
Commit 92abef0

Merge pull request #232520 from divargas-msft/patch-2
[Doc-a-thon] Updating disk-encryption-linux
2 parents 222ed6b + e63c81f commit 92abef0

1 file changed

+35
-69
lines changed


articles/virtual-machines/linux/disk-encryption-linux.md

Lines changed: 35 additions & 69 deletions
@@ -37,34 +37,33 @@ In all cases, you should [take a snapshot](snapshot-copy-managed-disk.md) and/or
3737

3838
Azure Disk Encryption can be enabled and managed through the [Azure CLI](/cli/azure) and [Azure PowerShell](/powershell/azure/new-azureps-module-az). To do so, you must install the tools locally and connect to your Azure subscription.
3939

40-
### Azure CLI
40+
# [Azure CLI](#tab/azcliazure)
4141

4242
The [Azure CLI 2.0](/cli/azure) is a command-line tool for managing Azure resources. The CLI is designed to flexibly query data, support long-running operations as non-blocking processes, and make scripting easy. You can install it locally by following the steps in [Install the Azure CLI](/cli/azure/install-azure-cli).
4343

44-
45-
4644
To [Sign in to your Azure account with the Azure CLI](/cli/azure/authenticate-azure-cli), use the [az login](/cli/azure/reference-index#az-login) command.
4745

4846
```azurecli
4947
az login
5048
```
5149

5250
If you would like to select a tenant to sign in under, use:
53-
51+
5452
```azurecli
5553
az login --tenant <tenant>
5654
```
5755

5856
If you have multiple subscriptions and want to specify a specific one, get your subscription list with [az account list](/cli/azure/account#az-account-list) and specify with [az account set](/cli/azure/account#az-account-set).
59-
57+
6058
```azurecli
6159
az account list
6260
az account set --subscription "<subscription name or ID>"
6361
```
6462

6563
For more information, see [Get started with Azure CLI 2.0](/cli/azure/get-started-with-azure-cli).
6664

67-
### Azure PowerShell
65+
# [Azure PowerShell](#tab/powershellazure)
66+
6867
The [Azure PowerShell az module](/powershell/azure/new-azureps-module-az) provides a set of cmdlets that uses the [Azure Resource Manager](../../azure-resource-manager/management/overview.md) model for managing your Azure resources. You can use it in your browser with [Azure Cloud Shell](../../cloud-shell/overview.md), or you can install it on your local machine using the instructions in [Install the Azure PowerShell module](/powershell/azure/install-az-ps).
6968

7069
If you already have it installed locally, make sure you use the latest version of Azure PowerShell SDK version to configure Azure Disk Encryption. Download the latest version of [Azure PowerShell release](https://github.com/Azure/azure-powershell/releases).
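Review bot: The tab headers introduced at lines 40 and 65 (`# [Azure CLI](#tab/azcliazure)` and `# [Azure PowerShell](#tab/powershellazure)`) open a tab group that is only valid once a `---` terminator follows the last tab's content, and this hunk ends without one; the terminator has to land after the `Get-command *diskencryption*` block in the following hunk, so check that it is there. While the CLI tab is being touched, the unchanged context at line 42 still calls the tool "Azure CLI 2.0" and the link text at line 64 reads "Get started with Azure CLI 2.0"; the current product name is plain "Azure CLI", and fixing both in the same PR keeps the new tab from opening with a stale name.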
@@ -89,7 +88,9 @@ To confirm the Azure Disk Encryption cmdlets are installed, use the [Get-command
8988
Get-command *diskencryption*
9089
```
9190

92-
For more information, see [Getting started with Azure PowerShell](/powershell/azure/get-started-azureps).
91+
For more information, see [Getting started with Azure PowerShell](/powershell/azure/get-started-azureps).
92+
93+
---
9394

9495
## Enable encryption on an existing or running Linux VM
9596

@@ -102,7 +103,7 @@ In this scenario, you can enable encryption by using the Resource Manager templa
102103
103104
To disable the encryption, see [Disable encryption and remove the encryption extension](#disable-encryption-and-remove-the-encryption-extension).
104105

105-
### Enable encryption on an existing or running Linux VM using Azure CLI
106+
# [Using Azure CLI](#tab/enableadecli)
106107

107108
You can enable disk encryption on your encrypted VHD by installing and using the [Azure CLI](/cli/azure/) command-line tool. You can use it in your browser with [Azure Cloud Shell](../../cloud-shell/overview.md), or you can install it on your local machine and use it in any PowerShell session. To enable encryption on existing or running Linux VMs in Azure, use the following CLI commands:
108109

@@ -131,9 +132,10 @@ https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]
131132
```azurecli-interactive
132133
az vm encryption show --name "MySecureVM" --resource-group "MyVirtualMachineResourceGroup"
133134
```
135+
134136
To disable the encryption, see [Disable encryption and remove the encryption extension](#disable-encryption-and-remove-the-encryption-extension).
135137
136-
### Enable encryption on an existing or running Linux VM using PowerShell
138+
# [Using PowerShell](#tab/enableadeps)
137139
138140
Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet to enable encryption on a running virtual machine in Azure. Take a [snapshot](snapshot-copy-managed-disk.md) and/or back up the VM with [Azure Backup](../../backup/backup-azure-vms-encryption.md) before disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a running Linux VM.
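Review bot: Tab labels within one group should be parallel. After this change the group reads "Using Azure CLI" / "Using PowerShell" / "Using a Resource Manager template", while the first group on the page uses "Azure PowerShell" and the data-disk group later in this PR uses "Using Azure PowerShell"; suggest `# [Using PowerShell](#tab/enableadeps)` become `# [Using Azure PowerShell](#tab/enableadeps)`. On the unchanged context at line 140: it states that `-skipVmBackup` is already baked into the PowerShell scripts, which makes the snapshot/backup advice in the same sentence (and at line 37, "In all cases, you should take a snapshot") the only safeguard before encryption starts; that is worth keeping in the sentence that precedes the first script rather than relying on the reader having seen line 37 before switching tabs.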
139141
@@ -151,6 +153,7 @@ Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvm
151153
152154
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType '[All|OS|Data]' -SequenceVersion $sequenceVersion -skipVmBackup;
153155
```
156+
154157
- **Encrypt a running VM using KEK:** You may need to add the -VolumeType parameter if you're encrypting data disks and not the OS disk.
155158
156159
```azurepowershell
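Review bot: Whitespace-only hunk, but the context line 154 it pads shows `-VolumeType '[All|OS|Data]'` quoted as a literal string; a reader who copies the block as-is passes the text `[All|OS|Data]` to `Set-AzVMDiskEncryptionExtension`. Since the prose at 157 already explains when `-VolumeType` is needed, consider changing the placeholder to one concrete value (for example `'All'`) with a comment listing the alternatives, matching the `"data"` form used in the EncryptFormatAll example at line 262.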
@@ -173,17 +176,16 @@ Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvm
173176
/subscriptions/[subscription-id-guid]/resourceGroups/[resource-group-name]/providers/Microsoft.KeyVault/vaults/[keyvault-name]</br>
174177
> The syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in:
175178
https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]
176-
177-
- **Verify the disks are encrypted:** To check on the encryption status of a VM, use the [Get-AzVmDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) cmdlet.
178-
179+
180+
- **Verify the disks are encrypted:** To check on the encryption status of a VM, use the [Get-AzVmDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) cmdlet.
181+
179182
```azurepowershell-interactive
180183
Get-AzVmDiskEncryptionStatus -ResourceGroupName 'MyVirtualMachineResourceGroup' -VMName 'MySecureVM'
181184
```
182185
183186
To disable the encryption, see [Disable encryption and remove the encryption extension](#disable-encryption-and-remove-the-encryption-extension).
184187
185-
186-
### Enable encryption on an existing or running Linux VM with a template
188+
# [Using a Resource Manager template](#tab/enableadearm)
187189
188190
You can enable disk encryption on an existing or running Linux VM in Azure by using the [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/encrypt-running-linux-vm-without-aad).
189191
@@ -207,6 +209,8 @@ For more information about configuring the Linux VM disk encryption template, se
207209
208210
To disable the encryption, see [Disable encryption and remove the encryption extension](#disable-encryption-and-remove-the-encryption-extension).
209211
212+
---
213+
210214
## Use EncryptFormatAll feature for data disks on Linux VMs
211215
212216
The **EncryptFormatAll** parameter reduces the time for Linux data disks to be encrypted. Partitions meeting certain criteria will be formatted, along with their current file systems, then remounted back to where they were before command execution. If you wish to exclude a data disk that meets the criteria, you can unmount it before running the command.
@@ -218,7 +222,9 @@ The **EncryptFormatAll** parameter reduces the time for Linux data disks to be e
218222
>If you're setting this parameter while updating encryption settings, it might lead to a reboot before the actual encryption. In this case, you will also want to remove the disk you don't want formatted from the fstab file. Similarly, you should add the partition you want encrypt-formatted to the fstab file before initiating the encryption operation.
219223
220224
### EncryptFormatAll criteria
225+
221226
The parameter goes through all partitions and encrypts them as long as they meet **all** of the criteria below:
227+
222228
- Is not a root/OS/boot partition
223229
- Is not already encrypted
224230
- Is not a BEK volume
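Review bot: The blank line added at 227 between "The parameter goes through all partitions and encrypts them as long as they meet all of the criteria below:" and the bullets is needed for stricter Markdown engines to render the bullets as a list rather than as paragraph continuation, so this is the right fix. While editing the criteria, note that the only statement that matching partitions are formatted (data destroyed) is buried in the intro paragraph at 216, and the note at 222 talks only about reboots and fstab; a one-line warning above the list at 226 ("every partition matching all of these is reformatted") would put it where people actually read.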
@@ -228,7 +234,8 @@ The parameter goes through all partitions and encrypts them as long as they meet
228234
229235
Encrypt the disks that compose the RAID or LVM volume rather than the RAID or LVM volume.
230236
231-
### Use the EncryptFormatAll parameter with Azure CLI
237+
# [Use the EncryptFormatAll parameter with Azure CLI](#tab/efacli)
238+
232239
Use the [az vm encryption enable](/cli/azure/vm/encryption#az-vm-encryption-enable) command to enable encryption on a running virtual machine in Azure.
233240
234241
- **Encrypt a running VM using EncryptFormatAll:**
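Review bot: The tab label at line 237, `Use the EncryptFormatAll parameter with Azure CLI`, and its PowerShell counterpart in the next hunk (`#tab/efaps`) repeat the enclosing section title; tab labels render in a horizontal strip and long titles wrap or truncate. Shorten them to `Azure CLI` and `Azure PowerShell`, consistent with the labels used at lines 40 and 65, and let the `## Use EncryptFormatAll feature for data disks on Linux VMs` heading carry the context.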
@@ -237,7 +244,8 @@ Use the [az vm encryption enable](/cli/azure/vm/encryption#az-vm-encryption-enab
237244
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "data" --encrypt-format-all
238245
```
239246
240-
### Use the EncryptFormatAll parameter with a PowerShell cmdlet
247+
# [Use the EncryptFormatAll parameter with a PowerShell cmdlet](#tab/efaps)
248+
241249
Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet with the EncryptFormatAll parameter.
242250
243251
**Encrypt a running VM using EncryptFormatAll:** As an example, the script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter. The resource group, VM, and key vault were created as prerequisites. Replace MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values.
@@ -254,56 +262,14 @@ $KeyVaultResourceId = $KeyVault.ResourceId;
254262
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "data" -EncryptFormatAll
255263
```
256264

265+
---
257266

258-
### Use the EncryptFormatAll parameter with Logical Volume Manager (LVM)
259-
We recommend an LVM-on-crypt setup. For all the following examples, replace the device-path and mountpoints with whatever suits your use-case. This setup can be done as follows:
260-
261-
1. Add the data disks that will compose the VM.
262-
263-
1. Format, mount, and add these disks to the fstab file.
264-
265-
1. Choose a partition standard, create a partition that spans the entire drive, and then format the partition. We use symlinks generated by Azure here. Using symlinks avoids problems related to device names changing. For more information, see the [Troubleshoot Device Names problems](/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems) article.
266-
267-
```bash
268-
parted /dev/disk/azure/scsi1/lun0 mklabel gpt
269-
parted -a opt /dev/disk/azure/scsi1/lun0 mkpart primary ext4 0% 100%
270-
271-
mkfs -t ext4 /dev/disk/azure/scsi1/lun0-part1
272-
```
273-
274-
1. Mount the disks:
275-
276-
```bash
277-
mount /dev/disk/azure/scsi1/lun0-part1 /mnt/mountpoint
278-
````
279-
280-
Add to fstab file:
281-
282-
```bash
283-
echo "/dev/disk/azure/scsi1/lun0-part1 /mnt/mountpoint ext4 defaults,nofail 0 2" >> /etc/fstab
284-
```
285-
286-
1. Run the Azure PowerShell [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet with -EncryptFormatAll to encrypt these disks.
287-
288-
```azurepowershell-interactive
289-
$KeyVault = Get-AzKeyVault -VaultName "MySecureVault" -ResourceGroupName "MySecureGroup"
290-
291-
Set-AzVMDiskEncryptionExtension -ResourceGroupName "MySecureGroup" -VMName "MySecureVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -EncryptFormatAll -SkipVmBackup -VolumeType Data
292-
```
293-
294-
If you wish to use a key encryption key (KEK), pass the URI of your KEK and the ResourceID of your key vault to the -KeyEncryptionKeyUrl and -KeyEncryptionKeyVaultId parameters, respectively:
295-
296-
```azurepowershell-interactive
297-
$KeyVault = Get-AzKeyVault -VaultName "MySecureVault" -ResourceGroupName "MySecureGroup"
298-
$KEKKeyVault = Get-AzKeyVault -VaultName "MyKEKVault" -ResourceGroupName "MySecureGroup"
299-
$KEK = Get-AzKeyVaultKey -VaultName "myKEKVault" -KeyName "myKEKName"
300-
301-
Set-AzVMDiskEncryptionExtension -ResourceGroupName "MySecureGroup" -VMName "MySecureVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -EncryptFormatAll -SkipVmBackup -VolumeType Data -KeyEncryptionKeyUrl $$KEK.id -KeyEncryptionKeyVaultId $KEKKeyVault.ResourceId
302-
```
267+
### Use the EncryptFormatAll parameter with Logical Volume Manager (LVM)
303268

304-
1. Set up LVM on top of these new disks. Note the encrypted drives are unlocked after the VM has finished booting. So, the LVM mounting will also have to be subsequently delayed.
269+
We recommend an LVM-on-crypt setup. For detailed instructions about the LVM on crypt configuration, see [Configure LVM and RAID on ADE encrypted devices](/azure/virtual-machines/linux/how-to-configure-lvm-raid-on-crypt).
305270

306271
## New VMs created from customer-encrypted VHD and encryption keys
272+
307273
In this scenario, you can enable encrypting by using PowerShell cmdlets or CLI commands.
308274

309275
Use the instructions in the Azure Disk encryption same scripts for preparing pre-encrypted images that can be used in Azure. After the image is created, you can use the steps in the next section to create an encrypted Azure VM.
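Review bot: The replacement link at line 269, `/azure/virtual-machines/linux/how-to-configure-lvm-raid-on-crypt`, uses a site-absolute path, while every other same-folder link on this page is a relative `.md` link (`snapshot-copy-managed-disk.md`, `add-disk.md`, `attach-disk-portal.md`); use `how-to-configure-lvm-raid-on-crypt.md` so it follows the same convention and resolves the same way at build time. Deleting the inline walk-through also drops two things that should be confirmed to exist in the linked article before merging: the removed step at old line 304 ("the encrypted drives are unlocked after the VM has finished booting. So, the LVM mounting will also have to be subsequently delayed"), which is the non-obvious operational caveat of LVM-on-crypt, and the KEK variant of `Set-AzVMDiskEncryptionExtension` at old lines 296-302. Removing the old script is otherwise a net gain: it contained `$$KEK.id` at old line 301 (a typo that would expand `$$` to the current process ID) and a vault-name mismatch between `"MyKEKVault"` at 298 and `"myKEKVault"` at 299. The `---` added at 265 correctly closes the efacli/efaps tab group before the LVM heading is re-added at 267.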
@@ -315,9 +281,8 @@ Use the instructions in the Azure Disk encryption same scripts for preparing pre
315281
>
316282
> Encrypting or disabling encryption may cause the VM to reboot.
317283
284+
### Use Azure PowerShell to encrypt VMs with pre-encrypted VHDs
318285

319-
320-
### Use Azure PowerShell to encrypt VMs with pre-encrypted VHDs
321286
You can enable disk encryption on your encrypted VHD by using the PowerShell cmdlet [Set-AzVMOSDisk](/powershell/module/Az.Compute/Set-AzVMOSDisk#examples). The example below gives you some common parameters.
322287

323288
```azurepowershell
@@ -330,7 +295,7 @@ New-AzVM -VM $VirtualMachine -ResourceGroupName "MyVirtualMachineResourceGroup"
330295

331296
You can add a new data disk using [az vm disk attach](add-disk.md), or [through the Azure portal](attach-disk-portal.md). Before you can encrypt, you need to mount the newly attached data disk first. You must request encryption of the data drive since the drive will be unusable while encryption is in progress.
332297

333-
### Enable encryption on a newly added disk with Azure CLI
298+
# [Using Azure CLI](#tab/adedatacli)
334299

335300
If the VM was previously encrypted with "All" then the --volume-type parameter should remain "All". All includes both OS and data disks. If the VM was previously encrypted with a volume type of "OS", then the --volume-type parameter should be changed to "All" so that both the OS and the new data disk will be included. If the VM was encrypted with only the volume type of "Data", then it can remain "Data" as demonstrated below. Adding and attaching a new data disk to a VM is not sufficient preparation for encryption. The newly attached disk must also be formatted and properly mounted within the VM prior to enabling encryption. On Linux the disk must be mounted in /etc/fstab with a [persistent block device name](/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems).
336301

@@ -348,9 +313,9 @@ In contrast to PowerShell syntax, the CLI does not require the user to provide a
348313
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --key-encryption-key "MyKEK_URI" --key-encryption-keyvault "MySecureVaultContainingTheKEK" --volume-type "Data"
349314
```
350315
351-
### Enable encryption on a newly added disk with Azure PowerShell
316+
# [Using Azure PowerShell](#tab/adedataps)
317+
352318
When using PowerShell to encrypt a new disk for Linux, a new sequence version needs to be specified. The sequence version has to be unique. The script below generates a GUID for the sequence version. Take a [snapshot](snapshot-copy-managed-disk.md) and/or back up the VM with [Azure Backup](../../backup/backup-azure-vms-encryption.md) before disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a newly added data disk.
353-
354319
355320
- **Encrypt data volumes of a running VM:** The script below initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, and key vault should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MySecureVM, and MySecureVault with your values. Acceptable values for the -VolumeType parameter are All, OS, and Data. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to "All" so that both the OS and the new data disk will be included.
356321
@@ -366,6 +331,7 @@ In contrast to PowerShell syntax, the CLI does not require the user to provide a
366331
367332
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType 'data' –SequenceVersion $sequenceVersion -skipVmBackup;
368333
```
334+
369335
- **Encrypt data volumes of a running VM using KEK:** Acceptable values for the -VolumeType parameter are All, OS, and Data. If the VM was previously encrypted with a volume type of "OS" or "All", then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.
370336
371337
```azurepowershell
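Review bot: Whitespace-only hunk, but the context line 332 it pads uses an en dash in `–SequenceVersion $sequenceVersion` while every other parameter on the line uses an ASCII hyphen (`-VolumeType`, `-skipVmBackup`). PowerShell's tokenizer accepts the en dash as a parameter prefix, so the command runs, but it is inconsistent with the rest of the page and breaks when the snippet is copied into tooling that does not; normalise it to `-SequenceVersion` in the same PR.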
@@ -389,8 +355,9 @@ In contrast to PowerShell syntax, the CLI does not require the user to provide a
389355
> The syntax for the value of the key-encryption-key parameter is the full URI to the KEK as in:
390356
https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]
391357
392-
## Disable encryption and remove the encryption extension
358+
---
393359
360+
## Disable encryption and remove the encryption extension
394361
395362
You can disable the Azure disk encryption extension, and you can remove the Azure disk encryption extension. These are two distinct operations.
396363
@@ -441,7 +408,6 @@ You can remove the encryption extension using Azure PowerShell or the Azure CLI.
441408
az vm extension delete -g "MyVirtualMachineResourceGroup" --vm-name "MySecureVM" -n "AzureDiskEncryptionForLinux"
442409
```
443410
444-
445411
## Unsupported scenarios
446412
447413
Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:
