| 1 | +--- |
| 2 | +title: How to verify encryption status for Linux |
| 3 | +description: This article provides instructions on verifying the encryption status from platform and OS level. |
| 4 | +author: kailashmsft |
| 5 | +ms.service: security |
| 6 | +ms.topic: article |
| 7 | +ms.author: kaib |
| 8 | +ms.date: 03/11/2020 |
| 9 | + |
| 10 | +ms.custom: seodec18 |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | + |
| 15 | + |
| 16 | +# How to verify encryption status for Linux |
| 17 | + |
| 18 | +**This scenario is applicable to ADE dual-pass and single-pass extensions.** |
| 19 | +This Document scope is to validate the encryption status of a virtual machine using different methods. |
| 20 | + |
| 21 | +### Environment |
| 22 | + |
| 23 | +- Linux distributions |
| 24 | + |
| 25 | +### Procedure |
| 26 | + |
| 27 | +1. A virtual machine has been encrypted using dual-pass or single-pass. |
| 28 | +2. Once the encryption process is triggered (in progress) or has been completed, we can validate the encryption status using different methods defined below |
| 29 | + |
| 30 | +### Verification |
| 31 | + |
| 32 | +The encryption status validation can be done from the Portal, PowerShell, AZ CLI and/or within the VM (OS side). Below the different validations methods: |
| 33 | + |
| 34 | +## Using the Portal: |
| 35 | + |
| 36 | +- You can validate the encryption status of a virtual machine by taking a look at the extensions blade in the corresponding virtual machine from the Portal. |
| 37 | +Inside the **Extensions** blade, you will see the ADE extension listed. You can click it and take a look at the **status message** which will indicate the current encryption status: |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | +In the list of extensions, you will also be able to see the corresponding ADE extension version. Version 0.x corresponds to ADE Dual-Pass and version 1.x corresponds to ADE Single-pass |
| 42 | +You can also get further details clicking on the extension and then on *View detailed status*, once that's done, you will be able to see a more detailed status of the encryption process in json format as shown in the image below: |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | +- Another way of validating the encryption status is by taking a look at the **Disks** blade. Over there, you get to see if encryption is enabled on each disk attached to a particular VM. |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +>[!NOTE] |
| 53 | +> As a warning, this status is not too accurate. This just means the disks have encryption settings stamped but not that they were actually encrypted at OS level. Unfortunately by the way the ADE extension design works today, the disks get stamped first and encrypted later. If the encryption process fails, the disks may end up stamped but not encrypted. To confirm if the disks are truly encrypted, you can double check the encryption of each disk at OS level, following instructions in one of the upcoming sections. |
| 54 | +
|
| 55 | +## Using PowerShell: |
| 56 | + |
| 57 | +You can validate the **general** encryption status of an encrypted VM using the following PowerShell commands: |
| 58 | + |
| 59 | +```azurepowershell |
| 60 | + $VMNAME="VMNAME" |
| 61 | + $RGNAME="RGNAME" |
| 62 | + Get-AzVmDiskEncryptionStatus -ResourceGroupName ${RGNAME} -VMName ${VMNAME} |
| 63 | +``` |
| 64 | + |
| 65 | +>[!NOTE] |
| 66 | +> Replace the "VMNAME" and "RGNAME" variables accordingly |
| 67 | +
|
| 68 | + |
| 69 | + |
| 70 | +You can capture the encryption settings from each individual disk using the following PowerShell commands: |
| 71 | + |
| 72 | +**Single-Pass:** |
| 73 | +In the case of single-pass the encryption settings are stamped in each of the disks (OS and Data). |
| 74 | +You can capture the OS disk encryption settings in single pass as follows: |
| 75 | + |
| 76 | +``` powershell |
| 77 | +$RGNAME = "RGNAME" |
| 78 | +$VMNAME = "VMNAME" |
| 79 | +
|
| 80 | +$VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME} |
| 81 | + $Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $VM.StorageProfile.OsDisk.Name |
| 82 | + Write-Host "=============================================================================================================================================================" |
| 83 | + Write-Host "Encryption Settings:" |
| 84 | + Write-Host "=============================================================================================================================================================" |
| 85 | + Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled |
| 86 | + Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion |
| 87 | + Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id |
| 88 | + Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl |
| 89 | + Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl |
| 90 | + Write-Host "=============================================================================================================================================================" |
| 91 | +``` |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +In case the disk does not have encryption settings stamped, the output will be empty as shown below: |
| 96 | + |
| 97 | + |
| 98 | + |
| 99 | +>[!NOTE] |
| 100 | +> Replace the $VMNAME and $RGNAME variables accordingly |
| 101 | +
|
| 102 | +Capture Data disk(s) encryption settings: |
| 103 | + |
| 104 | +```azurepowershell |
| 105 | +$RGNAME = "RGNAME" |
| 106 | +$VMNAME = "VMNAME" |
| 107 | +
|
| 108 | +$VM = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME} |
| 109 | + clear |
| 110 | + foreach ($i in $VM.StorageProfile.DataDisks|ForEach-Object{$_.Name}) |
| 111 | + { |
| 112 | + Write-Host "=============================================================================================================================================================" |
| 113 | + Write-Host "Encryption Settings:" |
| 114 | + Write-Host "=============================================================================================================================================================" |
| 115 | + Write-Host "Checking Disk:" $i |
| 116 | + $Disk=(Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $i) |
| 117 | + Write-Host "Encryption Enable: " $Sourcedisk.EncryptionSettingsCollection.Enabled |
| 118 | + Write-Host "Encryption KeyEncryptionKey: " $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl; |
| 119 | + Write-Host "Encryption DiskEncryptionKey: " $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl; |
| 120 | + Write-Host "=============================================================================================================================================================" |
| 121 | + } |
| 122 | +``` |
| 123 | + |
| 124 | + |
| 125 | + |
| 126 | +>[!NOTE] |
| 127 | +> Replace the "VMNAME" and "RGNAME" variables accordingly |
| 128 | +
|
| 129 | +**Dual-Pass**: |
| 130 | +In the case of dual pass, the encryption settings are stamped in the VM model and not on in individual disk. |
| 131 | + |
| 132 | +To verify the encryption settings were stamped in dual-pass you can use the following commands: |
| 133 | + |
| 134 | +```azurepowershell |
| 135 | +$RGNAME = "RGNAME" |
| 136 | +$VMNAME = "VMNAME" |
| 137 | +
|
| 138 | +$vm = Get-AzVm -ResourceGroupName ${RGNAME} -Name ${VMNAME}; |
| 139 | +$Sourcedisk = Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $VM.StorageProfile.OsDisk.Name |
| 140 | +clear |
| 141 | +Write-Host "=============================================================================================================================================================" |
| 142 | +Write-Host "Encryption Settings:" |
| 143 | +Write-Host "=============================================================================================================================================================" |
| 144 | +Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled |
| 145 | +Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion |
| 146 | +Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id |
| 147 | +Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl |
| 148 | +Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl |
| 149 | +Write-Host "=============================================================================================================================================================" |
| 150 | +``` |
| 151 | + |
| 152 | +>[!NOTE] |
| 153 | +> Replace the "VMNAME" and "RGNAME" variables accordingly |
| 154 | +
|
| 155 | + |
| 156 | + |
| 157 | +## Using AZ CLI: |
| 158 | + |
| 159 | +You can validate the **general** encryption status of an encrypted VM using the following AZ CLI commands: |
| 160 | + |
| 161 | +```bash |
| 162 | +VMNAME="VMNAME" |
| 163 | +RGNAME="RGNAME" |
| 164 | +az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus" |
| 165 | +``` |
| 166 | + |
| 167 | +>[!NOTE] |
| 168 | +> Replace the "VMNAME" and "RGNAME" variables accordingly |
| 169 | +
|
| 170 | + |
| 171 | + |
| 172 | +Single Pass: |
| 173 | +You can validate the encryption settings from each individual disk using the following AZ CLI commands: |
| 174 | + |
| 175 | +```bash |
| 176 | +az vm encryption show -g ${RGNAME} -n ${VMNAME} --query "disks[*].[name, statuses[*].displayStatus]" -o table |
| 177 | +``` |
| 178 | + |
| 179 | +>[!NOTE] |
| 180 | +> Replace the $VMNAME and $RGNAME variables accordingly |
| 181 | +
|
| 182 | + |
| 183 | + |
| 184 | +>[!IMPORTANT] |
| 185 | +> In case the disk does not have encryption settings stamped, it will be shown as |
| 186 | + "Disk is not encrypted" |
| 187 | + |
| 188 | +Detailed Status and Encryption settings: |
| 189 | + |
| 190 | +OS Disk: |
| 191 | + |
| 192 | +```bash |
| 193 | +RGNAME="RGNAME" |
| 194 | +VMNAME="VNAME" |
| 195 | + |
| 196 | +disk=`az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.osDisk.name -o tsv` |
| 197 | +for disk in $disk; do \ |
| 198 | +echo "=============================================================================================================================================================" |
| 199 | +echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \ |
| 200 | +echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \ |
| 201 | +echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \ |
| 202 | +echo -ne "key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \ |
| 203 | +echo "=============================================================================================================================================================" |
| 204 | +done |
| 205 | +``` |
| 206 | + |
| 207 | + |
| 208 | + |
| 209 | +Data Disks: |
| 210 | + |
| 211 | +```bash |
| 212 | +RGNAME="RGNAME" |
| 213 | +VMNAME="VMNAME" |
| 214 | +az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} --query "substatus" |
| 215 | + |
| 216 | +for disk in `az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.dataDisks[].name -o tsv`; do \ |
| 217 | +echo "=============================================================================================================================================================" |
| 218 | +echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \ |
| 219 | +echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \ |
| 220 | +echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \ |
| 221 | +echo -ne "key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \ |
| 222 | +echo "=============================================================================================================================================================" |
| 223 | +done |
| 224 | +``` |
| 225 | + |
| 226 | + |
| 227 | + |
| 228 | +Dual Pass: |
| 229 | + |
| 230 | +``` bash |
| 231 | +az vm encryption show --name ${VMNAME} --resource-group ${RGNAME} -o table |
| 232 | +``` |
| 233 | + |
| 234 | + |
| 235 | +You can also check the Encryption settings on the VM Model Storage profile of the OS disk: |
| 236 | + |
| 237 | +```bash |
| 238 | +disk=`az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.osDisk.name -o tsv` |
| 239 | +for disk in $disk; do \ |
| 240 | +echo "=============================================================================================================================================================" |
| 241 | +echo -ne "Disk Name: "; az disk show -g ${RGNAME} -n ${disk} --query name -o tsv; \ |
| 242 | +echo -ne "Encryption Enabled: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.enabled -o tsv; \ |
| 243 | +echo -ne "Disk Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].diskEncryptionKey.secretUrl -o tsv; \ |
| 244 | +echo -ne "key Encryption Key: "; az disk show -g ${RGNAME} -n ${disk} --query encryptionSettingsCollection.encryptionSettings[].keyEncryptionKey.keyUrl -o tsv; \ |
| 245 | +echo "=============================================================================================================================================================" |
| 246 | +done |
| 247 | +``` |
| 248 | + |
| 249 | + |
| 250 | + |
| 251 | +## From the Linux VM OS: |
| 252 | +Validate if the data disk partitions are encrypted (and the OS disk is not). When a partition/disk is encrypted it's displayed as **crypt** type, when it's not encrypted it is displayed as **part/disk** type |
| 253 | + |
| 254 | +``` bash |
| 255 | +lsblk |
| 256 | +``` |
| 257 | + |
| 258 | + |
| 259 | + |
| 260 | +You can get further details using the following "lsblk" variant. Using this one, you'll see a **crypt** type layer that is mounted by the extension, the following example shows Logical Volumes and normal disks having a **crypto\_LUKS FSTYPE**. |
| 261 | + |
| 262 | +```bash |
| 263 | +lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT |
| 264 | +``` |
| 265 | + |
| 266 | + |
| 267 | +As an extra step, you can also validate if the data disk has any dmcrypt keys loaded |
| 268 | + |
| 269 | +``` bash |
| 270 | +cryptsetup luksDump /dev/VGNAME/LVNAME |
| 271 | +``` |
| 272 | + |
| 273 | +``` bash |
| 274 | +cryptsetup luksDump /dev/sdd1 |
| 275 | +``` |
| 276 | + |
| 277 | +And which dm devices are listed as crypt |
| 278 | + |
| 279 | +```bash |
| 280 | +dmsetup ls --target crypt |
| 281 | +``` |
| 282 | + |
| 283 | +## Next Steps |
| 284 | + |
| 285 | +- [Azure Disk Encryption troubleshooting](disk-encryption-troubleshooting.md) |
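Review bot: the data-disk loop in the single-pass PowerShell block has a logic error: it assigns `$Disk=(Get-AzDisk -ResourceGroupName ${RGNAME} -DiskName $i)` but the three `Write-Host` lines that follow read `$Sourcedisk.EncryptionSettingsCollection...`, a variable this script never sets, so every iteration prints whatever `$Sourcedisk` happened to hold from an earlier session (or nothing) instead of the settings of the disk named in "Checking Disk:". Change them to read from `$Disk`, e.g. `Write-Host "Encryption Enable: " $Disk.EncryptionSettingsCollection.Enabled`. Three smaller points: the OS-disk AZ CLI block sets `VMNAME="VNAME"` (typo for `"VMNAME"`); the dual-pass prose states the settings are stamped in the VM model rather than on the individual disk, yet the PowerShell right under it reads them from `Get-AzDisk` on the OS disk, so either the sentence or the snippet should be adjusted so they agree; and in the `[!IMPORTANT]` callout the continuation line `"Disk is not encrypted"` is missing the leading `>`, which drops it out of the callout when rendered. Also consider renaming the bash pattern `disk=`az vm show ...`` followed by `for disk in $disk`, which reuses one name for both the list and the loop variable.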