Share via

unable to create disk encryption

shirure param 0 Reputation points
2024-07-21T14:56:38.9633333+00:00

Select a key

Caller needs data action: 'Microsoft.KeyVault/vaults/keys/read' to perform action on resource: /subscriptions/8b36142b-c901-4202-89b7-89d1f7b06934/resourceGroups/app-grp/providers/Microsoft.KeyVault/vaults/keyvault455543. For more information, please see: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
182 questions

2 answers

Sort by: Newest
Most helpful Newest Oldest
  1. Nehruji R 8,181 Reputation points Microsoft External Staff Moderator
    2024-07-22T12:31:48.55+00:00

    Hello shirure param,

    Greetings! Welcome to Microsoft Q&A Platform.

    As said above. This error typically occurs when the user does not have the necessary permissions to read the keys in the Key Vault.

    Encrypting or disabling encryption may cause a VM to reboot. ( Then only necessary changes will take place)

    For Azure Disk Encryption, we can break it down into two processes - extension installation and encryption.

    Extension installation: This can be thought of as after you hit "enter" to run "Set-AzVMDiskEncryptionExtension". The install process itself should take about 5-10 minutes. Almost simultaneously, once the extension is installed, BitLocker will start checking your OS to see if it's compatible for ADE (size, formatting, partitioning, etc.), If it's not you'll error, if it is we can move to the encryption process.

    Encryption: This process is where BitLocker will prepare your OS for disk encryption (system partition created), generate protectors, communicate with the Azure Key Vault to create secrets, and return an output. Once your VM is prepared for ADE you'll receive a "successful/true" type of response for encryption. However, if your VM failed at any point when preparing for encryption, you'll receive an error message.

    Assuming all goes well, you'll receive that "successful/true" response once your VM is prepared for ADE but before encryption finishes on your disks. Encryption time depends on the size of your disk(s). As an example, if you're using a 30GB OS disk, it can take about 20minutes to encrypt. However, if you're using a 30GB OS disk along with two 1TB data disks, encryption can take longer than 20minutes.

    Additional information: Azure Disk Encryption FAQ

    Please consider checking the following factors to resolve the issue,

    1. Check if the VM meets the prerequisites for Azure Disk Encryption. Ensure that the VM is running a supported operating system and is in a supported region. You can find the list of supported VMs and operating systems in the Azure documentation.
    2. Check if the VM has the latest updates installed. Ensure that the VM has the latest updates installed for the operating system and the Azure Disk Encryption extension.
    3. Check if the VM has the required permissions. Ensure that the VM has the required permissions to access the Key Vault and the storage account.
    4. · Please ensure that "Enable access to Azure Resource Manager for Template Deployment" is checked in your Key Vault access policies. https://stackoverflow.microsoft.com/questions/205616

    https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart.

    Hope this information helps! Please let us know if you have any further queries. I’m happy to assist you further.   

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  2. Vinodh247 34,491 Reputation points MVP Volunteer Moderator
    2024-07-21T16:28:29.0733333+00:00

    Hi shirure param,

    Thanks for reaching out to Microsoft Q&A.

    error message you are encountering indicates that the azure disk encryption process is unable to access the specified keyvault due to insufficient permissions. Specifically, the action requires the Microsoft.KeyVault/vaults/keys/read permission to read the encryption keys stored in the Key Vault.

    Check Key Vault Access Policies:

    • Ensure that the Key Vault access policies are configured correctly to allow the Azure Disk Encryption service to access the keys. You need to enable permissions for WrapKey and UnwrapKey for the service principal associated with the Azure Disk Encryption.

    Verify Key Vault Location:

    • Confirm that the Key Vault is in the same region and subscription as the virtual machine (VM) you are trying to encrypt. Azure Disk Encryption requires that both resources be co-located to function properly.

    Set Up Advanced Access Policies:

    • Use the Azure portal, PowerShell, or AzureCLI to set advanced access policies on the Key Vault. This includes enabling disk encryption and granting the necessary permissions to the Azure Disk Encryption service.

    Check for Existing Keys:

    • Ensure that the key you are trying to use for encryption exists in the Key Vault and is enabled. If the key has been deleted or disabled, you will need to create a new key or enable the existing one.

    Network Configuration:

    • If there are any network restrictions (like firewall settings), ensure that the VM can access the Key Vault. This may involve configuring the Key Vault to allow access from Microsoft Trusted Services if the firewall is enabled.

    Correct Resource Identifiers:

    • Double-check the Resource ID and the URI for the Key Vault and the Key Encryption Key (KEK) to ensure there are no typos or incorrect identifiers being used in your commands.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.