When I try to enable Azure Disk Encryption on an Azure Windows Server 2022 VM I get the following error:
*Failed to enable Azure Disk Encryption on the VM with the following exception details: Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: ' 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost()*
I have enabled Access Policies on the KeyVault. I'm following the instructions here:
https://www.starwindsoftware.com/blog/encrypt-your-azure-vm-with-azure-disk-encryption
The KeyVault is in the same tenant as the VM.
I have JIT enabled on the VM. Not sure if that's an issue.
Any ideas?
I tried to reproduce the same in my environment and got the same error, as below:
Failed to enable Azure Disk Encryption on the VM with the following exception details: Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: ' 0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost()
Note: Windows Server 2022 and Windows 11 do not support an RSA 2048-bit key. Check this.
When I created an Azure Windows Server 2019 VM, Azure Disk Encryption was deployed successfully, as shown below:
When I check BitLocker Drive Encryption on the server, BitLocker is enabled on the Azure VM and the disk is encrypting successfully, as shown below:
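An added example, not code from the original answer, that applies the note above from PowerShell with the Az module: it makes sure the vault is enabled for disk encryption, creates a 4096-bit RSA key encryption key (KEK) instead of a 2048-bit one, and enables ADE on the Server 2022 VM with it. The resource group, vault, VM and key names are assumed.

```powershell
# Added example, not the answer's own code: enable ADE on a Windows Server 2022 VM with
# a 4096-bit RSA KEK, since the answer notes that 2048-bit keys are not supported there.
# Assumed names: rg-ade, kv-ade-demo, vm-ws2022, ade-kek.
$rg    = 'rg-ade'
$vault = 'kv-ade-demo'
$vm    = 'vm-ws2022'
$kek   = 'ade-kek'

# The vault must be enabled for disk encryption so the platform can write the BEK secret to it.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption

# Reuse the KEK if it already exists; otherwise create a 4096-bit RSA key.
$key = Get-AzKeyVaultKey -VaultName $vault -Name $kek -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $vault -Name $kek -Destination Software -KeyType RSA -Size 4096
}

# Guard against an existing 2048-bit KEK: N is the RSA modulus, so its byte length * 8 is the key size.
$bits = $key.Key.N.Length * 8
if ($bits -lt 3072) { throw "KEK '$kek' is $bits-bit; Windows Server 2022 needs a 3072- or 4096-bit KEK" }

# Enable the extension, wrapping the BEK with the KEK. -Force skips the confirmation prompt.
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $key.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Report the extension's view; OsVolumeEncrypted moves to Encrypted once BitLocker finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

The vault must use the access-policy permission model for -EnabledForDiskEncryption to apply, which matches the Access Policies setup described in the question.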
Related
Today I accessed my VM on Azure and it was very slow, so I decided to upgrade it. I went to Size, selected a level up in RAM memory and CPU and then I clicked on the button "Resize". After waiting a few minutes, I got a fail message saying: Failed to resize the virtual machine 'xxx' to size 'xxx'. Error: Unknown error encountered when retrieving secret from the Key Vault with URL: xxx.
Since then I can't start my virtual machine, how can I solve this problem?
Thanks.
[EDIT] Apparently, I just need to update the secretURL for a key vault that I've created, I just don't know how.
I would assume the VM is having issues accessing the Key Vault. Can you try the following, if possible?
Deallocate the VM to a full stop, then start it back up.
Check that the Key Vault and secret are still the same and have not been deleted or changed.
Check the access to the Key vault. The following documents may help with this.
Creating and configuring a key vault for Azure Disk Encryption
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#networking-requirements
In the meantime, please help me perform a quick check and log into the ‘serial console’ of this VM and confirm if you’re able to get into the ‘commandprompt’ from the ‘SAC’ mode: https://learn.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-windows
Option 2, Step 1: On the portal, select Key Vault -> “Access Policy” and ensure that “Azure Disk Encryption for volume encryption” is enabled. If not, enable it, save the changes and try to start the VM again.
Step 2: If “Azure Disk Encryption for volume encryption” is already checked, make sure that a “secret” is present under the Key Vault and that it has a “version” in the enabled state. If there is an expiration date set for the version, make sure that we are within the expiration period.
Repair a Windows VM by using the Azure Virtual Machine repair commands: https://learn.microsoft.com/en-us/azure/virtual-machines/troubleshooting/repair-windows-vm-using-azure-virtual-machine-repair-commands
Can you try redeploying the VM that this is happening on? This will place the VM on new hardware and rule out a platform issue if it stops happening after the redeploy.
Try to remove the extension and add it back to the VM. The extension must have failed at some point. https://learn.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest
Resize virtual machines
There is a similar thread discussion on SO; you may also refer to the suggestion mentioned over there, which gives some idea on your query.
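An added diagnostic script, not from the original answer, that performs the checks in Option 2 from PowerShell (Az module): it reads the secret and KEK URLs recorded on the VM's OS disk, then verifies that the vault is enabled for disk encryption and that the referenced secret version and key version still exist, are enabled and are not expired. The resource group and VM names are assumed.

```powershell
# Added diagnostic, not the answer's own code. Assumed names: rg-prod, vm-app01.
$rg = 'rg-prod'; $vmName = 'vm-app01'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$es = $vm.StorageProfile.OsDisk.EncryptionSettings
if (-not $es -or -not $es.Enabled) { throw "No ADE encryption settings recorded on the OS disk of $vmName" }

# The VM model stores the exact secret (BEK) and optional KEK URLs the platform must read at start.
$secretUrl = $es.DiskEncryptionKey.SecretUrl
$keyUrl    = $es.KeyEncryptionKey.KeyUrl
"Secret URL: $secretUrl"
"KEK URL   : $keyUrl"

# Parse https://<vault>.vault.azure.net/secrets/<name>/<version>
$u = [uri]$secretUrl
$vaultName = $u.Host.Split('.')[0]
$parts = $u.AbsolutePath.Trim('/').Split('/')      # secrets / <name> / <version>
$secretName, $secretVersion = $parts[1], $parts[2]

# Step 1: the vault must allow "Azure Disk Encryption for volume encryption".
$kv = Get-AzKeyVault -VaultName $vaultName
if (-not $kv) { throw "Vault $vaultName not found (deleted or renamed?)" }
if (-not $kv.EnabledForDiskEncryption) { Write-Warning "Vault $vaultName is not enabled for disk encryption" }

# Step 2: the referenced secret version must exist, be enabled and not be expired.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Version $secretVersion
if (-not $secret) { throw "Secret version $secretName/$secretVersion no longer exists" }
if (-not $secret.Enabled) { Write-Warning "Secret version $secretVersion is disabled" }
if ($secret.Expires -and $secret.Expires -lt (Get-Date).ToUniversalTime()) {
    Write-Warning "Secret version $secretVersion expired on $($secret.Expires)"
}

# If a KEK is in use, the same checks apply to the key version.
if ($keyUrl) {
    $k = [uri]$keyUrl; $kp = $k.AbsolutePath.Trim('/').Split('/')
    $key = Get-AzKeyVaultKey -VaultName $k.Host.Split('.')[0] -Name $kp[1] -Version $kp[2]
    if (-not $key -or -not $key.Enabled) { Write-Warning "KEK version $($kp[1])/$($kp[2]) is missing or disabled" }
}
```

Get-AzKeyVault only resolves vaults in the current subscription, so a lookup failure here can also mean the vault now lives in a different subscription than the VM.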
Issue:
Mounted ADLS gen2 container using service principal secret as secret from Azure Key Vault-backed secret scope. All good, can access the data.
Deleted secret from service principal in AAD, added new, updated Azure Key Vault secret (added the new version, disabled the old secret). All was still good, could access the data.
Restarted cluster. Unable to access mount point, error: “AADToken: HTTP connection failed for getting token from AzureAD. Http response: 401 Unauthorized”
Unmount/mount using the same config helped.
Is there a way to refresh the secret used for mount point that I could add to init scripts to avoid this issue? I would rather avoid unmounting/mounting all mount points in init scripts and was hoping that there is something like dbutils.fs.refreshMounts() that would help (refreshMounts didn't help with this particular issue).
I mounted ADLS Gen2 using service principal, oauth2.0, and azure key vault-backed secret scope, following this documentation: https://learn.microsoft.com/en-us/azure/databricks/data/data-sources/azure/azure-datalake-gen2#mount-azure-data-lake-gen2
Also - out of curiosity: does anybody know how long a token to mount to ADLS Gen2 lives? As long as the cluster did not restart, I was able to access my mnt even though the secret was deleted and updated (i.e., secret was updated in AAD and Key Vault; no failures until restarting the cluster - which was more than 12 hours after the update).
This is a known limitation. Whenever you create a mount point using credentials coming from an Azure Key Vault backed secret scope, the credentials will be stored in the mount point and will never be refreshed again.
This is a one-time read activity on mount point creation time. So each time you rotate credentials in Azure Key Vault you need to re-create the mount points to refresh the credentials there.
I would suggest you provide feedback on the same:
Azure Databricks - Feedback
All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
We have our server instances running both on AWS and Azure for different clients. We want to use a key management service to safeguard our production keys. Can Azure Key Vault be used as a solution for this? Will it be supported for a server running on an AWS instance?
Yes, you can use Azure Key Vault to secure keys for your app running in both AWS and Azure.
If you look at the pseudo-code snippet to access Azure Key Vault:
```java
// extend KeyVaultCredentials class and override doAuthenticate method.
// create a configuration object
Configuration config = KeyVaultConfiguration.configure(null, keyVaultCredentials);
KeyVaultClient myclient = KeyVaultClientService.create(config);
// encrypt
myclient.encryptAsync(...)
// decrypt
myclient.decryptAsync(...)
```
As the KeyVault services are available through SDK, you should be able to access the services from anywhere. It is just that you should have valid access credentials.
Hope this helps.
I am trying to deploy an Azure HDInsight Spark template using Visual Studio. The HDInsight cluster accesses a Data Lake, and for Data Lake Storage I have created a service principal with a certificate. I have stored the certificate in Azure Key Vault as a secret and am trying to access it in my Azure Resource Manager template. However, it is throwing the following error: Service Principal Details are invalid
I have downloaded the certificate from a running cluster and there is nothing wrong with the certificate. I always use this certificate to create clusters through the Portal.
```json
"reference": {
  "keyVault": {
    "id": "/subscriptions/e3f93473-xxx/resourceGroups/Production/providers/Microsoft.KeyVault/vaults/myvault"
  },
  "secretName": "certificateNew"
}
```
I had the same problem and managed to solve it by using the PowerShell command on this page to convert the PFX certificate to a Base-64 string value. I then uploaded the string value to a secret in Key Vault.
```powershell
$servicePrincipalCertificateBase64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('path-to-servicePrincipalCertificatePfxFile'))
```
There are several scripts available on GitHub that convert a PFX to Base-64 and upload it to a Key Vault that you specify. I tried some of them, but somehow they converted to a format that caused problems while deploying the ARM template. The method I mentioned solved the problem in my case.
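An added example, not the answer's own code, that takes the Base-64 string produced by the command above, stores it with Set-AzKeyVaultSecret, and reads it back to confirm the stored value decodes to exactly the original PFX bytes (the format that worked for the answerer). The vault name, secret name and file path are assumed.

```powershell
# Added example, not the answer's own code. Assumed: vault kv-hdi-demo, secret certificateNew, C:\certs\sp.pfx.
$vault = 'kv-hdi-demo'
$name  = 'certificateNew'
$pfx   = 'C:\certs\sp.pfx'

# Same encoding as the answer's one-liner: raw PKCS#12 bytes, Base-64, no PEM headers or re-wrapping.
$bytes = [System.IO.File]::ReadAllBytes($pfx)
$b64   = [System.Convert]::ToBase64String($bytes)

# Tag the content type so consumers can tell a PKCS#12 blob from a PEM or a plain password.
$secure = ConvertTo-SecureString -String $b64 -AsPlainText -Force
$null = Set-AzKeyVaultSecret -VaultName $vault -Name $name -SecretValue $secure -ContentType 'application/x-pkcs12'

# Round-trip check: what Key Vault hands back must be byte-for-byte the file that was encoded.
$stored = Get-AzKeyVaultSecret -VaultName $vault -Name $name -AsPlainText
if ($stored -cne $b64) { throw "Stored secret '$name' does not match the Base-64 of $pfx" }
$decoded = [System.Convert]::FromBase64String($stored)
if ($decoded.Length -ne $bytes.Length) { throw "Decoded length $($decoded.Length) differs from file length $($bytes.Length)" }

# Confirm the decoded bytes still load as a certificate with its private key (asks for the PFX password).
$pwd  = Read-Host -AsSecureString 'PFX password'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($decoded, $pwd)
if (-not $cert.HasPrivateKey) { throw "PFX loaded but carries no private key" }
"Round-trip OK: $($cert.Subject) thumbprint $($cert.Thumbprint)"
```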
I got a problem upgrading my deployment to Windows Server 2012: my deployment works fine with osfamily=2 and compiled with .NET 4, but fails with .NET 4.5 and osfamily=3.
The exception I saw when remoting into the VM is "Keyset does not exist", which seems to be related to some certificates. My program uses the certificates to encrypt a stream and should be able to use these certs to decode the stream after I deploy it.
I checked the certs on the VM; they are installed fine, in the right place.
So I suspect this is an issue with a different security policy in 2012 that prevents my role from getting the key in the certs.
This has blocked me for a while, so thanks a lot for any clue!
"Keyset does not exist" typically refers to an error when your program is trying to access the private key of a certificate and is unable to do so, either because the private key does not exist or because it has no permissions to access it.
You will need to find the certificate in question in your certificate store and verify that it contains a private key (that will show up in the properties of the certificate).
Then verify that your process/application pool has permissions to access the private key by right-clicking on the certificate in the certificate store and choosing All Tasks -> Manage Private Keys. From there, make sure to add the required users to the allowed list.
Hope this helps
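An added PowerShell example, not from the original answer, that performs the same check and grant from a script, which is handy on a cloud service role instance where opening the MMC is awkward: it confirms the certificate has a private key, locates the key file on disk (CAPI keys under RSA\MachineKeys, CNG keys under Keys), and gives the service account Read access, the least privilege needed to use the key. The thumbprint and account are placeholders.

```powershell
# Added example, not the answer's own code. Placeholders: thumbprint and the account the role runs as.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$account    = 'NT AUTHORITY\NETWORK SERVICE'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX with its key" }

# Resolve the key container's unique name, which is also the key file name on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                                   # CNG key
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName       # CAPI (CSP) key
}
$keyFile = @("Microsoft\Crypto\Keys\$uniqueName", "Microsoft\Crypto\RSA\MachineKeys\$uniqueName") |
    ForEach-Object { Join-Path $env:ProgramData $_ } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file for '$uniqueName' not found under $env:ProgramData\Microsoft\Crypto" }

# Show who can currently use the key (what Manage Private Keys displays).
$acl = Get-Acl -Path $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Grant Read only if the account does not already have it; Read is enough to use the key.
$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readFlag)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $account"
} else {
    "$account already has Read on $keyFile"
}
```

Run it elevated on the instance; on a cloud service role the account is whatever the role's runtime identity is, so set $account to match before running.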