Enabling Encryption at Host on Current VMs

Najam ul Saqib 340 Reputation points
2024-07-29T05:54:22.9166667+00:00

Hi,

I enabled encryption at host on my linux VMs by first enabling the feature at subscription level, then stopping the VM and going to disks --> advanced settings section.

But the VMs are not going away from the Defender recommendation "Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost." even though Encryption at Host has been enabled. Why is it so?

One thing I noticed in https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell&WT.mc_id=Portal-Microsoft_Azure_Security is that the encryption at host is being enabled when the VM is created from scratch not on the present VMs, could this be an issue?

Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
177 questions
Azure Disk Storage
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.
653 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Nehruji R 8,161 Reputation points Microsoft Vendor
    2024-07-30T06:11:55.3233333+00:00

    Hello Najam ul Saqib,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you enabled Encryption at Host for your existing Linux VMs. However, the issue you’re encountering with the Defender recommendation not updating could indeed be related to how Encryption at Host is applied.

    From the documentation you referenced, it appears that Encryption at Host is typically enabled during the creation of a new VM. This means that enabling it on existing VMs might not fully integrate with all the necessary security checks and updates that Defender for Cloud performs.

    But it is possible to enable encryption at host on existing virtual machines (VMs) in Azure. There are several options available for doing this, depending on the type of VM and the operating system it is running. One option is to use Azure Disk Encryption, which is a feature of Azure that enables you to encrypt the OS and data disks of your VMs using BitLocker on Windows VMs or DM-Crypt on Linux VMs. To enable Azure Disk Encryption on an existing VM, you will need to follow the steps outlined in the Azure documentation:

    Make sure that the VM meets the prerequisites for Azure Disk Encryption.

    1. Install the Azure Disk Encryption Extension on the VM.
    2. Create an Azure Key Vault and grant the required permissions to the VM.
    3. Use Azure PowerShell or Azure CLI to enable Azure Disk Encryption on the VM.

    Another option is to use Azure Confidential Computing, which is a feature of Azure that enables you to encrypt data in use on VMs using hardware-based trusted execution environments (TEEs). To enable Azure Confidential Computing on an existing VM, you will need to follow the steps outlined in the Azure documentation:

    1. Make sure that the VM meets the prerequisites for Azure Confidential Computing.
    2. Install the Azure Confidential Computing Extension on the VM.
    3. Use Azure PowerShell or Azure CLI to enable Azure Confidential Computing on the VM.

    Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/739983/how-to-encrypt-the-temp-disks-caches-and-data-flow,https://learn.microsoft.com/en-us/answers/questions/843946/has-anybody-enable-azure-encryption-at-host-what-i,https://learn.microsoft.com/en-us/answers/questions/1696674/issue-with-defender-recommendations-linux-virtual

    Please consider checking below steps to resolve the issue,

    • Double-check that Encryption at Host is indeed enabled on your VMs. You can do this through the Azure portal or using Azure CLI/PowerShell commands.
    • Sometimes, Defender for Cloud might need a manual trigger to re-scan and update its recommendations. You can initiate a new scan to see if the recommendation updates.
    • Ensure that all your Azure resources, including Defender for Cloud, are up-to-date. Sometimes, updates can resolve such discrepancies.
    • Note: Azure Disk Encryption and Encryption at Host are different features. Azure Disk Encryption uses the DM-Crypt feature of Linux to provide volume encryption, while Encryption at Host encrypts data at the host level before it is written to the disk. Encryption at Host can't be enabled on virtual machines (VMs) or virtual machine scale sets that currently or ever had Azure Disk Encryption enabled in past times. You will need to recreate the VM in order to enable Encryption at Host. Apologies for the inconvenience with this limitation.

    refer - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell

    Hope this information helps! please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.