When enabling Azure Disk Encryption for your Virtual Machine (VM), you may encounter the following error:
```json
'code': 'VMExtensionProvisioningError',
'message': 'VM has reported a failure when processing extension 'AzureDiskEncryption' (publisher 'Microsoft.Azure.Security' and type 'AzureDiskEncryption'). Error message: '[2.5.0.3] Failed to enable Azure Disk Encryption on the VM with the following exception details:\n Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.'.\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:\\__w\\1\\s\\src\\BitLocker\\BitlockerIaasVMExtension\\WireProtocol\\WireProtocolMessage.cs:line 210\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:\\__w\\1\\s\\src\\BitLocker\\BitlockerIaasVMExtension\\BitlockerExtension.cs:line 1092'. More information on troubleshooting is available at https://aka.ms/VMExtensionADEWindowsTroubleshoot.'
```
## Error Analysis
The error message points to the exception RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED: Key Vault failed while wrapping the disk encryption key with the Key Encryption Key (KEK), so the extension could not send the encryption settings to the host.
Note that the VM in this case runs Windows 11 Pro, which has known compatibility issues with Azure Disk Encryption because RSA 2048-bit keys are not supported.
## Common Causes
- RSA Key Length: Windows 11 and Windows Server 2022 do not support RSA 2048-bit keys for Azure Disk Encryption.
- Missing Dependencies: Certain Windows Server configurations require additional components, such as `bdehdcfg` or .NET Framework.
## Official Documentation
Microsoft has acknowledged this limitation in the article Enable Azure Disk Encryption for Windows VMs and provides a FAQ section that recommends using higher RSA key lengths for certain OS versions.
## Recommended Solutions
To resolve the error and successfully enable Azure Disk Encryption, follow one of the two approaches detailed below:
### Solution 1: Use BitLocker Encryption Key (BEK)
Azure Disk Encryption supports encryption using the BitLocker Encryption Key (BEK). Using BEK instead of a Key Encryption Key (KEK) can bypass the wrapping issue in Key Vault.
- Modify Encryption Settings:
  - Open Azure Portal.
  - Navigate to your VM and select Disks.
  - Configure disk encryption using BEK instead of KEK.
- Test Encryption:
  - Restart the VM after enabling disk encryption.
  - Verify that encryption has been successfully applied without errors.
### Solution 2: Increase RSA Key Length
Windows 11 and Windows Server 2022 require an RSA key length greater than 2048 bits. Update your Key Vault keys to RSA 3072 or RSA 4096 to resolve this issue.
- Create a New RSA Key:
  - Go to Azure Key Vault in the Azure Portal.
  - Select Keys and click Generate/Import.
  - Choose RSA-HSM with a key size of 3072 or 4096 bits.
- Update Disk Encryption Settings:
  - Use the new RSA key in your encryption configuration.
  - Restart the VM to apply changes.
- Verify Encryption:
  - Check the provisioning state to ensure the disk encryption extension succeeds.
## Key Considerations
For other Windows Server versions, ensure the following dependencies are installed:

| Operating System | Requirement |
|---|---|
| Windows Server 2012 R2 Core | Install the bdehdcfg component. |
| Windows Server 2016 Core | Install the bdehdcfg component. |
| Windows Server 2008 R2 | Install .NET Framework 4.5 via Windows Update (KB2901983). |

Refer to the documentation for Azure Disk Encryption prerequisites.
## Example Code Snippet
Below is an Azure CLI example to create a Key Vault key with a larger RSA key length:
```bash
# Create a new RSA key with 4096 bits in Azure Key Vault
az keyvault key create \
  --vault-name <YourKeyVaultName> \
  --name <YourKeyName> \
  --kty RSA \
  --size 4096
```
Ensure you replace `<YourKeyVaultName>` and `<YourKeyName>` with the actual names of your Key Vault and key.
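The following script is an added example, not code from the original article or from Microsoft's documentation. It turns both solutions above into Azure CLI functions: Solution 2 creates a KEK and refuses the 2048-bit size the article identifies as unsupported before enabling encryption with `az vm encryption enable`, and Solution 1 enables encryption with a BEK only (no `--key-encryption-key`), so the Key Vault wrap step never runs. Resource group, VM and vault names are placeholders you must replace, `ADE_DRY_RUN` is an assumed convenience switch that prints commands instead of running them, and `--volume-type ALL` is an assumed choice (use `OS` or `DATA` if you only need one).

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Names are placeholders.
# Commands are printed, not executed, unless ADE_DRY_RUN=0 (assumed switch).
set -eu

ADE_DRY_RUN="${ADE_DRY_RUN:-1}"

# run_az: print the az command in dry-run mode, otherwise execute it.
run_az() {
  if [ "$ADE_DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: az %s\n' "$*"
  else
    az "$@"
  fi
}

# kek_size_ok: succeed only for the RSA sizes the article says work on
# Windows 11 / Windows Server 2022 (3072 or 4096); 2048 is rejected.
kek_size_ok() {
  case "$1" in
    3072|4096) return 0 ;;
    *) return 1 ;;
  esac
}

# Solution 2: create a KEK of an accepted size, then enable ADE with it.
# Args: resource-group vm-name keyvault-name kek-name rsa-size
# (--kty RSA-HSM, as in the portal steps, needs a Premium-tier vault.)
enable_ade_with_kek() {
  kek_size_ok "$5" || { echo "refusing RSA $5: use 3072 or 4096" >&2; return 1; }
  run_az keyvault key create --vault-name "$3" --name "$4" --kty RSA --size "$5"
  run_az vm encryption enable --resource-group "$1" --name "$2" \
    --disk-encryption-keyvault "$3" --key-encryption-keyvault "$3" \
    --key-encryption-key "$4" --volume-type ALL
}

# Solution 1: BEK only. Without --key-encryption-key the secret is stored
# in the vault unwrapped, so the failing KEK wrap operation is skipped.
# Args: resource-group vm-name keyvault-name
enable_ade_bek_only() {
  run_az vm encryption enable --resource-group "$1" --name "$2" \
    --disk-encryption-keyvault "$3" --volume-type ALL
}

# Verification step: the extension's reported encryption status after the
# VM has restarted. Args: resource-group vm-name
show_ade_status() {
  run_az vm encryption show --resource-group "$1" --name "$2"
}

# Usage (dry run): enable_ade_with_kek myRG myVM myKeyVault myKEK 4096
```

Run the script once with `ADE_DRY_RUN=1` (the default) to review the exact commands, then re-run with `ADE_DRY_RUN=0` once the placeholders are filled in. After the VM restarts, `show_ade_status` should report the OS and data volumes as encrypted and the extension provisioning state as succeeded.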
## References
For further troubleshooting and guidance, explore the following resources: