
When I try to enable Azure Disk Encryption on an Azure Windows Server 2022 VM I get the following error:

> Failed to enable Azure Disk Encryption on the VM with the following exception details: Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.' at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost()

I have enabled Access Policies on the KeyVault. I'm following the instructions here: https://www.starwindsoftware.com/blog/encrypt-your-azure-vm-with-azure-disk-encryption

The KeyVault is in the same tenant as the VM. I have JIT enabled on the VM. Not sure if that's an issue.

Any ideas?

ozo

2 Answers


I tried to reproduce the same in my environment and got the same error, like below:

> Failed to enable Azure Disk Encryption on the VM with the following exception details: Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED Key vault secret wrap with key encryption key failed.' at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost()


Note: Windows Server 2022 and Windows 11 do not support an RSA 2048-bit key. Check this.

When I created an Azure Windows Server 2019 VM, Azure Disk Encryption deployed successfully.


When I check BitLocker Drive Encryption on the server, BitLocker is enabled in the Azure VM and the disk is encrypting successfully.


Imran
  • Hi Imran, that's great you picked up on the RSA Key Size issue. Do you think if I created the key with 4096 then it will work? – ozo Jan 13 '23 at 08:43
  • Yes, I have created the key with 4096 and it [worked](https://i.imgur.com/8oGf1KM.png). – Imran Jan 13 '23 at 08:54
  • Just re-created the key as 4096 and Azure Data Encryption worked immediately. Thank you Imran. – ozo Jan 15 '23 at 01:51

This is a kind of emerging issue, as KEK encryption is not currently supported on Windows Server 2022.

Please try one of these two possible workarounds:

  1. Use BEK only for the encryption.

  2. Change the length of the RSA key from 2048 to a higher value.

user16217248