vm repair bitlocker key

Azure · Jul 22, 2024 · e75ca68 · e75ca68
1 parent 852fdaf
commit e75ca68
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 11 deletions.
diff --git a/src/vm-repair/azext_vm_repair/_params.py b/src/vm-repair/azext_vm_repair/_params.py
@@ -29,6 +29,7 @@ def load_arguments(self, _):
         c.argument('copy_disk_name', help='Name of OS disk copy.')
         c.argument('repair_group_name', help='Name for new or existing resource group that will contain repair VM.')
         c.argument('unlock_encrypted_vm', help='Option to auto-unlock encrypted VMs using current subscription auth.')
+        c.argument('encrypted_vm_recovery_password', help='Option to auto-unlock encrypted VMs using current subscription auth.')
         c.argument('enable_nested', help='enable nested hyperv.')
         c.argument('associate_public_ip', help='Option to create repair vm with public ip')
         c.argument('distro', help='Option to create repair vm from a specific linux distro (rhel7|rhel8|suse12|ubuntu20|centos7|oracle7)')

diff --git a/src/vm-repair/azext_vm_repair/custom.py b/src/vm-repair/azext_vm_repair/custom.py
@@ -51,9 +51,9 @@
 logger = get_logger(__name__)
 
 
-def create(cmd, vm_name, resource_group_name, repair_password=None, repair_username=None, repair_vm_name=None, copy_disk_name=None, repair_group_name=None, unlock_encrypted_vm=False, enable_nested=False, associate_public_ip=False, distro='ubuntu', yes=False):
+def create(cmd, vm_name, resource_group_name, repair_password=None, repair_username=None, repair_vm_name=None, copy_disk_name=None, repair_group_name=None, unlock_encrypted_vm=False, encrypted_vm_recovery_password="", enable_nested=False, associate_public_ip=False, distro='ubuntu', yes=False):
 
-    # log all the parameters
+    # log all the parameters not logging the bitlocker key
     logger.debug('vm repair create command parameters: vm_name: %s, resource_group_name: %s, repair_password: %s, repair_username: %s, repair_vm_name: %s, copy_disk_name: %s, repair_group_name: %s, unlock_encrypted_vm: %s, enable_nested: %s, associate_public_ip: %s, distro: %s, yes: %s', vm_name, resource_group_name, repair_password, repair_username, repair_vm_name, copy_disk_name, repair_group_name, unlock_encrypted_vm, enable_nested, associate_public_ip, distro, yes)
 
     # Init command helper object
@@ -151,7 +151,7 @@ def create(cmd, vm_name, resource_group_name, repair_password=None, repair_usern
             if not is_linux and unlock_encrypted_vm:
                 # windows with encryption
                 _create_repair_vm(copy_disk_id, create_repair_vm_command, repair_password, repair_username)
-                _unlock_encrypted_vm_run(repair_vm_name, repair_group_name, is_linux)
+                _unlock_encrypted_vm_run(repair_vm_name, repair_group_name, is_linux, encrypted_vm_recovery_password)
 
             if is_linux and unlock_encrypted_vm:
                 # linux with encryption

diff --git a/src/vm-repair/azext_vm_repair/repair_utils.py b/src/vm-repair/azext_vm_repair/repair_utils.py
@@ -407,11 +407,11 @@ def _secret_tag_check(resource_group_name, copy_disk_name, secreturl):
         _call_az_command(set_tag_command)
 
 
-def _unlock_singlepass_encrypted_disk(repair_vm_name, repair_group_name, is_linux):
+def _unlock_singlepass_encrypted_disk(repair_vm_name, repair_group_name, is_linux, encrypted_vm_recovery_password):
     logger.info('Unlocking attached copied disk...')
     if is_linux:
         return _unlock_mount_linux_encrypted_disk(repair_vm_name, repair_group_name)
-    return _unlock_mount_windows_encrypted_disk(repair_vm_name, repair_group_name)
+    return _unlock_mount_windows_encrypted_disk(repair_vm_name, repair_group_name, encrypted_vm_recovery_password)
 
 
 def _unlock_singlepass_encrypted_disk_fallback(source_vm, resource_group_name, repair_vm_name, repair_group_name, copy_disk_name, is_linux):
@@ -462,10 +462,13 @@ def _unlock_mount_linux_encrypted_disk(repair_vm_name, repair_group_name):
     return _invoke_run_command(LINUX_RUN_SCRIPT_NAME, repair_vm_name, repair_group_name, True)
 
 
-def _unlock_mount_windows_encrypted_disk(repair_vm_name, repair_group_name):
+def _unlock_mount_windows_encrypted_disk(repair_vm_name, repair_group_name, encrypted_vm_recovery_password):
     # Unlocks the disk using the phasephrase and mounts it on the repair VM.
     WINDOWS_RUN_SCRIPT_NAME = 'win-mount-encrypted-disk.ps1'
-    return _invoke_run_command(WINDOWS_RUN_SCRIPT_NAME, repair_vm_name, repair_group_name, False)
+    BITLOCKER_RECOVERY_PARAMS = None
+    if encrypted_vm_recovery_password is None:
+        BITLOCKER_RECOVERY_PARAMS = ['-bitlockerkey', encrypted_vm_recovery_password]
+    return _invoke_run_command(WINDOWS_RUN_SCRIPT_NAME, repair_vm_name, repair_group_name, False, parameters=BITLOCKER_RECOVERY_PARAMS)
 
 
 def _fetch_compatible_windows_os_urn(source_vm):
@@ -694,8 +697,8 @@ def _get_function_param_dict(frame):
     return values
 
 
-def _unlock_encrypted_vm_run(repair_vm_name, repair_group_name, is_linux):
-    stdout, stderr = _unlock_singlepass_encrypted_disk(repair_vm_name, repair_group_name, is_linux)
+def _unlock_encrypted_vm_run(repair_vm_name, repair_group_name, is_linux, encrypted_vm_recovery_password):
+    stdout, stderr = _unlock_singlepass_encrypted_disk(repair_vm_name, repair_group_name, is_linux, encrypted_vm_recovery_password)
     logger.debug('Unlock script STDOUT:\n%s', stdout)
     if stderr:
         logger.warning('Encryption unlock script error was generated:\n%s', stderr)

diff --git a/src/vm-repair/azext_vm_repair/scripts/win-mount-encrypted-disk.ps1 b/src/vm-repair/azext_vm_repair/scripts/win-mount-encrypted-disk.ps1
@@ -1,3 +1,6 @@
+param (
+    [string]$bitlockerkey=$null
+)
 Write-Output "Finding volume with 'Bek Volume' file system label"
 $bekVolume = Get-Volume | Where-Object {$_.FileSystemLabel -eq 'Bek Volume'}
 if ($bekVolume)
@@ -29,7 +32,8 @@ if ($bekFile)
     $bekFilePath = $bekFile.FullName
     Write-Output "Found $bekFilePath"
 }
-else {
+if ($bitlockerkey)
+{
     Write-Output "No *.BEK file found on drive $($bekPartition.DriveLetter)"
     Exit 1
 }
@@ -42,7 +46,15 @@ if ($encryptedVolume)
     $driveLetter = $encryptedVolume.MountPoint
     Write-Output "Found encrypted volume with drive letter $driveLetter"
     Write-Output "Unlocking encrypted drive $driveLetter"
-    $result = Unlock-BitLocker -MountPoint $driveLetter -RecoveryKeyPath $bekFilePath
+    if ($bitlockerkey)
+    {
+        $result = Unlock-BitLocker -MountPoint $driveLetter -RecoveryKey $bitlockerkey
+    }
+    else
+    {
+        $result = Unlock-BitLocker -MountPoint $driveLetter -RecoveryKeyPath $bekFilePath
+    }
+    ##$result = Unlock-BitLocker -MountPoint $driveLetter -RecoveryKeyPath $bekFilePath
     if ($result)
     {
         if ($result.LockStatus -eq 'Unlocked')