Virtual Machines data disks (non-boot volumes) should be encrypted

Description

Encrypting the IaaS VM's data disks ensures that their entire content is unrecoverable without the key and thus protects the volumes from unwarranted reads.

Portal Remediation Steps

To encrypt Linux VM data disks:

  • Follow the Azure documentation, but select “Data disks” instead of “OS and data disks.”

To encrypt Windows VM data disks:

  • Follow the Azure documentation. Data disks can only be encrypted if the OS disk is encrypted.

Azure CLI Remediation Steps

To encrypt Linux VM data disks:

  • Enable encryption on the VM data disk:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt Windows VM data disks:

  • Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"
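As an added worked example, not part of this policy page or of the Azure CLI itself: a small Python audit that reads each VM's encryption status (a constructed sample modelled on the JSON that `az vm encryption show` prints; the osDisk/dataDisk/osType field names and the Encrypted/NotEncrypted values are an assumption about your CLI version) and emits the matching `az vm encryption enable` command, choosing --volume-type Data for Linux and All for Windows as the steps above require.

```python
import json
import shlex
from typing import Optional

# Constructed sample, modelled on the per-VM JSON that `az vm encryption show`
# prints for Azure Disk Encryption (assumption: the osDisk/dataDisk/osType
# fields and the "Encrypted"/"NotEncrypted" values match your CLI version).
SAMPLE_STATUS = json.loads("""{
  "linux-vm":     {"osType": "Linux",   "osDisk": "NotEncrypted", "dataDisk": "NotEncrypted"},
  "win-vm":       {"osType": "Windows", "osDisk": "NotEncrypted", "dataDisk": "NotEncrypted"},
  "win-vm-os":    {"osType": "Windows", "osDisk": "Encrypted",    "dataDisk": "NotEncrypted"},
  "compliant-vm": {"osType": "Linux",   "osDisk": "Encrypted",    "dataDisk": "Encrypted"}
}""")


def data_disks_encrypted(status: dict) -> bool:
    """The finding is satisfied only when the data volumes report Encrypted."""
    return status.get("dataDisk") == "Encrypted"


def remediation_command(vm_name: str, status: dict,
                        resource_group: str, key_vault: str) -> Optional[str]:
    """Return the `az vm encryption enable` invocation that fixes the finding,
    or None when the VM's data disks are already encrypted."""
    if data_disks_encrypted(status):
        return None
    # Linux can encrypt the data volumes on their own; Windows data disks can
    # only be encrypted together with the OS disk, so Windows gets volume-type All.
    volume_type = "Data" if status.get("osType") == "Linux" else "All"
    argv = ["az", "vm", "encryption", "enable",
            "--resource-group", resource_group,
            "--name", vm_name,
            "--disk-encryption-keyvault", key_vault,
            "--volume-type", volume_type]
    return shlex.join(argv)  # shell-safe quoting of names taken from input


def audit(statuses: dict, resource_group: str, key_vault: str) -> dict:
    """Map each non-compliant VM name to its remediation command."""
    findings = {}
    for name, status in statuses.items():
        cmd = remediation_command(name, status, resource_group, key_vault)
        if cmd is not None:
            findings[name] = cmd
    return findings


if __name__ == "__main__":
    for vm, cmd in audit(SAMPLE_STATUS, "MyVirtualMachineResourceGroup", "MySecureVault").items():
        print(f"{vm}: {cmd}")
```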