Virtual Machines data disks (non-boot volumes) should be encrypted
Description
Encrypting an IaaS VM's data disks ensures that their entire content is unrecoverable without the key and thus protects the volumes from unwarranted reads.
Remediation Steps
Azure Portal
To encrypt Linux VM data disks:
Follow the Azure documentation, but select “Data disks” instead of “OS and data disks.”
To encrypt Windows VM data disks:
Follow the Azure documentation. Data disks can only be encrypted if the OS disk is encrypted.
Azure CLI
To encrypt Linux VM data disks:
Enable encryption on the VM data disk:
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
To encrypt Windows VM data disks:
Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"
Azure Resource Manager
Ensure that a Microsoft.Compute/disks resource contains one of the following:
encryption.diskEncryptionSetId: <valid disk encryption set id>
encryptionSettingsCollection.enabled: true
Example Configuration
Using encryption.diskEncryptionSetId:
{
  "type": "Microsoft.Compute/disks",
  "apiVersion": "2021-04-01",
  "properties": {
    "encryption": {
      "diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'mydiskencryptionset')]"
    }
  }
  # other required fields here
}
Using encryptionSettingsCollection:
{
  "type": "Microsoft.Compute/disks",
  "apiVersion": "2021-04-01",
  "properties": {
    "encryptionSettingsCollection": {
      "enabled": true
    }
  }
  # other required fields here
}
Terraform
Ensure that an azurerm_managed_disk contains at least one of the following:
encryption_settings.enabled = true
disk_encryption_set_id = <valid disk encryption set id>
The disk's azurerm_managed_disk.id must be referenced by azurerm_virtual_machine.storage_data_disk.managed_disk_id or by azurerm_virtual_machine_data_disk_attachment.managed_disk_id.
Example Configuration
resource "azurerm_managed_disk" "example" {
  encryption_settings {
    enabled = true
  }
  # other required fields here
}

resource "azurerm_virtual_machine" "example" {
  storage_data_disk {
    managed_disk_id = azurerm_managed_disk.example.id
  }
  # other required fields here
}
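The two checks above (the ARM condition on Microsoft.Compute/disks and the Terraform condition on azurerm_managed_disk) can be run offline against IaC artifacts before anything is deployed. The script below is an added example written for this page, not code from Azure or from the rule's own engine. It assumes the standard ARM template layout (a top-level "resources" array) and the JSON that `terraform show -json <planfile>` emits (planned_values.root_module.resources, with child_modules nested inside); both sample inputs are constructed inline for the demonstration, including the placeholder subscription id.

```python
"""Offline compliance check for "data disks should be encrypted".

A disk passes when it has a disk encryption set reference or has
encryption settings enabled; anything else is reported as non-compliant.
"""
import json

# Constructed ARM template: two compliant disks (DES, then ADE-style
# encryptionSettingsCollection), one non-compliant disk, and a VM that
# must be ignored by the check.
ARM_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Compute/disks", "name": "data-des",
     "properties": {"encryption": {"diskEncryptionSetId":
       "[resourceId('Microsoft.Compute/diskEncryptionSets', 'mydiskencryptionset')]"}}},
    {"type": "Microsoft.Compute/disks", "name": "data-ade",
     "properties": {"encryptionSettingsCollection": {"enabled": true}}},
    {"type": "Microsoft.Compute/disks", "name": "data-plain",
     "properties": {"diskSizeGB": 128}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm"}
  ]
}
""")

# Constructed Terraform plan JSON (shape of `terraform show -json`), with a
# placeholder subscription id. A disk inside a child module is included to
# show that nested modules must be walked too.
TF_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "azurerm_managed_disk.example", "type": "azurerm_managed_disk",
       "values": {"encryption_settings": [{"enabled": true}], "disk_encryption_set_id": null}},
      {"address": "azurerm_managed_disk.plain", "type": "azurerm_managed_disk",
       "values": {"encryption_settings": [], "disk_encryption_set_id": null}}
    ],
    "child_modules": [{"address": "module.storage", "resources": [
      {"address": "module.storage.azurerm_managed_disk.des", "type": "azurerm_managed_disk",
       "values": {"encryption_settings": [], "disk_encryption_set_id":
         "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/mydiskencryptionset"}}
    ]}]
  }}
}
""")


def _non_empty(value) -> bool:
    """True for a non-blank string; None, "" and non-strings fail."""
    return isinstance(value, str) and value.strip() != ""


def arm_disk_encrypted(resource: dict) -> bool:
    """Either properties.encryption.diskEncryptionSetId is set, or
    properties.encryptionSettingsCollection.enabled is exactly true."""
    props = resource.get("properties") or {}
    if _non_empty((props.get("encryption") or {}).get("diskEncryptionSetId")):
        return True
    return (props.get("encryptionSettingsCollection") or {}).get("enabled") is True


def arm_unencrypted_disks(template: dict) -> list:
    """Names of every Microsoft.Compute/disks resource failing the check."""
    return [r.get("name", "<unnamed>")
            for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Compute/disks" and not arm_disk_encrypted(r)]


def tf_disk_encrypted(values: dict) -> bool:
    """Either disk_encryption_set_id is set, or some encryption_settings
    block has enabled = true (the plan renders blocks as a list)."""
    if _non_empty(values.get("disk_encryption_set_id")):
        return True
    return any(block.get("enabled") is True for block in values.get("encryption_settings") or [])


def _walk_modules(module: dict):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def tf_unencrypted_disks(plan: dict) -> list:
    """Addresses of every azurerm_managed_disk in the plan failing the check."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in _walk_modules(root)
            if r.get("type") == "azurerm_managed_disk"
            and not tf_disk_encrypted(r.get("values") or {})]


if __name__ == "__main__":
    print("ARM non-compliant disks:", arm_unencrypted_disks(ARM_TEMPLATE))
    print("Terraform non-compliant disks:", tf_unencrypted_disks(TF_PLAN))
```

One caveat when running this against a real plan: a disk_encryption_set_id that points at a disk encryption set created in the same plan is not known until apply, so it is absent from planned_values and the disk would be flagged; such values show up under resource_changes[].change.after_unknown instead, which a production check should consult before reporting. The attachment condition from the Terraform section (managed_disk_id referencing the disk) is subject to the same limitation, which is why this example checks every managed disk rather than only attached ones.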