Virtual Machines data disks (non-boot volumes) should be encrypted

Description

Encrypting the IaaS VM’s Data disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.

Remediation Steps

Azure Portal

To encrypt Linux VM data disks:

  • Follow the Azure documentation, but select “Data disks” instead of “OS and data disks.”

To encrypt Windows VM data disks:

  • Follow the Azure documentation. Data disks can only be encrypted if the OS disk is encrypted.

Azure CLI

To encrypt Linux VM data disks:

  • Enable encryption on the VM data disk:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt Windows VM data disks:

  • Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"

Terraform

Example Configuration

resource "azurerm_managed_disk" "example" {
  encryption_settings {
      enabled = true
  }
  # other required fields here
}

resource "azurerm_virtual_machine" "example" {
   storage_data_disk {
      managed_disk_id = azurerm_managed_disk.example.id
   }
}