Virtual Machines unattached disks should be encrypted

Description

Encrypting the IaaS VM’s disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.

Portal Remediation Steps

To encrypt unattached Linux VM data disks:

• Follow the Azure documentation to attach the disk to the VM

• Follow the Azure documentation to encrypt the VM, but select “Data disks” instead of “OS and data disks”

To encrypt unattached Windows VM data disks:

• Follow the Azure documentation to attach the disk to the VM

• Follow the Azure documentation to encrypt the VM. Data disks can only be encrypted if the OS disk is encrypted.

Azure CLI Remediation Steps

To encrypt unattached Linux VM data disks:

• Attach the disk to the VM:

  • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

• Enable encryption on the VM data disk:

  • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt unattached Windows VM data disks:

• Attach the disk to the VM:

  • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

• Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

  • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"

Documentation Links

• Attach a data disk to a Linux VM (Portal)

• Attach a data disk to a Linux/Windows VM (CLI)

• Attach a data disk to a Windows VM (Portal)

• Encrypt the Linux virtual machine (Portal)

• Encrypt the Linux virtual machine (CLI)

• Encrypt the Windows virtual machine (Portal)

• Encrypt the Windows virtual machine (CLI)