Virtual Machines unattached disks should be encrypted
Description
Encrypting an IaaS VM's disks ensures that their entire content is unrecoverable without the key, which protects the volumes from unauthorized reads.
Portal Remediation Steps
To encrypt unattached Linux VM data disks:
Follow the Azure documentation to attach the disk to the VM
Follow the Azure documentation to encrypt the VM, but select “Data disks” instead of “OS and data disks”
To encrypt unattached Windows VM data disks:
Follow the Azure documentation to attach the disk to the VM
Follow the Azure documentation to encrypt the VM. Data disks can only be encrypted if the OS disk is encrypted.
Azure CLI Remediation Steps
To encrypt unattached Linux VM data disks:
Attach the unattached disk to the VM, where $diskId is the name or resource ID of the existing managed disk (the --new, --size-gb and --sku options create a new disk and are not used when attaching an existing one):
az vm disk attach --disk $diskId --resource-group MyResourceGroup --vm-name MyVm
Enable encryption on the VM data disk:
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
To encrypt unattached Windows VM data disks:
Attach the unattached disk to the VM, where $diskId is the name or resource ID of the existing managed disk (the --new, --size-gb and --sku options create a new disk and are not used when attaching an existing one):
az vm disk attach --disk $diskId --resource-group MyResourceGroup --vm-name MyVm
Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:
az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"
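Before remediating, it helps to know which unattached disks the policy would flag. The following check is an added example, not part of the original page or of any Azure tooling: it reads the JSON that `az disk list -o json` returns and reports every disk whose diskState is Unattached and whose Azure Disk Encryption settings (encryptionSettingsCollection.enabled) are absent or disabled. The disk records below are constructed sample data with placeholder names.

```python
import json

# Constructed sample of `az disk list -o json` output, trimmed to the fields this
# check uses. These are not real disks; names and resource groups are placeholders.
SAMPLE_AZ_DISK_LIST = json.dumps([
    {"name": "os-disk-web01", "resourceGroup": "rg-prod", "diskState": "Attached",
     "osType": "Linux", "encryptionSettingsCollection": None},
    {"name": "data-orphan-01", "resourceGroup": "rg-prod", "diskState": "Unattached",
     "osType": None, "encryptionSettingsCollection": None},
    {"name": "data-orphan-02", "resourceGroup": "rg-prod", "diskState": "Unattached",
     "osType": None, "encryptionSettingsCollection": {"enabled": True}},
    {"name": "data-orphan-03", "resourceGroup": "rg-dev", "diskState": "Unattached",
     "osType": None, "encryptionSettingsCollection": {"enabled": False}},
])


def is_ade_encrypted(disk):
    """True only when Azure Disk Encryption settings are present and enabled.

    A missing or null encryptionSettingsCollection means the disk was never
    encrypted with ADE, so it is treated the same as enabled == False.
    """
    collection = disk.get("encryptionSettingsCollection") or {}
    return bool(collection.get("enabled"))


def find_unencrypted_unattached(az_disk_list_json):
    """Return (resourceGroup, name) for each unattached disk without ADE.

    Attached disks are skipped here; they are covered by the VM-level
    encryption check rather than by this policy.
    """
    findings = []
    for disk in json.loads(az_disk_list_json):
        if disk.get("diskState") != "Unattached":
            continue
        if not is_ade_encrypted(disk):
            findings.append((disk["resourceGroup"], disk["name"]))
    return findings


if __name__ == "__main__":
    for rg, name in find_unencrypted_unattached(SAMPLE_AZ_DISK_LIST):
        print(f"{rg}/{name}: unattached and not encrypted with Azure Disk Encryption")
```

Each disk reported is a candidate for the attach-then-encrypt steps above; once `az vm encryption enable` has run, the disk's encryptionSettingsCollection.enabled becomes true and it drops out of the list.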