Virtual Machines unattached disks should be encrypted

Description

Encrypting the IaaS VM’s disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.

Portal Remediation Steps

To encrypt unattached Linux VM data disks:

To encrypt unattached Windows VM data disks:

Azure CLI Remediation Steps

To encrypt unattached Linux VM data disks:

  • Attach the disk to the VM:

    • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

  • Enable encryption on the VM data disk:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt unattached Windows VM data disks:

  • Attach the disk to the VM:

    • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

  • Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"