Virtual Machines unattached disks should be encrypted

Description

Encrypting the IaaS VM’s disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.

Azure Portal

To encrypt unattached Linux VM data disks:

• Follow the Azure documentation to attach the disk to the VM

• Follow the Azure documentation to encrypt the VM, but select “Data disks” instead of “OS and data disks”

To encrypt unattached Windows VM data disks:

• Follow the Azure documentation to attach the disk to the VM

• Follow the Azure documentation to encrypt the VM. Data disks can only be encrypted if the OS disk is encrypted.

Azure CLI

To encrypt unattached Linux VM data disks:

• Attach the disk to the VM:

  • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

• Enable encryption on the VM data disk:

  • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt unattached Windows VM data disks:

• Attach the disk to the VM:

  • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

• Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

  • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"

Azure Resource Manager

• Ensure that a Microsoft.SqlVirtualMachine/sqlVirtualMachines resource contains the following:

{
  "properties": {
  "enableEncryption": true
  }
}

Example Configuration

{
  "type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
  "apiVersion": "2017-03-01-preview",
  "properties": {
    "enableEncryption": true
    }
  # other required fields here
}

Terraform

• Ensure that an azurerm_managed_disk contains at least one of the following:

  • encryption_settings.enabled = true

  • disk_encryption_set_id = <valid disk encryption set id>

• The managed_disk.id must NOT equal azurerm_virtual_machine.storage_data_disk.managed_disk_id or azurerm_virtual_machine_data_disk_attachment.managed_disk_id

Example Configuration

resource "azurerm_managed_disk" "example" {
  encryption_settings {
      enabled = true
  }
  # other required fields here
}

Documentation Links

Runtime

• Portal: Attach a data disk to a Linux VM

• CLI: Attach a data disk to a Linux/Windows VM

• Portal: Attach a data disk to a Windows VM

• Portal: Encrypt the Linux virtual machine

• CLI: Encrypt the Linux virtual machine

• Portal: Encrypt the Windows virtual machine

• CLI: Encrypt the Windows virtual machine

Azure Resource Manager

• Microsoft.SqlVirtualMachine sqlVirtualMachines

Terraform

• Resource: azurerm_managed_disk

  • Field: enabled

  • Field: disk_encryption_set_id