Virtual Machines unattached disks should be encrypted

Description

Encrypting the IaaS VM’s disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.

Azure Portal

To encrypt unattached Linux VM data disks:

To encrypt unattached Windows VM data disks:

Azure CLI

To encrypt unattached Linux VM data disks:

  • Attach the disk to the VM:

    • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

  • Enable encryption on the VM data disk:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"

To encrypt unattached Windows VM data disks:

  • Attach the disk to the VM:

    • az vm disk attach --disk $diskId --new --resource-group MyResourceGroup --size-gb 128 --sku Standard_LRS --vm-name MyVm

  • Data disks can only be encrypted if the OS disk is encrypted. Enable encryption on the VM:

    • az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "All"

Terraform

Example Configuration

resource "azurerm_managed_disk" "example" {
  encryption_settings {
      enabled = true
  }
  # other required fields here
}