Virtual Machines unattached disks should be encrypted
Description
Encrypting an IaaS VM's managed disks means that the disk contents cannot be read without the key, which protects the volume against unauthorised reads of the underlying storage and against a disk being copied, exported or attached to another VM. A disk that has been detached from its VM is easy to overlook, but it still holds everything that was written to it and must therefore be encrypted like any attached disk. Note that every Azure managed disk is encrypted at rest with a platform-managed key by default; this rule checks for an explicit encryption configuration on the disk, that is Azure Disk Encryption or a disk encryption set (customer-managed key).
Azure Portal
To encrypt unattached Linux VM data disks:
1. Follow the Azure documentation to attach the disk to the VM.
2. Follow the Azure documentation to encrypt the VM, but select "Data disks" instead of "OS and data disks".
To encrypt unattached Windows VM data disks:
1. Follow the Azure documentation to attach the disk to the VM.
2. Follow the Azure documentation to encrypt the VM. On Windows, data disks can only be encrypted if the OS disk is encrypted as well.
Azure CLI
Azure Disk Encryption is enabled per VM, so the unattached disk is first attached to a VM and then encrypted through that VM. In the commands below, $diskId is the resource ID (or name) of the existing unattached disk; do not pass --new, --size-gb or --sku, which would create a fresh empty disk instead of attaching the existing one. (Older CLI versions spell the --name parameter of az vm disk attach as --disk.)
To encrypt unattached Linux VM data disks:
1. Attach the existing disk to the VM:
az vm disk attach --name $diskId --resource-group MyResourceGroup --vm-name MyVm
2. Enable encryption on the VM's data disks:
az vm encryption enable --resource-group "MyResourceGroup" --name "MyVm" --disk-encryption-keyvault "MySecureVault" --volume-type "Data"
To encrypt unattached Windows VM data disks:
1. Attach the existing disk to the VM:
az vm disk attach --name $diskId --resource-group MyResourceGroup --vm-name MyVm
2. On Windows, data disks can only be encrypted if the OS disk is encrypted, so enable encryption for all volumes of the VM:
az vm encryption enable --resource-group "MyResourceGroup" --name "MyVm" --disk-encryption-keyvault "MySecureVault" --volume-type "All"
Alternatively, an unattached disk can be moved to a customer-managed key without attaching it to any VM, by assigning a disk encryption set to the disk; the Terraform section below accepts that configuration as compliant too.
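The following script is an added example, not code from the original page, that applies the rule to the output of az disk list. It reads the JSON the CLI returns and reports every disk that is unattached and has neither a disk encryption set nor Azure Disk Encryption enabled, so it can be used both to find disks that need the procedure above and to confirm that the procedure worked. The SAMPLE_DISKS document, the subscription ID and the resource names in it are constructed for this example; the field names (diskState, managedBy, encryption, encryptionSettingsCollection) are the Microsoft.Compute/disks properties the CLI prints.

```python
"""Audit Azure managed disks for the rule above: unattached and not encrypted.

Added example, not code from the original page. It applies the rule to the
JSON that `az disk list -o json` returns. A disk is compliant only when it
has an explicit encryption configuration: a disk encryption set (customer-
managed key) or Azure Disk Encryption (encryptionSettingsCollection.enabled).
The default server-side encryption with a platform-managed key, reported as
encryption.type == "EncryptionAtRestWithPlatformKey", exists on every managed
disk and therefore does not count. SAMPLE_DISKS is constructed for this
example and abbreviates the real CLI output.
"""
import json
import sys

# Constructed resource IDs (assumed names, not real resources).
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "MyResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/MyDes")
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVm")

SAMPLE_DISKS = json.dumps([
    {   # unattached, only the default platform-key SSE: must be reported
        "name": "orphan-plain", "diskState": "Unattached", "managedBy": None,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey",
                       "diskEncryptionSetId": None},
        "encryptionSettingsCollection": None},
    {   # unattached, customer-managed key through a disk encryption set: ok
        "name": "orphan-cmk", "diskState": "Unattached", "managedBy": None,
        "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                       "diskEncryptionSetId": DES_ID},
        "encryptionSettingsCollection": None},
    {   # unattached, Azure Disk Encryption enabled (Key Vault secret): ok
        "name": "orphan-ade", "diskState": "Unattached", "managedBy": None,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey",
                       "diskEncryptionSetId": None},
        "encryptionSettingsCollection": {"enabled": True}},
    {   # attached to a VM: out of scope for this rule
        "name": "attached-plain", "diskState": "Attached", "managedBy": VM_ID,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey",
                       "diskEncryptionSetId": None},
        "encryptionSettingsCollection": None},
])


def is_unattached(disk):
    """Unattached disks report diskState 'Unattached' and no owning VM."""
    return disk.get("diskState") == "Unattached" and not disk.get("managedBy")


def is_explicitly_encrypted(disk):
    """True for a disk encryption set (customer-managed key) or for ADE."""
    sse = disk.get("encryption") or {}
    if sse.get("diskEncryptionSetId"):
        return True
    ade = disk.get("encryptionSettingsCollection") or {}
    return bool(ade.get("enabled"))


def unencrypted_unattached(disks_json):
    """Return the names of the disks that violate the rule, in input order."""
    disks = json.loads(disks_json)
    return [d["name"] for d in disks
            if is_unattached(d) and not is_explicitly_encrypted(d)]


def main():
    # Real use: az disk list -o json | python audit_disks.py
    # Without piped input the constructed sample is evaluated instead.
    data = SAMPLE_DISKS if sys.stdin.isatty() else sys.stdin.read()
    for name in unencrypted_unattached(data):
        print(f"NON-COMPLIANT: unattached disk {name} has no disk encryption "
              f"set and Azure Disk Encryption is not enabled")


if __name__ == "__main__":
    main()
```

Running the script with the constructed sample reports only orphan-plain: the disk protected by a disk encryption set and the disk with Azure Disk Encryption pass, and the attached disk is out of scope regardless of its encryption.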
Azure Resource Manager
Ensure that a Microsoft.SqlVirtualMachine/sqlVirtualMachines resource contains the following:
{
  "properties": {
    "enableEncryption": true
  }
}
Example Configuration
{
  "type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
  "apiVersion": "2017-03-01-preview",
  "properties": {
    "enableEncryption": true
  }
  # other required fields here
}
Terraform
Ensure that an azurerm_managed_disk contains at least one of the following:
- encryption_settings.enabled = true (Azure Disk Encryption)
- disk_encryption_set_id = <valid disk encryption set id> (server-side encryption with a customer-managed key)
The rule applies to disks that are not attached to a VM: a disk counts as unattached when its azurerm_managed_disk.id is referenced neither by azurerm_virtual_machine.storage_data_disk.managed_disk_id nor by azurerm_virtual_machine_data_disk_attachment.managed_disk_id. Note that the azurerm 3.x provider deprecates the enabled argument of encryption_settings (it is removed in 4.0); in those versions the presence of the encryption_settings block, with its disk_encryption_key, is what enables Azure Disk Encryption.
Example Configuration
resource "azurerm_managed_disk" "example" {
  encryption_settings {
    enabled = true
  }
  # other required fields here
}
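The Terraform rule above combines an encryption check with an attachment check, and the attachment check cannot be done on attribute values before apply because the disk's ID is not known yet. The script below is an added example, not code from the page or from the azurerm provider, that evaluates the rule against the JSON produced by terraform show -json plan.out. It walks the configuration.root_module.resources section, where an expression such as azurerm_managed_disk.data.id appears as a reference to the disk resource, so attachments are visible at plan time. SAMPLE_PLAN is constructed for this example and covers an orphaned plain disk, a disk with a disk encryption set, a disk with encryption_settings, and disks attached through each of the two attachment forms; child modules and literal disk IDs are not handled.

```python
"""Evaluate the Terraform rule above against `terraform show -json plan.out`.

Added example; it is not part of the page or of the azurerm provider. Only
the root module's `configuration` section is walked. A managed_disk_id given
as a literal string cannot be matched to a disk resource at plan time and is
ignored, so such a disk would be reported as unattached. SAMPLE_PLAN is a
constructed, heavily abbreviated plan document.
"""
import json

SAMPLE_PLAN = json.dumps({"configuration": {"root_module": {"resources": [
    {"address": "azurerm_managed_disk.orphan", "type": "azurerm_managed_disk",
     "name": "orphan", "expressions": {"name": {"constant_value": "orphan"}}},
    {"address": "azurerm_managed_disk.cmk", "type": "azurerm_managed_disk",
     "name": "cmk", "expressions": {"disk_encryption_set_id": {
         "references": ["azurerm_disk_encryption_set.des.id",
                        "azurerm_disk_encryption_set.des"]}}},
    {"address": "azurerm_managed_disk.ade", "type": "azurerm_managed_disk",
     "name": "ade", "expressions": {"encryption_settings": [
         {"enabled": {"constant_value": True}}]}},
    {"address": "azurerm_managed_disk.data", "type": "azurerm_managed_disk",
     "name": "data", "expressions": {}},
    {"address": "azurerm_virtual_machine_data_disk_attachment.data",
     "type": "azurerm_virtual_machine_data_disk_attachment", "name": "data",
     "expressions": {"managed_disk_id": {"references": [
         "azurerm_managed_disk.data.id", "azurerm_managed_disk.data"]}}},
    {"address": "azurerm_managed_disk.legacy", "type": "azurerm_managed_disk",
     "name": "legacy", "expressions": {}},
    {"address": "azurerm_virtual_machine.vm", "type": "azurerm_virtual_machine",
     "name": "vm", "expressions": {"storage_data_disk": [
         {"managed_disk_id": {"references": ["azurerm_managed_disk.legacy.id",
                                             "azurerm_managed_disk.legacy"]}}]}},
]}}})


def _disk_refs(expr):
    """Addresses of azurerm_managed_disk resources named in a managed_disk_id expression."""
    refs = set()
    for ref in (expr or {}).get("references", []):
        parts = ref.split(".")
        if parts[0] == "azurerm_managed_disk" and len(parts) >= 2:
            # drop a count/for_each index such as "x[0]" to get the resource address
            refs.add(f"{parts[0]}.{parts[1].split('[')[0]}")
    return refs


def _is_set(expr):
    """An attribute counts as set when it has a non-empty literal or any reference."""
    return bool(expr and (expr.get("constant_value") or expr.get("references")))


def is_encrypted(disk):
    """disk_encryption_set_id present, or an encryption_settings block not disabled."""
    ex = disk.get("expressions", {})
    if _is_set(ex.get("disk_encryption_set_id")):
        return True
    for block in ex.get("encryption_settings", []):
        # absent or non-literal `enabled` is treated as true (block presence enables ADE)
        if block.get("enabled", {}).get("constant_value", True):
            return True
    return False


def plan_violations(plan_json):
    """Addresses of azurerm_managed_disk resources that are unattached and unencrypted."""
    resources = json.loads(plan_json)["configuration"]["root_module"]["resources"]
    attached = set()
    for r in resources:
        ex = r.get("expressions", {})
        if r["type"] == "azurerm_virtual_machine_data_disk_attachment":
            attached |= _disk_refs(ex.get("managed_disk_id"))
        elif r["type"] == "azurerm_virtual_machine":
            for sdd in ex.get("storage_data_disk", []):
                attached |= _disk_refs(sdd.get("managed_disk_id"))
    return [r["address"] for r in resources
            if r["type"] == "azurerm_managed_disk"
            and r["address"] not in attached and not is_encrypted(r)]


if __name__ == "__main__":
    # Real use: terraform show -json plan.out > plan.json, then load plan.json here.
    for address in plan_violations(SAMPLE_PLAN):
        print(f"NON-COMPLIANT: {address} is unattached and not encrypted")
```

On the constructed plan only azurerm_managed_disk.orphan is reported: cmk and ade satisfy the encryption check, and data and legacy are attached through azurerm_virtual_machine_data_disk_attachment and azurerm_virtual_machine.storage_data_disk respectively.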