Virtual Machine OS and data disks should be encrypted with Customer Managed Keys
Description
By default, Virtual Machine managed disks are encrypted with platform-managed keys. OS and data disks may contain sensitive data, and using customer-managed keys gives the customer more control over the encryption key. Customers can rotate keys on their own schedule to meet compliance and security requirements, revoke the managed disks' access to the key (which causes the VM to stop being able to start), and track key usage through Key Vault monitoring.
Remediation Steps
Azure Portal
Navigate to Virtual Machines.
Select the Virtual Machine.
From the left navigation, select Disks.
Select X to detach the disk from the Virtual Machine.
Find the disk you detached in the previous step and select Encryption.
Change the encryption type, select your encryption set, and click Save.
Navigate back to the Virtual Machine and re-attach the disk.
PowerShell
To encrypt the Virtual Machine OS and data disks with Customer Managed Keys:
# Resource group holding the Key Vault, and the one holding the VM
$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';

# Look up the vault; its URI and resource ID are passed to the encryption extension
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;

# Enable the disk encryption extension on the VM, storing the disk
# encryption secrets in the vault identified above
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId;
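The portal flow above (change a disk's encryption type to a customer-managed key backed by a disk encryption set, then reattach it) scripted end to end for the OS disk and every data disk of one VM. This is an added example, not code from the original page or from the benchmark; the key name `MyDiskKey` and the disk encryption set name `MyDiskEncryptionSet` are assumed placeholders, and the vault is assumed to use access policies rather than RBAC.

```powershell
# Added example (not from the original page). Names are assumed placeholders.
$KVRGname     = 'MyKeyVaultResourceGroup'
$VMRGName     = 'MyVirtualMachineResourceGroup'
$vmName       = 'MySecureVM'
$KeyVaultName = 'MySecureVault'
$keyName      = 'MyDiskKey'              # assumed: RSA key the disks are wrapped with
$desName      = 'MyDiskEncryptionSet'    # assumed: disk encryption set name

# A disk encryption set requires soft delete and purge protection on the vault,
# so a deleted key cannot be purged out from under an encrypted disk.
Update-AzKeyVault -ResourceGroupName $KVRGname -VaultName $KeyVaultName -EnablePurgeProtection
$KeyVault = Get-AzKeyVault -ResourceGroupName $KVRGname -VaultName $KeyVaultName

# Reuse the key if it exists, otherwise create a software-protected RSA key.
$key = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyName -Destination Software
}

# Disk encryption set with a system-assigned identity. Rotation to the latest
# key version means a rotated key is picked up without touching the disks.
$desConfig = New-AzDiskEncryptionSetConfig -Location $KeyVault.Location `
    -SourceVaultId $KeyVault.ResourceId -KeyUrl $key.Key.Kid `
    -IdentityType SystemAssigned -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -ResourceGroupName $VMRGName -Name $desName -InputObject $desConfig

# Least privilege: the set's identity only needs wrap, unwrap and get on keys.
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapKey, unwrapKey, get

# Disks cannot be re-keyed while attached to a running VM: deallocate first,
# update the OS disk and every data disk, then start the VM again.
Stop-AzVM -ResourceGroupName $VMRGName -Name $vmName -Force
$vm = Get-AzVM -ResourceGroupName $VMRGName -Name $vmName
$diskNames = @($vm.StorageProfile.OsDisk.Name) +
             @($vm.StorageProfile.DataDisks | ForEach-Object Name)
$update = New-AzDiskUpdateConfig -EncryptionType EncryptionAtRestWithCustomerKey `
    -DiskEncryptionSetId $des.Id
foreach ($d in $diskNames) {
    Update-AzDisk -ResourceGroupName $VMRGName -DiskName $d -DiskUpdate $update | Out-Null
}
Start-AzVM -ResourceGroupName $VMRGName -Name $vmName

# Verify: each disk should now report EncryptionAtRestWithCustomerKey.
foreach ($d in $diskNames) {
    $disk = Get-AzDisk -ResourceGroupName $VMRGName -DiskName $d
    '{0}: {1}' -f $d, $disk.Encryption.Type
}
```

If the vault uses Azure RBAC instead of access policies, replace the `Set-AzKeyVaultAccessPolicy` step with a role assignment of "Key Vault Crypto Service Encryption User" to `$des.Identity.PrincipalId`.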