Virtual Machine OS and data disks should be encrypted with Customer Managed Keys
By default, Virtual Machine managed disks are encrypted with platform-managed keys. OS and data disks may contain sensitive data, and customer-managed keys give you more control over how that data is protected. With customer-managed keys you choose when to rotate keys to meet your compliance and security requirements, you can revoke a managed disk's access to its key (which causes the VM to fail), and you can track key usage through Key Vault monitoring.
Navigate to Virtual Machines.
Select the Virtual Machine.
From the left navigation, select Disks.
Click the X at the end of the disk's row to detach the disk from the Virtual Machine.
Find the disk you detached in the previous step and select Encryption.
Change the encryption type, select your encryption set, and click Save.
Navigate back to the Virtual Machine and re-attach the disk.
To encrypt the Virtual Machine OS and data disks with Customer Managed Keys:
```powershell
# Resource group, VM and Key Vault names are placeholders; replace them with your own.
$KVRGname     = 'MyKeyVaultResourceGroup'
$VMRGName     = 'MyVirtualMachineResourceGroup'
$vmName       = 'MySecureVM'
$KeyVaultName = 'MySecureVault'

# Look up the vault that will hold the disk encryption key. For the Azure Disk
# Encryption extension the vault must have been enabled for disk encryption.
$KeyVault                  = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId        = $KeyVault.ResourceId

# Enable the Azure Disk Encryption extension on the VM, so its OS and data disks
# are encrypted inside the guest with keys stored in the customer's Key Vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId
```
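The following added example (not code from the original page) first audits which managed disks attached to the VMs in a resource group are still under platform-managed keys, and then optionally moves them to server-side encryption with a customer-managed key through a disk encryption set, which is the path the portal steps above follow. The resource group, disk encryption set and VM names are assumed placeholders.

```powershell
# Assumed placeholder names; replace with your own resources.
$VMRGName  = 'MyVirtualMachineResourceGroup'
$DesRGName = 'MyKeyVaultResourceGroup'
$DesName   = 'MyDiskEncryptionSet'
$Remediate = $false   # set to $true to re-key non-compliant disks

# Encryption types that involve a customer-managed key count as compliant.
$CompliantTypes = 'EncryptionAtRestWithCustomerKey',
                  'EncryptionAtRestWithPlatformAndCustomerKeys'

# Collect the OS disk and every data disk of each VM, reading the disk's own
# resource group from its resource ID (disks may live outside the VM's group).
$findings = foreach ($vm in Get-AzVM -ResourceGroupName $VMRGName) {
    $diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
               @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
    foreach ($id in $diskIds) {
        $parts = $id -split '/'
        $disk  = Get-AzDisk -ResourceGroupName $parts[4] -DiskName $parts[-1]
        [pscustomobject]@{
            VM        = $vm.Name
            DiskRG    = $parts[4]
            Disk      = $disk.Name
            Type      = $disk.Encryption.Type
            DES       = $disk.Encryption.DiskEncryptionSetId
            Compliant = $CompliantTypes -contains $disk.Encryption.Type
        }
    }
}
$findings | Format-Table VM, Disk, Type, Compliant -AutoSize

if ($Remediate) {
    $des = Get-AzDiskEncryptionSet -ResourceGroupName $DesRGName -Name $DesName
    # The encryption type can only change while no running VM holds the disk,
    # so deallocate each affected VM once, re-key all its disks, then start it.
    $byVm = $findings | Where-Object { -not $_.Compliant } | Group-Object VM
    foreach ($group in $byVm) {
        Stop-AzVM -ResourceGroupName $VMRGName -Name $group.Name -Force | Out-Null
        foreach ($f in $group.Group) {
            New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' `
                                   -DiskEncryptionSetId $des.Id |
                Update-AzDisk -ResourceGroupName $f.DiskRG -DiskName $f.Disk | Out-Null
        }
        Start-AzVM -ResourceGroupName $VMRGName -Name $group.Name | Out-Null
    }
}
```

Run the audit first with `$Remediate` left at `$false`; the disk encryption set must already exist and have access to its key in Key Vault before any disk is re-keyed.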
Azure Disk Encryption for virtual machines and virtual machine scale sets
Azure PowerShell - Enable customer-managed keys with server-side encryption - managed disks