Virtual Machine OS and data disks should be encrypted with Customer Managed Keys


By default, Virtual Machine managed disks are encrypted with platform-managed keys. OS and data disks may contain sensitive data, and using customer-managed keys gives users more control over that encryption: they can choose when to rotate their keys to meet compliance and security requirements, revoke a managed disk's access to its key (which makes the VM unable to start), and track key usage through Key Vault monitoring.

Remediation Steps

Azure Portal

  • Navigate to Virtual Machines.

  • Select the Virtual Machine.

  • From the left navigation, select Disks.

  • Select X to detach the disk from the Virtual Machine.

  • Find the disk you detached in the previous step and select Encryption.

  • Change the encryption type, select your encryption set, and click Save.

  • Navigate back to the Virtual Machine and re-attach the disk.


  • To encrypt the Virtual Machine OS and data disks with Customer Managed Keys from Azure PowerShell:

  # Resource names (replace with your own)
  $KVRGname = 'MyKeyVaultResourceGroup'
  $VMRGname = 'MyVirtualMachineResourceGroup'
  $vmName = 'MySecureVM'
  $KeyVaultName = 'MySecureVault'

  # Look up the Key Vault that will hold the disk encryption secrets.
  # The vault must allow disk encryption, e.g.:
  #   Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDiskEncryption
  $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
  $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
  $KeyVaultResourceId = $KeyVault.ResourceId

  # Enable the Azure Disk Encryption extension on the VM; without -VolumeType it
  # encrypts both the OS and data volumes.
  Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName `
      -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
      -DiskEncryptionKeyVaultId $KeyVaultResourceId
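As an added example, not part of the original page, the following Az PowerShell script performs the check and the disk-level change that the portal steps above describe: it lists every managed disk in the current subscription whose encryption is not backed by a customer-managed key, then moves one VM's OS disk onto a disk encryption set and reads the setting back. The resource names and the disk encryption set are assumed, and the OS disk is assumed to live in the VM's resource group; the VM is deallocated first because the encryption type of an attached OS disk cannot be changed while it is running.

```powershell
# Added example: audit managed disks for customer-managed-key encryption and
# remediate one OS disk via a disk encryption set. Requires the Az.Compute
# module and an active Connect-AzAccount session. Resource names are assumed.

# Encryption types that satisfy the control (CMK alone, or platform key + CMK)
$cmkTypes = @('EncryptionAtRestWithCustomerKey',
              'EncryptionAtRestWithPlatformAndCustomerKeys')

# 1. Audit: every disk in the subscription still on platform-managed keys only
$nonCompliant = Get-AzDisk | Where-Object { $_.Encryption.Type -notin $cmkTypes }
$nonCompliant |
    Select-Object Name, ResourceGroupName, ManagedBy,
        @{ Name = 'EncryptionType'; Expression = { $_.Encryption.Type } } |
    Format-Table -AutoSize

# 2. Remediate one OS disk (assumed names; disk assumed to be in the VM's RG)
$vmRG    = 'MyVirtualMachineResourceGroup'
$vmName  = 'MySecureVM'
$desRG   = 'MyDiskEncryptionSetResourceGroup'
$desName = 'MyDiskEncryptionSet'

$vm  = Get-AzVM -ResourceGroupName $vmRG -Name $vmName
$des = Get-AzDiskEncryptionSet -ResourceGroupName $desRG -Name $desName
$osDiskName = $vm.StorageProfile.OsDisk.Name

# The encryption type of an attached OS disk can only be changed while the VM
# is deallocated; Stop-AzVM without -StayProvisioned deallocates it.
Stop-AzVM -ResourceGroupName $vmRG -Name $vmName -Force

$update = New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' `
                                 -DiskEncryptionSetId $des.Id
Update-AzDisk -ResourceGroupName $vmRG -DiskName $osDiskName -DiskUpdate $update

Start-AzVM -ResourceGroupName $vmRG -Name $vmName

# 3. Verify: the disk should now report a CMK type and reference the DES
$after = Get-AzDisk -ResourceGroupName $vmRG -DiskName $osDiskName
if ($after.Encryption.Type -notin $cmkTypes) {
    throw "Disk $osDiskName is still encrypted with $($after.Encryption.Type)"
}
$after.Encryption | Format-List Type, DiskEncryptionSetId
```

For data disks the same Update-AzDisk call applies after the disk is detached from the VM (or the VM is deallocated), matching the detach step in the portal procedure.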