Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys


Virtual Machine managed disks that are not attached to any VMs may still contain sensitive information, and users should use customer-managed keys for more control. Users can choose when to rotate their keys per compliance and security requirements, prevent managed disks from accessing keys to cause a VM to fail, and track key usage through Key Vault monitoring.

Remediation Steps

Azure Portal

  • Navigate to Disks.

  • From the Add filter drop-down, select Disk State.

    • From the Value drop-down, select Unattached and click Apply.

  • Select the unattached Disk.

  • In the left navigation under Settings select Encryption.

  • From the Encryption type drop-down, select Encryption at-rest with a customer-managed key.

  • From the Disk encryption set drop-down, select an existing disk encryption set.

  • Click Save.

Azure CLI

az disk list --subscription "YourSubscription"
az disk update --disk-encryption-set "NameofDiskEncryption" --encryption-type "EncryptionAtRestWithCustomerKey" --subscription "YourSubscription"