Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys¶
Description¶
Virtual Machine managed disks that are not attached to any VM may still contain sensitive data, and they should be encrypted with customer-managed keys (CMK) so that the organization, not the platform, controls the key. With CMK, users can rotate keys on their own schedule to meet compliance and security requirements, revoke a disk's access to the key (for example by disabling the key in Key Vault) so that any VM using that disk can no longer read it, and audit key usage through Key Vault monitoring. A disk encrypted with a platform-managed key offers none of these controls.
Remediation Steps¶
Azure Portal¶
Navigate to Disks.
From the Add filter drop-down, select Disk State.
From the Value drop-down, select Unattached and click Apply.
Select the unattached disk.
In the left navigation under Settings select Encryption.
From the Encryption type drop-down, select Encryption at-rest with a customer-managed key.
From the Disk encryption set drop-down, select an existing disk encryption set. The disk encryption set must already exist and must be in the same region as the disk; if none is listed, create one first and grant its managed identity access to the key in Key Vault.
Click Save.
Azure CLI¶
To encrypt Virtual Machine unattached managed disks with Customer Managed Keys:
Get the list of unattached Virtual Machine managed disks (the --query filter restricts the output to disks whose state is Unattached and shows the current encryption type, so disks already using a customer-managed key can be skipped):
az disk list --subscription "YourSubscription" --query "[?diskState=='Unattached'].{name:name, resourceGroup:resourceGroup, encryptionType:encryption.type, location:location}" --output table
Encrypt each unattached Virtual Machine managed disk with the disk encryption set. The disk must be identified by name and resource group; the disk encryption set must be in the same region as the disk, and if it lives in a different resource group than the disk, pass its full resource ID instead of its name:
az disk update --name "DiskName" --resource-group "ResourceGroupName" --disk-encryption-set "NameofDiskEncryption" --encryption-type "EncryptionAtRestWithCustomerKey" --subscription "YourSubscription"
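The two CLI commands above remediate one disk at a time. The script below is an added example, not part of the original benchmark text or of any Azure tooling; it turns the procedure into an audit-and-remediate loop: list every managed disk in the subscription, select the ones that are Unattached and still encrypted with a platform-managed key (both "EncryptionAtRestWithCustomerKey" and the double-encryption type "EncryptionAtRestWithPlatformAndCustomerKeys" count as compliant), and apply a disk encryption set to each, skipping disks in a different region than the disk encryption set because Azure does not allow that pairing. The subscription name, the disk encryption set name "NameofDiskEncryption", its resource group "rg-security", and the sample disk rows are all assumptions; the sample rows are constructed so the selection logic can be run offline, and a live run happens only when REMEDIATE=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the benchmark page or Azure docs): audit the managed disks
# in a subscription, pick out unattached disks that are still encrypted with a
# platform-managed key, and attach a disk encryption set (DES) to each of them.
# Hypothetical values: subscription "YourSubscription", DES "NameofDiskEncryption"
# in resource group "rg-security". Override them via the environment.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-YourSubscription}"
DES_NAME="${DES_NAME:-NameofDiskEncryption}"
DES_RG="${DES_RG:-rg-security}"

# Field order produced by the az query below (tab-separated):
#   name  resourceGroup  diskState  encryption.type  location
AZ_QUERY="[].[name,resourceGroup,diskState,encryption.type,location]"

# Keep only disks that are Unattached and not already using a customer-managed key.
# CMK-only and CMK-plus-platform (double) encryption are both treated as compliant.
# Output per non-compliant disk: name<TAB>resourceGroup<TAB>location
select_noncompliant() {
  awk -F '\t' '
    $3 == "Unattached" &&
    $4 != "EncryptionAtRestWithCustomerKey" &&
    $4 != "EncryptionAtRestWithPlatformAndCustomerKeys" { print $1 "\t" $2 "\t" $5 }'
}

# Constructed sample of `az disk list` TSV output (not real disks), so the
# selection logic can be exercised without an Azure login.
SAMPLE_DISKS=$(printf '%b\n' \
  'data-disk-01\trg-app\tUnattached\tEncryptionAtRestWithPlatformKey\teastus' \
  'os-disk-vm1\trg-app\tAttached\tEncryptionAtRestWithPlatformKey\teastus' \
  'data-disk-02\trg-db\tUnattached\tEncryptionAtRestWithCustomerKey\teastus' \
  'data-disk-03\trg-db\tUnattached\tEncryptionAtRestWithPlatformAndCustomerKeys\teastus' \
  'scratch-disk\trg-lab\tUnattached\tEncryptionAtRestWithPlatformKey\twestus')

# Apply the DES to every non-compliant disk read from stdin. A DES can only be used
# by disks in its own region, so disks elsewhere are reported and skipped instead of
# producing a failed update half-way through the loop.
remediate() {
  des_id="$1"; des_location="$2"
  while IFS="$(printf '\t')" read -r name rg location; do
    if [ "$location" != "$des_location" ]; then
      echo "SKIP    $name ($rg): disk in $location, DES in $des_location" >&2
      continue
    fi
    # </dev/null keeps az from consuming the remaining lines of the disk list.
    az disk update --subscription "$SUBSCRIPTION" --name "$name" --resource-group "$rg" \
      --disk-encryption-set "$des_id" \
      --encryption-type EncryptionAtRestWithCustomerKey --output none </dev/null
    echo "UPDATED $name ($rg)"
  done
}

if [ "${REMEDIATE:-0}" = "1" ]; then
  # Live run: needs `az login` and rights to update disks. The DES is passed by full
  # resource ID so it resolves even when it is in a different resource group.
  DES_ID=$(az disk-encryption-set show --subscription "$SUBSCRIPTION" \
            --name "$DES_NAME" --resource-group "$DES_RG" --query id -o tsv)
  DES_LOCATION=$(az disk-encryption-set show --subscription "$SUBSCRIPTION" \
            --name "$DES_NAME" --resource-group "$DES_RG" --query location -o tsv)
  az disk list --subscription "$SUBSCRIPTION" --query "$AZ_QUERY" -o tsv \
    | select_noncompliant | remediate "$DES_ID" "$DES_LOCATION"
else
  echo "Dry run on the constructed sample; unattached disks without a customer-managed key:"
  printf '%s\n' "$SAMPLE_DISKS" | select_noncompliant
fi
```

Run it without arguments to see which of the sample disks would be changed (data-disk-01 and scratch-disk; the attached disk and the two that already use a customer-managed key are left alone), then with REMEDIATE=1 against a real subscription. In a live run scratch-disk in westus would be skipped with a message on stderr if the disk encryption set is in eastus, which is exactly the case where a blind az disk update would fail.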