Virtual Machine legacy virtual hard disks should be encrypted
Legacy virtual hard disks (VHDs) are stored in Azure blob storage, which is encrypted by default. Encryption should be enabled for virtual machines running VHDs in order to protect the data from unwarranted reads.
If you have a VM with both OS and data disks but you specify one or the other and not “OS and data disks,” the rule still passes validation even though one of those types of disks isn’t encrypted. Make sure when you enable encryption on VMs for VHDs you select “OS and data disks.”
1. Navigate to Key Vaults.
2. Select the key vault containing the key you want to encrypt the VM with, and in the left navigation, select Access policies.
3. Under Enable Access to, check the box next to the following settings to enable them:
   - Azure Virtual Machines for deployment
   - Azure Resource Manager for template deployment
   - Azure Disk Encryption for volume encryption
4. Navigate to Virtual Machines.
5. Select the VM and in the left navigation, select Disks.
6. If your Disks page has an Additional Settings option instead of Encryption, your VM is not running a VHD and this rule does not apply.
7. Under Disks to encrypt, select OS and data disks.
8. Under Encryption settings, click Select a key vault and key for encryption.
9. Select the key vault, key, and version from the drop-down menus and click Select.
10. Click Save. This will cause your VM to reboot.
To ensure the key vault that will be used to encrypt the VM has the
```shell
az keyvault update --enabled-for-deployment true --enabled-for-disk-encryption true --enabled-for-template-deployment true --name MyKeyVault --resource-group MyResourceGroup
```
To encrypt the VM:
```shell
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault MyKeyVault
```
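The steps above (enable the three key vault access settings, then encrypt both OS and data disks) can be checked from the JSON that the Azure CLI prints, so that a VM where only one disk type was encrypted is not mistaken for a compliant one. The script below is an added example, not code from this page or from Azure or Datadog. It reads `az keyvault show -o json` and `az vm encryption show -o json` output from constructed samples: the `properties.enabledFor*` field names are the Key Vault ARM property names that the `--enabled-for-*` flags set, while the `osDisk`/`dataDisk` status strings in the VM encryption output are an assumption about that command's output shape. The remediation command it builds passes `--volume-type ALL`, the CLI equivalent of selecting "OS and data disks" in the portal.

```python
"""Pre-flight and post-check for Azure Disk Encryption on a legacy-VHD VM.

Added example (not from the page, Azure or Datadog). Consumes `-o json`
output of `az keyvault show` and `az vm encryption show` and reports what
still blocks full OS+data encryption. Field names under "properties" are the
Key Vault ARM model; the osDisk/dataDisk status strings are an ASSUMED shape
of the VM encryption status output, and both samples are constructed.
"""
import json
import shlex

# Constructed sample: `az keyvault show --name MyKeyVault -o json`, trimmed to
# the three access settings that Azure Disk Encryption needs.
KEYVAULT_JSON = """{
  "name": "MyKeyVault",
  "properties": {
    "enabledForDeployment": true,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": true
  }
}"""

# Constructed sample (assumed shape): `az vm encryption show -g MyResourceGroup
# --name MyVM -o json` for a VHD-backed VM where only the OS volume was done.
VM_STATUS_JSON = """{
  "osDisk": "Encrypted",
  "dataDisk": "NotEncrypted",
  "osType": "Linux",
  "osDiskEncryptionSettings": {"enabled": true}
}"""

REQUIRED_KV_FLAGS = (
    "enabledForDeployment",          # Azure Virtual Machines for deployment
    "enabledForDiskEncryption",      # Azure Disk Encryption for volume encryption
    "enabledForTemplateDeployment",  # Azure Resource Manager for template deployment
)


def keyvault_findings(kv: dict) -> list[str]:
    """Return the key vault access settings that are not enabled (empty = ready)."""
    props = kv.get("properties", {})
    return [flag for flag in REQUIRED_KV_FLAGS if props.get(flag) is not True]


def vhd_encryption_findings(status: dict) -> list[str]:
    """Return disk kinds whose reported state is anything other than Encrypted.

    Both osDisk and dataDisk are checked on purpose: encrypting only one of
    them satisfies a single-disk-type check while the other stays in clear.
    """
    findings = []
    for disk_kind in ("osDisk", "dataDisk"):
        state = status.get(disk_kind, "Unknown")
        if state != "Encrypted":
            findings.append(f"{disk_kind}={state}")
    return findings


def remediation_commands(resource_group: str, vault: str, vm: str) -> list[str]:
    """Build the two az commands from the page, forcing ALL volumes on the VM."""
    q = shlex.quote
    return [
        "az keyvault update --enabled-for-deployment true "
        "--enabled-for-disk-encryption true --enabled-for-template-deployment true "
        f"--name {q(vault)} --resource-group {q(resource_group)}",
        f"az vm encryption enable -g {q(resource_group)} --name {q(vm)} "
        f"--disk-encryption-keyvault {q(vault)} --volume-type ALL",
    ]


def assess(kv_json: str, vm_status_json: str) -> dict:
    """Combine both checks into one verdict for the VM/vault pair."""
    kv_missing = keyvault_findings(json.loads(kv_json))
    unencrypted = vhd_encryption_findings(json.loads(vm_status_json))
    return {
        "keyvault_missing": kv_missing,
        "unencrypted": unencrypted,
        "compliant": not kv_missing and not unencrypted,
    }


if __name__ == "__main__":
    result = assess(KEYVAULT_JSON, VM_STATUS_JSON)
    print(json.dumps(result, indent=2))
    if not result["compliant"]:
        for cmd in remediation_commands("MyResourceGroup", "MyKeyVault", "MyVM"):
            print(cmd)
```

On the constructed samples the script reports `enabledForDiskEncryption` missing on the vault and `dataDisk=NotEncrypted` on the VM, and prints the two remediation commands. The `--volume-type ALL` argument is the check worth keeping: without it, a VM can be reported as encrypted while one of its disk types is not, which is exactly the validation gap described above.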