Virtual Machine legacy virtual hard disks should be encrypted

Description

Legacy virtual hard disks (VHDs) are stored in Azure blob storage, which is encrypted at rest by default. Disk encryption should additionally be enabled on virtual machines running VHDs so that the disk contents are protected from unauthorized reads.

Remediation Steps

Note

If a VM has both OS and data disks but you select only one of them instead of “OS and data disks,” the rule still passes validation even though the other disk type is left unencrypted. When you enable encryption on a VM running VHDs, make sure you select “OS and data disks.”

Azure Portal

  • Navigate to Key Vaults.

  • Select the key vault containing the key you want to encrypt the VM with, and in the left navigation, select Access policies.

  • Under Enable Access to, check the box next to the following settings to enable them:

    • Azure Virtual Machines for deployment

    • Azure Resource Manager for template deployment

    • Azure Disk Encryption for volume encryption

  • Click Save.

  • Navigate to Virtual Machines.

  • Select the VM and in the left navigation, select Disks.

  • Select Encryption.

    • If your Disks page has an Additional Settings option instead of Encryption, your VM is not running a VHD and this rule does not apply.

  • Under Disks to encrypt, select OS and data disks.

  • Under Encryption settings, click Select a key vault and key for encryption.

  • Select the key vault, key, and version from the drop-down menus and click Select.

  • Click Save. This will cause your VM to reboot.

Azure CLI

  • To ensure the key vault that will be used to encrypt the VM has the --enabled-for-deployment, --enabled-for-disk-encryption, and --enabled-for-template-deployment properties enabled:

    • az keyvault update --enabled-for-deployment true --enabled-for-disk-encryption true --enabled-for-template-deployment true --name MyKeyVault --resource-group MyResourceGroup

  • To encrypt the VM:

    • az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault MyKeyVault
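The following script is an added example, not part of this rule page or of the Azure CLI itself. It wraps the two CLI steps above in a check-then-enable flow and encodes the pitfall from the note: a key vault is accepted only if all three access flags are true, and a VM counts as compliant only if both the OS and data disks report as encrypted. It assumes the `az` CLI is installed and logged in, that `az keyvault show` returns the flags under `properties`, and that `az vm encryption show` for unmanaged (VHD) disks returns `osDisk` and `dataDisk` status strings such as `Encrypted` and `NotMounted` (the latter assumed to mean no data disk is attached). The sample JSON constants are constructed for offline testing, and `--volume-type ALL` is the CLI equivalent of selecting “OS and data disks” in the portal.

```python
"""Check and enable Azure Disk Encryption for a VM running legacy VHDs.

Added example: the decision logic is pure Python over the JSON that the
`az` CLI prints, so it can be unit-tested without Azure access.
"""
import json
import subprocess
import sys

# The three key vault access flags the remediation steps require.
REQUIRED_VAULT_FLAGS = (
    "enabledForDeployment",
    "enabledForDiskEncryption",
    "enabledForTemplateDeployment",
)

# Constructed sample output of `az keyvault show` (assumed schema: flags under "properties").
SAMPLE_VAULT_OK = json.dumps({"name": "MyKeyVault", "properties": {
    "enabledForDeployment": True,
    "enabledForDiskEncryption": True,
    "enabledForTemplateDeployment": True}})
SAMPLE_VAULT_MISSING = json.dumps({"name": "MyKeyVault", "properties": {
    "enabledForDeployment": True,
    "enabledForDiskEncryption": None,   # never set: reported as null, not false
    "enabledForTemplateDeployment": True}})

# Constructed sample output of `az vm encryption show` for an unmanaged-disk VM
# (assumed schema: top-level "osDisk" / "dataDisk" status strings).
SAMPLE_STATUS_OK = json.dumps({"osType": "Linux", "osDisk": "Encrypted", "dataDisk": "Encrypted"})
SAMPLE_STATUS_OS_ONLY = json.dumps({"osType": "Linux", "osDisk": "Encrypted", "dataDisk": "NotEncrypted"})


def missing_vault_flags(keyvault_json: str) -> list:
    """Return the required flags that are not exactly True (null counts as missing)."""
    props = json.loads(keyvault_json).get("properties") or {}
    return [flag for flag in REQUIRED_VAULT_FLAGS if props.get(flag) is not True]


def vm_fully_encrypted(status_json: str) -> bool:
    """True only when the OS disk and the data disks are both encrypted.

    Mirrors the note on this page: encrypting just one disk type is not enough.
    "NotMounted" on the data disk is assumed to mean the VM has no data disk.
    """
    status = json.loads(status_json)
    os_ok = status.get("osDisk") == "Encrypted"
    data_ok = status.get("dataDisk") in ("Encrypted", "NotMounted")
    return os_ok and data_ok


def run_az(*args: str) -> str:
    """Run an `az` command and return its JSON output as text."""
    result = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return result.stdout


def remediate(resource_group: str, vm_name: str, vault_name: str) -> None:
    """Apply the CLI remediation steps from the page, with the checks in between."""
    vault = run_az("keyvault", "show", "--name", vault_name, "--resource-group", resource_group)
    if missing_vault_flags(vault):
        # Same command as the page's first step; enables all three flags at once.
        subprocess.run(["az", "keyvault", "update",
                        "--enabled-for-deployment", "true",
                        "--enabled-for-disk-encryption", "true",
                        "--enabled-for-template-deployment", "true",
                        "--name", vault_name, "--resource-group", resource_group], check=True)
    status = run_az("vm", "encryption", "show", "--name", vm_name, "--resource-group", resource_group)
    if vm_fully_encrypted(status):
        print(f"{vm_name}: OS and data disks already encrypted")
        return
    # --volume-type ALL is the CLI counterpart of "OS and data disks" in the portal.
    subprocess.run(["az", "vm", "encryption", "enable",
                    "-g", resource_group, "--name", vm_name,
                    "--disk-encryption-keyvault", vault_name,
                    "--volume-type", "ALL"], check=True)
    print(f"{vm_name}: encryption enabled for OS and data disks (VM will reboot)")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: remediate.py <resource-group> <vm-name> <key-vault-name>")
    remediate(*sys.argv[1:])
```

Run it as `python remediate.py MyResourceGroup MyVM MyKeyVault`. The two pure functions are the part worth keeping in a posture check: a vault flag that was never set comes back as null rather than false, which is why the test is `is not True`, and an audit that only looks at `osDisk` would report the partially encrypted VM from the note as compliant.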