7.2 Ensure that 'OS and Data' disks are encrypted with CMK


Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.


Encrypting an IaaS VM's OS disk (boot volume) and data disks (non-boot volumes) ensures that their entire contents are unrecoverable without the key, protecting the volumes from unwarranted reads. Encryption with a CMK is the stronger option, although it requires additional planning.


Using CMK/BYOK will entail additional management of keys.

NOTE: You must have your key vault set up to utilize this.


From Azure Console
Note: Disks must be detached from VMs to have encryption changed.

Go to Virtual machines

For each virtual machine, go to Settings

Click on Disks

Click the X to detach the disk from the VM

Now search for Disks and locate the unattached disk

Click the disk then select Encryption

Change your encryption type, then select your encryption set

Click Save

Go back to the VM and re-attach the disk

Using PowerShell

# Resource groups and names for the Key Vault and the VM to encrypt
$KVRGname = 'MyKeyVaultResourceGroup'
$VMRGName = 'MyVirtualMachineResourceGroup'
$vmName = 'MySecureVM'
$KeyVaultName = 'MySecureVault'

# Look up the vault once and reuse its URI and resource ID below
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# Enable the Azure Disk Encryption extension (BitLocker on Windows, dm-crypt on Linux)
# with the disk encryption key stored in the vault above. To wrap that key with your
# own key encryption key, also pass -KeyEncryptionKeyUrl and -KeyEncryptionKeyVaultId.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId

NOTE: During encryption a reboot will likely be required, and the process may take up to 15 minutes to complete.
NOTE 2: This may differ for Linux machines, where you may need to set the -SkipVmBackup parameter.
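As an added example, not part of this audit text, the following PowerShell audits every managed disk in the current subscription against this control (reporting disks whose encryption type is not a CMK type) and provides a helper that moves a detached disk onto a disk encryption set. It assumes the Az.Accounts and Az.Compute modules are installed, that Connect-AzAccount has been run, and that the disk encryption set ID and disk name are placeholders you replace with your own.

```powershell
# Added example (not from the original audit text): audit managed disks for SSE with CMK.
# Assumes Az.Accounts/Az.Compute are installed and Connect-AzAccount has been run.
# Placeholder: replace with the resource ID of your existing disk encryption set.
$DesResourceId = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG>/providers/Microsoft.Compute/diskEncryptionSets/<DES-NAME>'

# Encryption.Type values that satisfy "encrypted with CMK" for this control.
$CompliantTypes = @('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys')

function Get-NonCmkDisk {
    # Returns every managed disk whose at-rest encryption does not use a customer key.
    Get-AzDisk | Where-Object { $CompliantTypes -notcontains $_.Encryption.Type } |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                ResourceGroup  = $_.ResourceGroupName
                DiskRole       = if ($_.OsType) { 'OS' } else { 'Data' }   # OsType is null on data disks
                EncryptionType = $_.Encryption.Type
                DiskState      = $_.DiskState
                AttachedTo     = $_.ManagedBy                              # VM resource ID, or null if detached
            }
        }
}

function Set-DiskCmkEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DiskName,
        [Parameter(Mandatory)] [string] $DiskEncryptionSetId
    )
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName
    # As the remediation steps note, the encryption set can only be changed on a detached disk.
    if ($disk.ManagedBy) {
        throw "Disk '$DiskName' is still attached to $($disk.ManagedBy); detach it first."
    }
    $update = New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' -DiskEncryptionSetId $DiskEncryptionSetId
    Update-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName -DiskUpdate $update
}

# Report the findings. Remediate one detached disk explicitly, for example:
# Set-DiskCmkEncryption -ResourceGroupName 'MyVirtualMachineResourceGroup' -DiskName '<DISK-NAME>' -DiskEncryptionSetId $DesResourceId
Get-NonCmkDisk | Format-Table -AutoSize
```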

Default Value:

By default, Azure disks are encrypted using SSE with PMK.


Item Details


References: 800-53|IA-5(1), CSCv7|14.8

Plugin: microsoft_azure

Control ID: 5c6608e0a8ede6cc1b3c9ccdf3ec64fb83e31ec218265f2c4da1512d9dd452ef