Information
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.
Encrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volumes) ensures that their entire content is unrecoverable without the key, which protects the volumes from unwarranted reads. Encryption with customer-managed keys (CMK) is superior to the platform-managed default, although it requires additional planning.
Using CMK/BYOK will entail additional management of keys.
NOTE: You must have your key vault set up to utilize this.
Solution
From Azure Console
Note: Disks must be detached from VMs to have their encryption changed.
1. Go to Virtual machines
2. For each virtual machine, go to Settings
3. Click on Disks
4. Click the X to detach the disk from the VM
5. Now search for Disks and locate the unattached disk
6. Click the disk, then select Encryption
7. Change your encryption type, then select your encryption set
8. Go back to the VM and re-attach the disk
From Azure PowerShell
# Resource group holding the key vault, and the key vault itself
$KVRGName = 'MyKeyVaultResourceGroup';
# Resource group holding the VM, and the VM to encrypt
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
# Look up the vault once; its URI and resource ID are both needed by the extension
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGName;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# Enable the Azure Disk Encryption extension on the VM, storing the disk encryption secrets in the vault
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
NOTE: During encryption it is likely that a reboot will be required, and the process may take up to 15 minutes to complete.
NOTE 2: This may differ for Linux machines, as you may need to set the -skipVmBackup parameter.
By default, Azure disks are encrypted using SSE with PMK.
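To verify the control across a subscription rather than one VM at a time, the following is an added audit script (not part of the benchmark text) that lists every managed OS or data disk whose encryption type is not CMK-based, and a helper that applies a disk encryption set to a detached disk. It assumes the Az.Compute module is installed, Connect-AzAccount has been run, and $DiskEncryptionSetId is a placeholder for your own disk encryption set resource ID.

```powershell
# Added example: audit managed disks for CMK encryption and remediate detached ones.
# Assumes Az.Compute and an authenticated Azure session.

function Get-NonCmkDisk {
    param(
        [string]$ResourceGroupName   # optional: limit the audit to one resource group
    )
    $disks = if ($ResourceGroupName) { Get-AzDisk -ResourceGroupName $ResourceGroupName } else { Get-AzDisk }
    foreach ($disk in $disks) {
        $encType = $disk.Encryption.Type
        # Both of these types involve a customer-managed key; anything else is platform-key only
        $usesCmk = $encType -in @('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys')
        if (-not $usesCmk) {
            [pscustomobject]@{
                DiskName       = $disk.Name
                ResourceGroup  = $disk.ResourceGroupName
                DiskKind       = if ($disk.OsType) { 'OS' } else { 'Data' }   # OsType is only set on OS disks
                EncryptionType = $encType
                AttachedTo     = $disk.ManagedBy                               # $null when the disk is detached
            }
        }
    }
}

function Set-DiskCmkEncryption {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$DiskName,
        [Parameter(Mandatory)][string]$DiskEncryptionSetId   # placeholder: resource ID of your disk encryption set
    )
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName
    # Encryption type cannot be changed while the disk is attached; refuse up front instead of failing mid-way
    if ($disk.ManagedBy) {
        throw "Disk '$DiskName' is attached to $($disk.ManagedBy); detach it before changing encryption."
    }
    $update = New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' -DiskEncryptionSetId $DiskEncryptionSetId
    Update-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName -DiskUpdate $update
}

# Usage: report every disk in the subscription that still relies on platform-managed keys only
Get-NonCmkDisk | Format-Table -AutoSize
```

Run the audit before and after remediation; a disk should disappear from the report once its EncryptionType shows a customer-managed key and it has been re-attached to its VM.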