Control: 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

Description

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. By encrypting it ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning. You must have your key vault setup to encrypt.

Remediation

From Console

Disks must be detached from VMs to have encryption changed.

1. Go to Virtual machines.
2. For each virtual machine, go to Settings.
3. Click on Disks.
4. Click the X to detach the disk from the VM.
5. Now search for Disks and locate the unattached disk.
6. Click the disk then select Encryption
7. Change your encryption type, then select your encryption set
8. Click Save.
9. Go back to the VM and re-attach the disk.

From PowerShell

$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName
$KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId;
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl - DiskEncryptionKeyVaultId $KeyVaultResourceId;

Note

• During encryption it is likely that a reboot will be required, it may take up to 15 minutes to complete the process.
• This may differ for Linux Machines as you may need to set the -skipVmBackup parameter.
• By default, Azure disks are encrypted using SSE with PMK.