01 Sign in to your Cloud Conformity console, access Enable Encryption for App-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault that will hold the required disk volume encryption key. Make sure that you set the --enabled-for-disk-encryption parameter to true so that the vault can be used for VM disk encryption. Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value>, and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier Azure resources, copied at step no. 1.
az keyvault create \
  --name cc-application-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-soft-delete true \
  --enable-purge-protection true \
  --enabled-for-disk-encryption true \
  --tags app_tier_tag=app_tier_tag_value
03 The command output should return the configuration metadata for the newly created Azure Key Vault:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {
    "app_tier_tag": "app_tier_tag_value"
  },
  "type": "Microsoft.KeyVault/vaults"
}
04 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the app-tier virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) and the name of the new key vault as identifier parameters to enable encryption at rest for the app-tier disk volumes attached to the selected virtual machine:
az vm encryption enable \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server" \
  --disk-encryption-keyvault cc-application-key-vault \
  --volume-type ALL
05 The command output should return a confirmation message, such as:
The encryption request was accepted. Please use 'show' command to monitor the progress.
06 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured app-tier virtual machine (VM) as identifier parameter to confirm the encryption status, by listing the encryption configuration of the app-tier disk volumes encrypted in the previous steps:
az vm encryption show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server" \
  --query 'disks'
07 The command output should return the disk volumes encryption configuration information:
[
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-application-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-app-public-server_OsDisk",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  },
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-application-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-app-public-server_DataDisk1",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  }
]
08 Repeat steps no. 4 – 7 for each Azure app-tier virtual machine provisioned in the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.
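The remediation above is verified by reading two CLI outputs by hand: the key vault metadata from step 3 and the per-disk encryption status from step 7. The following script is an added example, not part of the Cloud Conformity page or of the Azure CLI, that automates both checks so the loop in steps 8 and 9 can be run across many VMs without eyeballing JSON. It assumes you pipe the output of az keyvault show or az vm encryption show --query disks into it; the embedded sample data is constructed and abbreviated (placeholder URLs and IDs), and the hypothetical status code EncryptionState/notEncrypted in the sample illustrates a disk on which encryption has not completed. A disk counts as compliant only when an encryption setting is enabled with a key vault secret URL and the status block reports EncryptionState/encrypted, which is what step 7's output shows for both disks.

```python
import json
import sys

# Constructed sample modelled on the key vault output in step 3, cut down to the
# fields the readiness check needs. IDs and names are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "name": "cc-application-key-vault",
  "properties": {
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDiskEncryption": true
  },
  "tags": {"app_tier_tag": "app_tier_tag_value"}
}
""")

# Constructed sample modelled on `az vm encryption show --query disks`: the OS
# disk is encrypted, the second data disk has no settings and reports a
# not-encrypted state (hypothetical value used to show the failure case).
SAMPLE_DISKS = json.loads("""
[
  {
    "name": "cc-app-public-server_OsDisk",
    "encryptionSettings": [
      {"diskEncryptionKey": {"secretUrl": "https://placeholder.vault.azure.net/secrets/x/y"},
       "enabled": true, "keyEncryptionKey": null}
    ],
    "statuses": [{"code": "EncryptionState/encrypted", "displayStatus": "Encryption is enabled on disk"}]
  },
  {
    "name": "cc-app-public-server_DataDisk2",
    "encryptionSettings": null,
    "statuses": [{"code": "EncryptionState/notEncrypted", "displayStatus": "Encryption is not enabled"}]
  }
]
""")


def vault_problems(vault, tag_name, tag_value):
    """Return the reasons a key vault is not ready for disk encryption (empty list if ready).

    Mirrors the settings used in step 2: disk-encryption support, soft delete,
    purge protection (so the key behind the disks cannot be destroyed by mistake)
    and the app-tier tag set.
    """
    props = vault.get("properties") or {}
    tags = vault.get("tags") or {}
    problems = []
    if props.get("enabledForDiskEncryption") is not True:
        problems.append("enabledForDiskEncryption is not true")
    if props.get("enableSoftDelete") is not True:
        problems.append("soft delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        problems.append("purge protection is not enabled")
    if tags.get(tag_name) != tag_value:
        problems.append(f"tag {tag_name}={tag_value} is missing or has a different value")
    return problems


def unencrypted_disks(disks):
    """Return the names of disks that are not fully encrypted.

    A disk passes only if (a) some encryptionSettings entry is enabled and carries a
    diskEncryptionKey.secretUrl and (b) a status entry reports EncryptionState/encrypted.
    Either condition alone (request accepted but not applied, or stale settings) fails.
    """
    offending = []
    for disk in disks:
        settings = disk.get("encryptionSettings") or []
        has_key = any(
            s.get("enabled") is True and bool((s.get("diskEncryptionKey") or {}).get("secretUrl"))
            for s in settings
        )
        reported_encrypted = any(
            st.get("code") == "EncryptionState/encrypted" for st in (disk.get("statuses") or [])
        )
        if not (has_key and reported_encrypted):
            offending.append(disk.get("name", "<unnamed disk>"))
    return offending


def main():
    # Usage: az vm encryption show --ids <vm-id> --query disks | python3 check_ade.py
    # With no piped input the constructed sample is checked instead.
    disks = SAMPLE_DISKS if sys.stdin.isatty() else json.load(sys.stdin)
    bad = unencrypted_disks(disks)
    for name in bad:
        print(f"NOT ENCRYPTED: {name}")
    print("vault problems (sample):", vault_problems(SAMPLE_VAULT, "app_tier_tag", "app_tier_tag_value"))
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

The exit status makes the check usable as a gate in the loop over VMs (steps 8 and 9): a non-zero exit after step 6 means the encryption request from step 4 has not finished or failed for at least one disk, and the VM should be revisited rather than marked compliant.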