Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted using Azure Disk Encryption (ADE) in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure VMs from inside the guest operating system, using the VM's CPU, via the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Encryption and decryption of the boot (OS) volume is handled transparently and requires no additional action from you, your Azure virtual machine, or your cloud application.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux and the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. When working with production data, it is recommended to enable Azure Disk Encryption in order to protect your VM's disks from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. By encrypting your Azure virtual machine boot volumes, you have the assurance that the entire VM's data is unrecoverable without the key, which protects it from unwarranted reads.
Audit
To determine if encryption at rest is enabled for your Azure VM boot volumes, perform the following actions:
Note: Azure Disk Encryption encrypts the disk volume itself, inside the guest operating system. This is distinct from Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption), which encrypts the data stored on the disk at the storage layer.
Remediation / Resolution
To enable encryption for your Microsoft Azure VM boot disk volumes, perform the following actions:
Note 1: Azure Disk Encryption is not currently supported on Basic and A-series VMs. Check the Azure documentation to determine if your virtual machines (VMs) meet the minimum memory requirements for disk encryption.
Note 2: Enabling encryption for Azure VM boot disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.
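The audit and remediation above both rely on the Azure CLI commands listed in the references. The following script is an added example, not part of this Conformity rule or of the Azure CLI itself: it assumes `az` is installed and logged in, that `az vm encryption show` returns JSON in one of the two shapes the function handles (the legacy `osDisk` summary or the newer per-disk `statuses` list, as observed in CLI output), and that the function names, the sample outputs and the key vault name are the author's own constructions.

```python
import json
import subprocess
import sys

# Status code the ADE extension reports for an encrypted volume (assumed from CLI output).
ENCRYPTED_CODE = "EncryptionState/encrypted"

def os_disk_encrypted(status, os_disk_name=None):
    """True only if the OS (boot) disk in `az vm encryption show` output is encrypted.

    Handles the legacy summary ({"osDisk": "Encrypted"|"NotEncrypted"}) and the newer
    per-disk form ({"disks": [{"name": ..., "statuses": [{"code": ...}]}]}). Without
    os_disk_name the first disk entry is assumed to be the OS disk.
    """
    if "osDisk" in status:
        return status["osDisk"] == "Encrypted"
    for disk in status.get("disks") or []:
        if os_disk_name is None or disk.get("name") == os_disk_name:
            return any(s.get("code") == ENCRYPTED_CODE for s in disk.get("statuses", []))
    return False  # no matching disk entry: fail closed and report as unencrypted

def enable_command(resource_group, vm_name, key_vault):
    """`az vm encryption enable` invocation that encrypts the OS volume only."""
    return ["az", "vm", "encryption", "enable", "-g", resource_group, "-n", vm_name,
            "--disk-encryption-keyvault", key_vault, "--volume-type", "OS"]

def audit_resource_group(resource_group):
    """Yield (vm_name, os_disk_encrypted) for every VM in the resource group."""
    vms = json.loads(subprocess.check_output(
        ["az", "vm", "list", "-g", resource_group, "-o", "json"]))
    for vm in vms:
        try:
            raw = subprocess.check_output(["az", "vm", "encryption", "show", "-g",
                                           resource_group, "-n", vm["name"], "-o", "json"])
            status = json.loads(raw or b"{}")
        except subprocess.CalledProcessError:
            status = {}  # no ADE extension on the VM: nothing is encrypted
        yield vm["name"], os_disk_encrypted(status, vm["storageProfile"]["osDisk"]["name"])

# Constructed sample outputs (not captured from a real subscription) used for self-test.
LEGACY_NOT_ENCRYPTED = {"osDisk": "NotEncrypted", "dataDisk": "NotEncrypted", "osType": "Linux"}
NEW_ENCRYPTED = {"disks": [{"name": "web01_OsDisk_1", "statuses": [{"code": ENCRYPTED_CODE}]}]}
NEW_DATA_ONLY = {"disks": [  # data disk encrypted, boot disk not: must still fail the rule
    {"name": "web01_OsDisk_1", "statuses": [{"code": "EncryptionState/notEncrypted"}]},
    {"name": "web01_data0", "statuses": [{"code": ENCRYPTED_CODE}]}]}

if __name__ == "__main__":  # usage: python ade_audit.py <resource-group> <key-vault-name>
    rg, kv = sys.argv[1], sys.argv[2]
    for name, ok in audit_resource_group(rg):
        print(name, "OK" if ok else "NOT ENCRYPTED; run: " + " ".join(enable_command(rg, name, kv)))
```

The check deliberately passes the OS disk name so that a VM whose data disks are encrypted but whose boot volume is not is still reported as non-compliant.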
References
- Azure Official Documentation
- Azure Disk Encryption for Linux VMs
- Azure Disk Encryption for Windows VMs
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- Virtual Machine series
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- Quickstart: Create and encrypt a Linux VM with the Azure CLI
- Quickstart: Create and encrypt a Windows VM with the Azure CLI
- az vm
- az vm list
- az vm encryption
- az vm encryption show
- az vm encryption enable
- az keyvault
- az keyvault create