Ensure that your Microsoft Azure virtual machine (VM) data volumes (i.e. non-boot volumes) are encrypted using Azure Disk Encryption (ADE) in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure VMs from inside the guest, using the VM's own CPU, via the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Encryption and decryption of the VM data volumes is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux and the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. When your cloud applications work with sensitive data such as PII (Personally Identifiable Information), it is strongly recommended to enable encryption to protect this data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. By encrypting your Azure virtual machine non-boot volumes, you have the guarantee that the data on those volumes is unrecoverable without the protected key, which protects it from unauthorized reads.
Audit
To determine if encryption at rest is enabled for all your Azure VM data volumes, perform the following actions:
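As an added example (not part of the Conformity rule page or of Azure's own tooling), the following Python helper evaluates the JSON that the Azure CLI emits for one VM and lists the data (non-boot) disks that ADE has not reported as encrypted. It assumes the output of `az vm show` (for `storageProfile.dataDisks[].name`) and `az vm encryption show` (for `disks[].statuses[].code`), both saved with `--output json`; the status field names and the `EncryptionState/encrypted` code are assumptions about the CLI schema and should be adjusted if your CLI version reports a different shape.

```python
"""Audit helper: flag Azure VM data (non-boot) disks that ADE has not encrypted.

Added example, not part of the Conformity rule page. Inputs are assumed to be
the JSON from two Azure CLI commands run with --output json:
  * `az vm show -g <rg> -n <vm>`            -> storageProfile.dataDisks[].name
  * `az vm encryption show -g <rg> -n <vm>` -> disks[].statuses[].code
The encryption-status shape (disks[].statuses[].code, with a code such as
"EncryptionState/encrypted") is an assumption; adapt the field names if your
CLI version reports a different schema.
"""
import json

ENCRYPTED_CODE = "EncryptionState/encrypted"  # assumed ADE status code


def unencrypted_data_disks(vm_show: dict, enc_show: dict) -> list:
    """Return the names of data disks whose ADE status is not 'encrypted'.

    The OS disk is deliberately excluded: this rule covers non-boot volumes.
    A data disk that is absent from the encryption report is treated as
    unencrypted (fail closed), because ADE has no status for it.
    """
    data_disk_names = [d["name"] for d in vm_show["storageProfile"].get("dataDisks", [])]
    encrypted_by_disk = {}
    for disk in enc_show.get("disks", []):
        codes = {s.get("code") for s in disk.get("statuses", [])}
        encrypted_by_disk[disk["name"]] = ENCRYPTED_CODE in codes
    return [n for n in data_disk_names if not encrypted_by_disk.get(n, False)]


# Constructed sample CLI output (not captured from a real subscription).
SAMPLE_VM_SHOW = json.loads("""{
  "storageProfile": {
    "osDisk": {"name": "vm1_OsDisk"},
    "dataDisks": [{"lun": 0, "name": "vm1_data0"}, {"lun": 1, "name": "vm1_data1"}]
  }
}""")

SAMPLE_ENC_SHOW = json.loads("""{
  "disks": [
    {"name": "vm1_OsDisk", "statuses": [{"code": "EncryptionState/encrypted"}]},
    {"name": "vm1_data0", "statuses": [{"code": "EncryptionState/encrypted"}]},
    {"name": "vm1_data1", "statuses": [{"code": "EncryptionState/notEncrypted"}]}
  ]
}""")

if __name__ == "__main__":
    # A non-empty list means the VM fails this rule for the named volumes.
    print("non-compliant data disks:", unencrypted_data_disks(SAMPLE_VM_SHOW, SAMPLE_ENC_SHOW))  # ['vm1_data1']
```

Run it once per VM returned by `az vm list`, feeding it the two JSON documents for that VM; any name it returns is a data volume to remediate with `az vm encryption enable`.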
Remediation / Resolution
To enable encryption for your Microsoft Azure VM data disk volumes, perform the following actions:
Note 1: Azure Disk Encryption is not currently supported on Basic, A-series VMs. Check the Azure documentation to confirm that your virtual machines (VMs) meet the minimum memory requirements for disk encryption.
Note 2: Enabling encryption for Azure VM non-boot (data) volumes through the Microsoft Azure Management Console (Azure Portal) is not currently supported; use the Azure CLI instead.
References
- Azure Official Documentation
- Azure Disk Encryption for Linux VMs
- Azure Disk Encryption for Windows VMs
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- Virtual Machine series
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- Quickstart: Create and encrypt a Linux VM with the Azure CLI
- Quickstart: Create and encrypt a Windows VM with the Azure CLI
- az vm
- az vm list
- az vm encryption
- az vm encryption show
- az vm encryption enable
- az keyvault
- az keyvault create