
Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK

Description

Azure encrypts data disks by default with Server-Side Encryption (SSE) using platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or a Customer Managed Key [SSE with CMK], which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs. Encryption does not impact the performance of managed disks, and there is no additional cost for it.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Select the Management tab and verify that you have a Diagnostics Storage Account. If you have no storage accounts, select Create New, give your new account a name, then select OK.
  3. When the VM deployment is complete, select Go to resource.
  4. On the left-hand sidebar, select Disks. On the Disks screen, select Encryption.
  5. On the Create key vault screen, ensure that the Resource Group is the same as the one you used to create the VM.
  6. Name your key vault.
  7. On the Access Policies tab, check the Azure Disk Encryption for volume encryption.
  8. After the key vault has passed validation, select Create. Leave the Key field blank, then click Select.
  9. At the top of the Encryption screen, click Save. A popup will warn you that the VM will reboot. Click Yes.

CLI Command

Encrypt your VM with az vm encryption enable, providing your unique Key Vault name to the --disk-encryption-keyvault parameter.

```shell
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV

# You can verify that encryption is enabled on your VM with az vm show
az vm show --name MyVM -g MyResourceGroup

# You will see the following in the returned output:
#   "EncryptionOperation": "EnableEncryption"
```
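To audit disks at scale rather than one VM at a time, the following added example (not part of the original page or of any Azure tooling) classifies managed-disk records into the three modes the description names and reports the data disks still on platform-managed keys alone. It assumes the field layout of `az disk show -o json` / the Azure Disks REST API (`encryption.type`, `encryptionSettingsCollection.enabled`, `osType`), which the page itself does not show; the sample records are constructed.

```python
"""Classify Azure managed disks by encryption mode and flag SSE-with-PMK-only data disks."""
from __future__ import annotations
import json

# Values of encryption.type in the Azure Disks API (assumed field layout, see lead-in)
PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"
CUSTOMER_KEY = "EncryptionAtRestWithCustomerKey"
PLATFORM_AND_CUSTOMER = "EncryptionAtRestWithPlatformAndCustomerKeys"


def classify_disk(disk: dict) -> tuple[str, bool]:
    """Return (mode label, compliant) for one disk record.

    compliant is False only for plain SSE with platform-managed keys and no ADE,
    which is the condition this policy flags. Missing fields are treated as the
    Azure default (SSE with PMK, ADE off).
    """
    enc_type = (disk.get("encryption") or {}).get("type", PLATFORM_KEY)
    ade_enabled = bool((disk.get("encryptionSettingsCollection") or {}).get("enabled"))
    if enc_type in (CUSTOMER_KEY, PLATFORM_AND_CUSTOMER):
        return "SSE with CMK", True
    if ade_enabled:
        return "SSE with PMK+ADE", True
    return "SSE with PMK", False


def findings(disks: list[dict]) -> list[str]:
    """Names of data disks (osType is null for data disks) that are non-compliant."""
    return [d["name"] for d in disks if d.get("osType") is None and not classify_disk(d)[1]]


# Constructed sample records (not real output), trimmed to the fields the check reads
SAMPLE_DISKS = json.loads("""[
 {"name": "data-pmk", "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
  "encryptionSettingsCollection": null},
 {"name": "data-ade", "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
  "encryptionSettingsCollection": {"enabled": true, "encryptionSettings": []}},
 {"name": "data-cmk", "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
 {"name": "os-pmk", "osType": "Linux",
  "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]""")

if __name__ == "__main__":
    for name in findings(SAMPLE_DISKS):
        print(f"{name}: data disk uses SSE with PMK only; enable ADE or a CMK")
```

Feed it the list returned by `az disk list -o json` to run the same check against a real subscription.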

Fix - Buildtime

Terraform

  • Resource: azurerm_managed_disk
  • Argument: encryption_settings - Is Encryption enabled on this Managed Disk? Changing this forces a new resource to be created.
    Add the encryption_settings block as shown:

```terraform
# azurerm_managed_disk.example.tf
resource "azurerm_managed_disk" "example" {
  name                 = var.disk_name
  location             = var.location
  resource_group_name  = var.resource_group_name
  storage_account_type = var.storage_account_type
  create_option        = "Empty"
  disk_size_gb         = var.disk_size_gb
+ encryption_settings {
+   enabled = true
+ }
  tags = var.common_tags
}
```

## ARM Templates

- **Resource**: encryptionOperation
- **Argument**: EnableEncryption

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": {
        "description": "Name of the virtual machine"
      }
    },
    "volumeType": {
      "type": "string",
      "defaultValue": "Data",
      "allowedValues": [
        "Data"
      ],
      "metadata": {
        "description": "Decryption is supported only on data drives for Linux VMs."
      }
    },
    "sequenceVersion": {
      "type": "string",
      "defaultValue": "1.0",
      "metadata": {
        "description": "Pass in an unique value like a GUID everytime the operation needs to be force run"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "extensionName": "AzureDiskEncryptionForLinux",
    "extensionVersion": "0.1",
+   "encryptionOperation": "EnableEncryption",

  ...
```