Microsoft AzureOverview
NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.
VHD (Virtual Hard Disks) are stored in BLOB storage. They are the old-style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By default, storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK, and this should be turned on for storage accounts containing VHDs.
Rationale
With the changes that have been made that recommend using managed disks that are encrypted by default, we also need to have a recommendation that "legacy" disks that may, for several reasons, need to be left as VHDs should also be encrypted to protect the data content.
Impact
The size of the impact will depend on how the encryption is implemented; if provider-managed keys(PMK) are utilized, the impact is relatively low, but processes need to be put in place to rotate the keys regularly. If customer-managed keys(CMK) are utilized, a key management process needs to be implemented to store and manage key rotation, and thus, the impact is medium to high, depending on user maturity with key management.
Remediation guidance
From Azure Portal
- Navigate to the
storage accountthat you wish to encrypt - Select the
encryptionoption - Select the
key typethat you wish to use
If you wish to use an azure managed key (the default), you can save at this point and encryption will be applied to the account.
If you select customer managed key it will ask for the location of the key (The default is an Azure Keyvault) and the key name.
Once these arecaptured, save the configuration and the account will be encrypted using the provided key.
Using Azure Command Line Interface
Create the Keyvault
az keyvault create --name "myKV" --resource-group "myResourceGroup" --location eastus --enabled-for-disk-encryption
Encrypt the disk and store the key in keyvault
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV
Using Azure Powershell
This process uses a keyvault to store the keys
Create the Keyvault
New-AzKeyvault -name MyKV -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption
Encrypt the disk and store the key in keyvault
$KeyVault = Get-AzKeyVault -VaultName MyKV -ResourceGroupName MyResourceGroupSet-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName MyVM -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId
Default Value
The default value for encryption is "NO Encryption"
References
- CLI: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-cli-quickstart
- Powershell: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart
- https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure unmanaged disks
Connectors
Covered asset types
Expected check: eq []
{
disks(where: { diskAttachments: { NOT: { vhdURI: "" } } }) {
...AssetFragment
}
}
