Information
Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.
Rationale:
Encrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volumes) ensures that the entire content is unrecoverable without the key, and thus protects the volumes from unwarranted reads. CMK provides stronger control over the encryption, although it requires additional planning.
Impact:
Using CMK/BYOK will entail additional management of keys.
NOTE: You must have your key vault set up to utilize this.
Solution
From Azure Console
Note: Disks must be detached from VMs to have encryption changed.
Go to Virtual machines
For each virtual machine, go to Settings
Click on Disks
Click the X to detach the disk from the VM
Now search for Disks and locate the unattached disk
Click the disk then select Encryption
Change your encryption type, then select your encryption set
Click Save
Go back to the VM and re-attach the disk
Using PowerShell
# Resource groups and names of the Key Vault and of the VM to encrypt.
$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
# Look up the Key Vault that will hold the disk encryption key.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# Enable disk encryption on the VM, with the key stored in the vault above.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
NOTE: During encryption a reboot will likely be required; the process may take up to 15 minutes to complete.
NOTE 2: This may differ for Linux machines, as you may need to set the -skipVmBackup parameter.
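To audit the result across a subscription rather than one VM at a time, the following is an added example (not part of the original audit text): it evaluates managed-disk records in the JSON shape returned by `az disk list -o json` and flags every OS or data disk whose encryption type is not one of the two customer-managed-key values, noting whether the disk is currently detached and can therefore be changed right away. It assumes the records carry the standard encryption.type, osType and diskState properties of the Azure managed-disk resource; the sample records are constructed.

```python
import json
# Values of the "encryption.type" property on an Azure managed disk. Only the
# two customer-managed-key variants satisfy this control.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

def audit_disks(disks):
    """Return one finding per disk not encrypted with a customer-managed key.
    `disks`: managed-disk records as returned by `az disk list -o json`
    (assumption: only the fields read below are needed). Azure Disk Encryption
    (the VM extension) is reported under encryptionSettingsCollection instead
    and is not evaluated here.
    """
    findings = []
    for disk in disks:
        # A record with no "encryption" block is platform-key encrypted.
        enc_type = (disk.get("encryption") or {}).get(
            "type", "EncryptionAtRestWithPlatformKey")
        if enc_type in CMK_TYPES:
            continue
        findings.append({
            "name": disk["name"],
            # OS disks carry an osType (Windows/Linux); data disks do not.
            "role": "OS disk" if disk.get("osType") else "data disk",
            "encryption": enc_type,
            "state": disk.get("diskState", "unknown"),
            # The encryption set can only be changed on a detached disk.
            "remediable_now": disk.get("diskState") == "Unattached",
        })
    return findings

def audit_json(text):
    """Audit disks from the raw JSON text of `az disk list -o json`."""
    return audit_disks(json.loads(text))

# Constructed sample records (not real resources), trimmed to relevant fields.
SAMPLE_DISKS_JSON = """[
 {"name": "vm1-osdisk", "osType": "Windows", "diskState": "Attached",
  "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
 {"name": "vm1-data-cmk", "diskState": "Attached",
  "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
 {"name": "old-data-pmk", "diskState": "Unattached",
  "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]"""
if __name__ == "__main__":
    for f in audit_json(SAMPLE_DISKS_JSON):
        print(f"{f['name']}: {f['role']} {f['encryption']} ({f['state']}), remediable_now={f['remediable_now']}")
```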
Default Value:
By default, Azure disks are encrypted using SSE with PMK.