More Info:

Ensure that your Microsoft Azure virtual machine (VM) data volumes (i.e. non-boot volumes) are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The VM data volume encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NISTCSF, PCIDSS, HIPAA, HITRUST, GDPR

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the Azure Disk Encryption misconfiguration for non-boot disk using the Azure console:
  1. Open the Azure portal and navigate to the virtual machine that you want to remediate.
  2. In the virtual machine’s menu, click on the “Disks” option.
  3. Identify the non-boot disk that needs to be encrypted and click on it.
  4. In the disk’s menu, click on the “Disk encryption” option.
  5. In the “Disk encryption” page, click on the “Enable” button to start the encryption process.
  6. In the “Encryption settings” page, select the encryption type and the key vault that you want to use for encryption.
  7. If you don’t have a key vault, you can create one by clicking on the “Create new” button and following the prompts.
  8. Once you have selected the encryption type and key vault, click on the “Review + Create” button to review the settings.
  9. In the “Review + Create” page, review the settings and click on the “Create” button to start the encryption process.
  10. The encryption process may take some time to complete depending on the size of the disk. Once the encryption process is complete, you will see a “Disk encryption is enabled” message in the disk’s menu.
That’s it! You have successfully remediated the Azure Disk Encryption misconfiguration for the non-boot disk using the Azure console.

Sure, here are the step-by-step instructions to remediate the Azure Disk Encryption misconfiguration for non-boot disks using Azure CLI:
  1. Open the Azure CLI and login to your Azure account using the command az login.
  2. Once you are logged in, check if you have the necessary permissions to perform disk encryption using the command az disk-encryption-set list.
  3. Next, you need to create a new encryption set using the command az disk-encryption-set create. You will need to specify the name of the encryption set, the resource group, and the location.
  4. After creating the encryption set, you need to enable encryption for the non-boot disk using the command az disk update. You will need to specify the name of the disk, the resource group, and the ID of the encryption set.
  5. Finally, you can verify that the disk encryption is enabled using the command az disk show. This will display the disk details, including the encryption status.
Here is an example command to enable encryption for a non-boot disk:
az disk update --name <disk-name> --resource-group <resource-group-name> --encryption-type "EncryptionAtRestWithPlatformKey" --disk-encryption-set <encryption-set-id>
Note: The encryption-type parameter is set to “EncryptionAtRestWithPlatformKey” which means encryption will be done using the Azure platform key. You can also use “EncryptionAtRestWithCustomerKey” to use your own customer-managed key for encryption.I hope this helps! Let me know if you have any further questions.
To remediate the Azure Disk Encryption misconfiguration for non-boot disk using Python, you can follow these steps:
  1. Install the Azure SDK for Python and import the required modules:
pip install azure
pip install azure-mgmt-compute
pip install azure-mgmt-storage
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.storage import StorageManagementClient
  1. Authenticate and create a client object for the Azure Compute and Storage Management APIs:
TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'
SUBSCRIPTION_ID = '<your subscription id>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)

compute_client = ComputeManagementClient(credentials, SUBSCRIPTION_ID)
storage_client = StorageManagementClient(credentials, SUBSCRIPTION_ID)
  1. Get the list of all the virtual machines in the subscription:
vm_list = compute_client.virtual_machines.list_all()
  1. For each virtual machine, check if it has any non-boot disks that are not encrypted:
for vm in vm_list:
    for disk in vm.storage_profile.data_disks:
        disk_id = disk.managed_disk.id
        disk_resource_group = disk_id.split('/')[4]
        disk_name = disk_id.split('/')[-1]
        disk_info = storage_client.disks.get(disk_resource_group, disk_name)
        
        if not disk_info.encryption:
            # Encrypt the disk
  1. To encrypt the non-boot disk, update the disk resource with encryption settings:
encryption_settings = {
    'disk_encryption_key': {
        'source_vault': {
            'id': '<your key vault id>'
        },
        'secret_url': '<your secret url>'
    },
    'key_encryption_key': {
        'source_vault': {
            'id': '<your key vault id>'
        },
        'key_url': '<your key url>',
        'key_version': '<your key version>'
    }
}

disk_info.encryption = encryption_settings
storage_client.disks.create_or_update(disk_resource_group, disk_name, disk_info)
  1. Save the script and run it to remediate the Azure Disk Encryption misconfiguration for non-boot disks.
Note: Replace the placeholders <your tenant id>, <your client id>, <your client secret>, <your subscription id>, <your key vault id>, <your secret url>, <your key url>, and <your key version> with your actual values.