More Info:
Ensure that your Microsoft Azure virtual machine (VM) data volumes (i.e. non-boot volumes) are encrypted using Azure Disk Encryption (ADE) in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure VMs inside the guest, using the VM's CPU, via the DM-Crypt feature on Linux or the BitLocker feature on Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Encryption and decryption of the VM data volume is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NISTCSF, PCIDSS, HIPAA, HITRUST, GDPR
Triage and Remediation
Remediation
Using Console
The following step-by-step instructions remediate the Azure Disk Encryption misconfiguration for a non-boot disk using the Azure portal:
- Open the Azure portal and navigate to the virtual machine that you want to remediate.
- In the virtual machine’s menu, click on the “Disks” option.
- Identify the non-boot disk that needs to be encrypted and click on it.
- In the disk’s menu, click on the “Disk encryption” option.
- In the “Disk encryption” page, click on the “Enable” button to start the encryption process.
- In the “Encryption settings” page, select the encryption type and the key vault that you want to use for encryption.
- If you don’t have a key vault, you can create one by clicking on the “Create new” button and following the prompts.
- Once you have selected the encryption type and key vault, click on the “Review + Create” button to review the settings.
- In the “Review + Create” page, review the settings and click on the “Create” button to start the encryption process.
- The encryption process may take some time to complete depending on the size of the disk. Once the encryption process is complete, you will see a “Disk encryption is enabled” message in the disk’s menu.
Using CLI
The following step-by-step instructions remediate the Azure Disk Encryption misconfiguration for non-boot disks using the Azure CLI:
- Open the Azure CLI and log in to your Azure account using the command `az login`.
- Once you are logged in, check whether you have the necessary permissions to perform disk encryption using the command `az disk-encryption-set list`.
- Next, create a new encryption set using the command `az disk-encryption-set create`. You will need to specify the name of the encryption set, the resource group, and the location.
- After creating the encryption set, enable encryption for the non-boot disk using the command `az disk update`. You will need to specify the name of the disk, the resource group, and the ID of the encryption set.
- Finally, verify that disk encryption is enabled using the command `az disk show`. This will display the disk details, including the encryption status.
Note: The `encryption-type` parameter is set to “EncryptionAtRestWithPlatformKey”, which means encryption is done using the Azure platform key. You can also use “EncryptionAtRestWithCustomerKey” to use your own customer-managed key for encryption.
Using Python
To remediate the Azure Disk Encryption misconfiguration for non-boot disks using Python, you can follow these steps:
- Install the Azure SDK for Python and import the required modules:
- Authenticate and create a client object for the Azure Compute and Storage Management APIs:
- Get the list of all the virtual machines in the subscription:
- For each virtual machine, check if it has any non-boot disks that are not encrypted:
- To encrypt the non-boot disk, update the disk resource with encryption settings:
- Save the script and run it to remediate the Azure Disk Encryption misconfiguration for non-boot disks.
Replace `<your tenant id>`, `<your client id>`, `<your client secret>`, `<your subscription id>`, `<your key vault id>`, `<your secret url>`, `<your key url>`, and `<your key version>` with your actual values.
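As an added example (not code from the original page), the script below implements the Python steps above: it identifies a VM's non-boot managed disks whose encryptionSettingsCollection is not enabled and builds the disk update that records the Key Vault secret and key-encryption key. The Key Vault id and URLs are hypothetical placeholders, and the live section assumes azure-identity and azure-mgmt-compute are installed.

```python
# Added example (not from the original page): find a VM's data disks that lack ADE settings and
# build the disk PATCH body. Works on the camelCase JSON shape of VM/disk resources (as printed
# by `az vm show` / `az disk show -o json`), so the decision logic runs offline.
from typing import Dict, List, Tuple

# Hypothetical placeholders: substitute the Key Vault that holds the ADE secret and key.
KEY_VAULT_ID = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>"
SECRET_URL = "https://<vault>.vault.azure.net/secrets/<secret>/<version>"
KEY_URL = "https://<vault>.vault.azure.net/keys/<key>/<version>"

def rg_and_name(resource_id: str) -> Tuple[str, str]:
    """Resource group (segment 4) and resource name (segment 8) of an ARM resource id."""
    parts = resource_id.split("/")
    return parts[4], parts[8]

def data_disk_ids(vm: Dict) -> List[str]:
    """Non-boot disks are the managed disks under storageProfile.dataDisks (osDisk is skipped)."""
    return [d["managedDisk"]["id"] for d in vm["storageProfile"].get("dataDisks", []) if d.get("managedDisk")]

def ade_enabled(disk: Dict) -> bool:
    """ADE state lives in encryptionSettingsCollection: enabled and at least one settings element."""
    coll = disk.get("encryptionSettingsCollection") or {}
    return bool(coll.get("enabled")) and bool(coll.get("encryptionSettings"))

def unencrypted_data_disk_ids(vm: Dict, disks: List[Dict]) -> List[str]:
    """Ids of this VM's data disks without ADE; ids compare case-insensitively, as ARM does."""
    wanted = {i.lower() for i in data_disk_ids(vm)}
    return [d["id"] for d in disks if d["id"].lower() in wanted and not ade_enabled(d)]

def encryption_update(vault_id: str, secret_url: str, key_url: str) -> Dict:
    """Disk PATCH body: ADE settings with the Key Vault secret and key-encryption key (KEK)."""
    vault = {"id": vault_id}
    return {"encryptionSettingsCollection": {"enabled": True, "encryptionSettings": [{
        "diskEncryptionKey": {"sourceVault": vault, "secretUrl": secret_url},
        "keyEncryptionKey": {"sourceVault": vault, "keyUrl": key_url}}]}}

if __name__ == "__main__":  # live run; assumes azure-identity and azure-mgmt-compute are installed
    import os
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.compute import ComputeManagementClient

    client = ComputeManagementClient(DefaultAzureCredential(), os.environ["AZURE_SUBSCRIPTION_ID"])
    for vm in client.virtual_machines.list_all():
        vm_json = vm.serialize(keep_readonly=True)  # camelCase REST shape with read-only ids kept
        disks = [client.disks.get(*rg_and_name(i)).serialize(keep_readonly=True) for i in data_disk_ids(vm_json)]
        for disk_id in unencrypted_data_disk_ids(vm_json, disks):
            rg, name = rg_and_name(disk_id)
            client.disks.begin_update(rg, name, encryption_update(KEY_VAULT_ID, SECRET_URL, KEY_URL)).result()
```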