Server Side Encryption for Boot Disk using CMK
More Info:
Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (OS and data disk volumes) use platform-managed encryption keys.Risk Level
HighAddress
SecurityCompliance Standards
ISO27001, HIPAA, CISAZURE, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of Server Side Encryption for Boot Disk using CMK in Azure, follow the below steps:
- Login to the Azure portal (https://portal.azure.com/)
- Navigate to the virtual machine which needs to be remediated.
- Click on “Disks” under the “Settings” section of the virtual machine.
- Select the boot disk that needs to be encrypted.
- In the “Encryption Settings” section, click on “Disk encryption set”.
- Click on “Create new” to create a new disk encryption set.
- Select the appropriate subscription, resource group and region.
- Provide a name for the disk encryption set and select the key vault which contains the Customer Managed Key (CMK).
- Click on “Create” to create the disk encryption set.
- Once the disk encryption set is created, select the disk encryption set from the “Encryption Settings” section of the boot disk.
- Click on “Save” to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration of Server Side Encryption for Boot Disk using CMK in Azure, you can follow the below steps using Azure CLI:
-
Open Azure CLI and login to your Azure account using the command:
az login -
Once you are logged in, run the following command to identify the VM’s boot disk that needs to be encrypted:
az vm show -g <resource-group-name> -n <vm-name> --query storageProfile.osDisk.managedDisk.id -o tsv -
Once you have identified the boot disk, run the following command to enable encryption on the boot disk using a customer-managed key:
az disk encryption set --resource-group <resource-group-name> --name <disk-name> --key-url <key-url> --encryption-type <EncryptionType>Replace the following parameters in the command:<resource-group-name>: Name of the resource group where the VM is located.<disk-name>: Name of the disk that needs to be encrypted.<key-url>: URL of the customer-managed key that needs to be used for encryption.<EncryptionType>: Type of encryption to be used. In this case, it would be “EncryptionAtRestWithCustomerKey”.
-
Once the encryption is enabled, you can verify the status of the encryption using the following command:
az disk encryption show --resource-group <resource-group-name> --name <disk-name> --query encryptionSettingsCollection -o jsonThis command will return the encryption settings for the disk in JSON format.
Using Python
Using Python
To remediate Server Side Encryption for Boot Disk using CMK misconfiguration in Azure using Python, you can follow the below steps:Note: Make sure to replace the placeholders (your-subscription-id, your-resource-group, your-vm-name, your-disk-encryption-set-id, your-cmk-secret-url) with the actual values.These steps will remediate the Server Side Encryption for Boot Disk using CMK misconfiguration in Azure using Python.
- Import the necessary libraries:
- Set the credentials for authentication:
- Create an instance of the ComputeManagementClient:
- Get the virtual machine details:
- Get the OS disk details:
- Create a DiskEncryptionSetParameters object:
- Create an EncryptionSettings object:
- Create a DiskEncryptionSettings object:
- Create a KeyVaultSecretReference object:
- Update the OS disk with the new encryption settings: