Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted in order to meet security and compliance requirements. Encryption and decryption of boot (OS) volumes are handled transparently and do not require any additional action from you, your Azure virtual machine, or your cloud application.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
When working with production data, it is strongly recommended to enable encryption in order to protect your VM's data from unauthorized access and fulfill your organization's compliance requirements for data-at-rest encryption. By encrypting your Azure virtual machine boot volumes, you have the assurance that the entire VM's data is unrecoverable without the key, which protects it from unwarranted reads.
To determine if encryption at rest is enabled for your Azure VM boot volumes, perform the following actions:
Remediation / Resolution
To enable encryption for your Microsoft Azure VM boot disk volumes, perform the following actions:
Note 1: Azure Disk Encryption is not currently supported on Basic-tier A-series VMs. Check the Azure documentation to determine whether your virtual machines (VMs) meet the minimum memory requirements for disk encryption.
Note 2: Enabling encryption for Azure VM boot disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.
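As an added example (not part of this Cloud Conformity page, and not Azure's own tooling), the following Python check applies the "Enable Encryption for Boot Disk Volumes" rule offline to the JSON that Azure CLI returns for a VM, covering the audit step above. `az vm show` and `az vm encryption show` are real Azure CLI commands, but the exact field layout the script reads (`storageProfile.osDisk.name`, and `disks[].statuses[].code` carrying `EncryptionState/encrypted` or `EncryptionState/notEncrypted`) is an assumption about their output, and every sample document is constructed for this example:

```python
"""Added example (not from the Cloud Conformity page): evaluate the
"Enable Encryption for Boot Disk Volumes" rule from Azure CLI JSON.

Assumed inputs (assumptions about CLI output, not taken from the page):
  * vm_doc  - `az vm show -g <rg> -n <vm> -o json`; only
              storageProfile.osDisk.name is read
  * enc_doc - `az vm encryption show -g <rg> -n <vm> -o json`; only
              disks[].name and disks[].statuses[].code are read, expecting
              "EncryptionState/encrypted" or "EncryptionState/notEncrypted"
All sample documents below are constructed, not captured from real VMs.
"""
from dataclasses import dataclass
from typing import Optional

RULE_NAME = "Enable Encryption for Boot Disk Volumes"
RISK_LEVEL = "High"
ENCRYPTED = "EncryptionState/encrypted"
NOT_ENCRYPTED = "EncryptionState/notEncrypted"


@dataclass(frozen=True)
class Finding:
    vm_name: str
    compliant: bool
    reason: str
    risk_level: str = RISK_LEVEL


def os_disk_name(vm_doc: dict) -> Optional[str]:
    """Name of the VM's boot (OS) disk, or None if the document lacks it."""
    return (vm_doc.get("storageProfile") or {}).get("osDisk", {}).get("name")


def boot_disk_state(vm_doc: dict, enc_doc: dict) -> str:
    """Classify the boot disk as 'encrypted', 'notEncrypted' or 'unknown'.

    Anything that cannot be positively confirmed is reported as 'unknown' so
    the rule fails closed instead of silently passing a VM with missing data
    (for example a Basic A-series VM on which Azure Disk Encryption never ran).
    """
    name = os_disk_name(vm_doc)
    if not name:
        return "unknown"
    for disk in enc_doc.get("disks") or []:
        if disk.get("name") != name:
            continue
        codes = {s.get("code") for s in disk.get("statuses") or []}
        if ENCRYPTED in codes:
            return "encrypted"
        if NOT_ENCRYPTED in codes:
            return "notEncrypted"
        return "unknown"
    return "unknown"


def evaluate(vm_doc: dict, enc_doc: dict) -> Finding:
    """Turn the boot disk state into a pass/fail finding for this rule."""
    name = vm_doc.get("name", "<unnamed-vm>")
    state = boot_disk_state(vm_doc, enc_doc)
    if state == "encrypted":
        return Finding(name, True, "boot disk reports EncryptionState/encrypted")
    if state == "notEncrypted":
        return Finding(name, False, "boot disk is not encrypted")
    return Finding(name, False, "boot disk encryption state could not be determined")


# --- constructed sample documents (hypothetical VMs) -------------------------
SAMPLES = [
    (   # boot disk encrypted; an unencrypted data disk does not affect this rule
        {"name": "web-01", "storageProfile": {"osDisk": {"name": "web-01_OsDisk"}}},
        {"osType": "Linux", "disks": [
            {"name": "web-01_OsDisk", "statuses": [{"code": ENCRYPTED}]},
            {"name": "web-01_data0", "statuses": [{"code": NOT_ENCRYPTED}]},
        ]},
    ),
    (   # boot disk explicitly not encrypted
        {"name": "db-01", "storageProfile": {"osDisk": {"name": "db-01_OsDisk"}}},
        {"osType": "Windows", "disks": [
            {"name": "db-01_OsDisk", "statuses": [{"code": NOT_ENCRYPTED}]},
        ]},
    ),
    (   # no disk status at all: must fail closed
        {"name": "legacy-01", "storageProfile": {"osDisk": {"name": "legacy-01_OsDisk"}}},
        {"osType": "Linux", "disks": []},
    ),
]


def run_samples() -> list:
    """Evaluate every constructed sample and return the findings in order."""
    return [evaluate(vm, enc) for vm, enc in SAMPLES]


if __name__ == "__main__":
    for f in run_samples():
        verdict = "PASS" if f.compliant else f"FAIL ({f.risk_level})"
        print(f"{RULE_NAME}: {f.vm_name}: {verdict} - {f.reason}")
```

Two design points: only the boot (OS) disk decides this rule, so the unencrypted data disk on `web-01` does not produce a failure here, and any VM whose encryption state cannot be read is reported as non-compliant rather than passed, which is the safer default for a High-risk rule.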
- Azure Official Documentation
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- Virtual Machine series
- Azure Disk Encryption for Linux VMs
- CIS Microsoft Azure Foundations
You are auditing:
Enable Encryption for Boot Disk Volumes
Risk level: High