Ensure that your Microsoft Azure virtual machine (VM) data volumes (i.e. non-boot volumes) are encrypted in order to meet security and compliance requirements. Encryption and decryption of VM data volumes are handled transparently and require no additional action from you, your Azure virtual machine, or your application.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
When your cloud applications work with sensitive data such as PII (Personally Identifiable Information), it is strongly recommended to enable encryption to protect this data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. By encrypting your Azure virtual machine non-boot volumes, you ensure that the data on those volumes is unrecoverable without the protected key, which protects it from unauthorized reads.
To determine if encryption at rest is enabled for all your Azure VM data volumes, perform the following actions:
Remediation / Resolution
To enable encryption for your Microsoft Azure VM data disk volumes, perform the following actions:
Note 1: Azure disk encryption is not currently supported by Basic, A-series VMs. Check the Azure documentation (https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss#supported-vm-sizes) to determine if your virtual machines (VMs) have the minimum memory requirements for disk encryption.
Note 2: Enabling encryption for Azure VM non-boot (data) volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.
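Because the Azure Portal cannot enable data-volume encryption (Note 2), the audit and the remediation are done from Azure PowerShell. The script below is an added example, not code from the Cloud Conformity rule page; it assumes the Az module, an authenticated session (Connect-AzAccount), and a Key Vault in the VM's region that already has disk encryption enabled (the vault name is a placeholder). It reports every VM whose data volumes are not encrypted and, only when -Remediate is passed, enables Azure Disk Encryption for the data volumes alone.

```powershell
# Added example; not Cloud Conformity's or Microsoft's own code.
# Assumes: Az module, Connect-AzAccount already run, Key Vault with
# EnabledForDiskEncryption set. $KeyVaultName is a placeholder.
param(
    [string]$KeyVaultName = "<your-key-vault>",   # placeholder
    [switch]$Remediate                            # report only unless set
)

$findings = @()
foreach ($vm in Get-AzVM) {
    # VMs with no data disks have nothing to encrypt under this rule
    if ($vm.StorageProfile.DataDisks.Count -eq 0) { continue }

    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    if ($status.DataVolumesEncrypted -ne 'Encrypted') {
        $findings += [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            VM            = $vm.Name
            Size          = $vm.HardwareProfile.VmSize
            OsType        = $vm.StorageProfile.OsDisk.OsType
            DataVolumes   = $status.DataVolumesEncrypted
            # Coarse heuristic for Note 1 (Basic / A-series sizes): verify
            # flagged sizes against the supported-VM-sizes documentation.
            SizeCheck     = $vm.HardwareProfile.VmSize -match '^(Basic_|Standard_A\d)'
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    $kv = Get-AzKeyVault -VaultName $KeyVaultName
    # Skip sizes flagged by the heuristic; confirm support manually before encrypting them
    foreach ($f in $findings | Where-Object { -not $_.SizeCheck }) {
        $params = @{
            ResourceGroupName         = $f.ResourceGroup
            VMName                    = $f.VM
            DiskEncryptionKeyVaultUrl = $kv.VaultUri
            DiskEncryptionKeyVaultId  = $kv.ResourceId
            VolumeType                = 'Data'   # non-boot volumes only; OS disk untouched
            Force                     = $true
        }
        # Linux VMs with managed disks require skipping the pre-encryption backup
        if ($f.OsType -eq 'Linux') { $params.SkipVmBackup = $true }
        Set-AzVMDiskEncryptionExtension @params
    }
}
```

Re-run the script without -Remediate afterwards: DataVolumesEncrypted should read Encrypted for every VM that has data disks.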
- Azure Official Documentation
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- Virtual Machine series
- Azure Disk Encryption for Linux VMs
- CIS Microsoft Azure Foundations
Enable Encryption for Non-Boot Disk Volumes
Risk level: High