Data protection

Azure Disk is not double encrypted with both platform-managed and customer-managed keys

Platform(s)
Compliance Frameworks

Description

{AzureDisk} is not double encrypted with both platform-managed and customer-managed keys. By default, managed disks use platform-managed encryption keys: all managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys. Encrypting managed disks ensures that the entire content is unrecoverable without the key and thus protects the volume from unwarranted reads. Customers with high security sensitivity who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption, using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. This additional layer can be applied to persisted OS and data disks, snapshots, and images, all of which are then encrypted at rest with double encryption.
  • Recommended Mitigation

    It is recommended to encrypt disks with both platform-managed and customer-managed keys.
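As an added example (not part of the original rule text), the script below shows how a defender can audit managed disks for this finding offline. It reads the `encryption.type` field that the Azure Compute API exposes for each disk (`EncryptionAtRestWithPlatformKey`, `EncryptionAtRestWithCustomerKey`, or `EncryptionAtRestWithPlatformAndCustomerKeys`), flags every disk that is not double encrypted, and prints the `az disk update` command that switches a disk to double encryption. The disk records are constructed to mimic the shape of `az disk list -o json` output; the resource group names, disk names and the `<sub-id>` / `<des-id>` placeholders are assumptions, not real resources.

```python
"""Audit Azure managed disks for missing double encryption.

Constructed example for the rule "Azure Disk is not double encrypted with both
platform-managed and customer-managed keys". Not code from the original page.
"""
import json

# Encryption types reported in the disk's `encryption.type` property.
PLATFORM_ONLY = "EncryptionAtRestWithPlatformKey"
CUSTOMER_ONLY = "EncryptionAtRestWithCustomerKey"
DOUBLE = "EncryptionAtRestWithPlatformAndCustomerKeys"

# Constructed sample mimicking `az disk list -o json` (only the fields used here).
# Subscription and disk encryption set ids are placeholders.
SAMPLE_DISKS_JSON = """
[
  {"name": "vm1-osdisk", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "vm2-data0", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-cmk"}},
  {"name": "vm3-data0", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                  "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-double"}},
  {"name": "legacy-disk", "resourceGroup": "rg-old", "encryption": {}}
]
"""


def encryption_type(disk):
    """Return the disk's encryption type.

    A disk with no explicit `encryption.type` is encrypted with platform-managed
    keys by default, so it is treated as PLATFORM_ONLY rather than skipped.
    """
    return (disk.get("encryption") or {}).get("type") or PLATFORM_ONLY


def is_double_encrypted(disk):
    return encryption_type(disk) == DOUBLE


def find_non_compliant(disks):
    """Return the names of disks that are not double encrypted."""
    return [d["name"] for d in disks if not is_double_encrypted(d)]


def remediation_command(disk, disk_encryption_set_id):
    """Build the `az disk update` command that enables double encryption.

    The disk encryption set must itself have been created with encryption type
    EncryptionAtRestWithPlatformAndCustomerKeys; <des-id> below is a placeholder.
    """
    return (
        f"az disk update --name {disk['name']} "
        f"--resource-group {disk['resourceGroup']} "
        f"--encryption-type {DOUBLE} "
        f"--disk-encryption-set {disk_encryption_set_id}"
    )


def audit(disks_json, disk_encryption_set_id="<des-id>"):
    """Return (non-compliant disk names, remediation commands) for a disk list."""
    disks = json.loads(disks_json)
    flagged = [d for d in disks if not is_double_encrypted(d)]
    commands = [remediation_command(d, disk_encryption_set_id) for d in flagged]
    return [d["name"] for d in flagged], commands


if __name__ == "__main__":
    names, commands = audit(SAMPLE_DISKS_JSON)
    for name, cmd in zip(names, commands):
        print(f"NOT DOUBLE ENCRYPTED: {name}\n  fix: {cmd}")
```

In a real audit, replace `SAMPLE_DISKS_JSON` with the output of `az disk list -o json`; the check deliberately treats a missing `encryption.type` as platform-key-only, because that is the Azure default and such disks are just as non-compliant with this rule as disks that say so explicitly.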