Data protection

Vm uses managed disk which is not encrypted with CMK.

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

{AzureComputeVm} uses disks not encrypted with customer managed key (CMK). Encrypting the VM's OS disk (boot volume), Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Encryption with customer managed key (CMK) is superior encryption although requires additional planning. Using customer managed keys may provide an additional level of security or meet an organization's regulatory requirements. By default, Azure disks are encrypted using SSE with PMK.

  • Recommended Mitigation

    It is recommended to encrypt disks with customer managed keys. In portal: 1. Go to Virtual machines 2. For each virtual machine, go to Settings 3. Click on Disks 4. For each disk that is not encrypted with CMK click the X to detach the disk from the VM. 5 Search for Disks and locate the unattached disk 6. Click the disk then select Encryption 7. Change your encryption type, then select your encryption set and save it 8. Go back to the VM and re-attach the disk

Need help?

Get a free Security Risk Assessment. Start today

See Orca in action See Orca in action-> View a 10 minute recorded demo or sign up for a personalized one-on-one walk-through.