Data protection

VM uses a managed disk that is not encrypted with a CMK.

Risk Level

Informational (4)



{AzureComputeVm} uses disks that are not encrypted with a customer-managed key (CMK). Azure managed disks are always encrypted at rest: by default with server-side encryption (SSE) using a platform-managed key (PMK). Encrypting the VM's OS disk (boot volume) and data disks (non-boot volumes) with a CMK does not change the cipher; what it changes is who controls the key. The disk contents cannot be read without a key that the organization itself holds, rotates and can revoke, which protects the volumes from unwarranted reads. Using a CMK requires additional planning (a key in Azure Key Vault and a disk encryption set that references it), but it may provide an additional level of assurance or be needed to meet an organization's regulatory requirements.
  • Recommended Mitigation

    It is recommended to encrypt disks with customer-managed keys. A disk encryption set backed by a Key Vault key must already exist before the encryption type can be changed. In portal:
    1. Go to Virtual machines.
    2. For each virtual machine, go to Settings.
    3. Click on Disks.
    4. For each data disk that is not encrypted with CMK, click the X to detach the disk from the VM.
    5. Search for Disks and locate the unattached disk.
    6. Click the disk, then select Encryption.
    7. Change the encryption type to the customer-managed key option, select your disk encryption set and save.
    8. Go back to the VM and re-attach the disk.
    The OS disk cannot be detached from a VM. To change its encryption type, stop (deallocate) the VM first, change the encryption on the OS disk as in steps 6 and 7, then start the VM again. A disk's encryption type can only be changed while it is not attached to a running VM, so the same stop-change-start sequence also works for data disks without detaching them.
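The following Python script is an added example and is not part of this finding's text or of any Azure tooling. It applies the same check to the JSON that `az disk list -o json` returns and builds the az CLI commands for the remediation; it uses the deallocate, update, start sequence rather than the portal's detach and re-attach flow, so that OS disks are covered as well. The disk records, subscription and resource IDs, and the disk encryption set ID below are constructed sample values.

```python
"""Audit `az disk list -o json` output for managed disks that are not
encrypted with a customer-managed key, and build the az CLI remediation
(deallocate VM, switch each disk to a disk encryption set, start VM)."""
import json

# encryption.type values that mean a customer-managed key is in use.
# Anything else (normally EncryptionAtRestWithPlatformKey, the default SSE
# with a platform-managed key) is flagged.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Constructed sample IDs; not real subscriptions or resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_PREFIX = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/"
DES_ID = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"


def _disk(name, os_type, managed_by, enc_type, des_id=None):
    """Build one constructed disk record with the `az disk list` fields used here."""
    return {
        "name": name,
        "resourceGroup": "rg-prod",
        "osType": os_type,                      # None for data disks
        "diskState": "Attached" if managed_by else "Unattached",
        "managedBy": managed_by,                # VM resource ID, or None
        "encryption": {"type": enc_type, "diskEncryptionSetId": des_id},
    }


# Constructed sample of `az disk list -o json`, trimmed to the fields read below.
SAMPLE_DISK_LIST = json.dumps([
    _disk("web01_OsDisk", "Linux", VM_PREFIX + "web01", "EncryptionAtRestWithPlatformKey"),
    _disk("web01_data0", None, VM_PREFIX + "web01", "EncryptionAtRestWithCustomerKey", DES_ID),
    _disk("web01_data1", None, VM_PREFIX + "web01", "EncryptionAtRestWithPlatformKey"),
    _disk("db01_OsDisk", "Windows", VM_PREFIX + "db01", "EncryptionAtRestWithPlatformAndCustomerKeys", DES_ID),
    _disk("orphan_data", None, None, "EncryptionAtRestWithPlatformKey"),
])


def non_cmk_disks(disk_list_json):
    """Return the disk records whose encryption.type is not a CMK variant."""
    disks = json.loads(disk_list_json)
    return [d for d in disks if (d.get("encryption") or {}).get("type") not in CMK_TYPES]


def _rg_and_name(resource_id):
    """Extract (resourceGroup, name) from an ARM resource ID."""
    rg = resource_id.split("/resourceGroups/", 1)[1].split("/", 1)[0]
    return rg, resource_id.rsplit("/", 1)[1]


def remediation_plan(disk_list_json, disk_encryption_set_id):
    """Return the az CLI commands that move every non-CMK disk onto the given
    disk encryption set.

    A disk's encryption type can only be changed while it is not attached to a
    running VM, and an OS disk cannot be detached, so attached disks are grouped
    by VM: deallocate the VM, update each of its flagged disks, start it again.
    Unattached disks are updated directly.
    """
    by_vm = {}
    for d in non_cmk_disks(disk_list_json):
        by_vm.setdefault(d["managedBy"], []).append(d)

    commands = []
    for vm_id, disks in by_vm.items():
        if vm_id:
            rg, vm = _rg_and_name(vm_id)
            commands.append(f"az vm deallocate -g {rg} -n {vm}")
        for d in disks:
            commands.append(
                f"az disk update -g {d['resourceGroup']} -n {d['name']} "
                f"--encryption-type EncryptionAtRestWithCustomerKey "
                f"--disk-encryption-set {disk_encryption_set_id}"
            )
        if vm_id:
            commands.append(f"az vm start -g {rg} -n {vm}")
    return commands


if __name__ == "__main__":
    for d in non_cmk_disks(SAMPLE_DISK_LIST):
        print(f"NOT CMK: {d['name']} ({d['encryption']['type']}, {d['diskState']})")
    print("\n".join(remediation_plan(SAMPLE_DISK_LIST, DES_ID)))
```

Run against real output with `az disk list -o json > disks.json` and pass the file contents to `remediation_plan` together with the resource ID of your disk encryption set; review the generated commands before running them, since each VM in the plan is deallocated and restarted. Double-encrypted disks (EncryptionAtRestWithPlatformAndCustomerKeys) are treated as compliant because they already use a CMK.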