'OS and Data' disks should be encrypted with Customer Managed Key (CMK)


Description

To enhance data security, it is important to ensure that both OS disks (boot volumes) and data disks (non-boot volumes) of IaaS VMs are encrypted using Customer Managed Keys (CMK). CMK encryption can be implemented through either Azure Disk Encryption (ADE) or Server-Side Encryption (SSE) with a customer-managed key.

Encrypting the OS disk and data disks with a CMK ensures that their entire content can only be accessed with the corresponding key, preventing unauthorized access. While Azure-managed disks enable encryption at rest by default using Platform Managed Keys (PMKs), using a CMK gives customers more control over the encryption and decryption processes, including key rotation, and therefore increased security.

Organizations should evaluate their security requirements for the data stored on the disks. For high-risk data, the use of CMK is strongly recommended, as it offers additional layers of security. However, for low-risk data, PMK, which is enabled by default, provides sufficient data security.

Remediation

From Azure Portal

Note: Disks must be detached from VMs to change encryption.

  1. Go to Virtual machines.
  2. For each virtual machine, go to Settings.
  3. Click on Disks.
  4. Click the ellipsis (…), then click Detach to detach the disk from the VM.
  5. Now search for Disks and locate the unattached disk.
  6. Click the disk then select Encryption.
  7. Change your encryption type, then select your encryption set.
  8. Click Save.
  9. Go back to the VM and re-attach the disk.
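To verify the outcome of the steps above across a subscription, the following added example (not part of this page) audits the JSON that `az disk list -o json` returns and flags any OS or data disk that is still protected only by a platform-managed key. It assumes the Azure Disk resource fields `osType`, `encryption.type` and `encryptionSettingsCollection.enabled`; the disk records embedded below are constructed sample data, and the Disk Encryption Set path is a placeholder.

```python
import json

# Constructed sample in the shape of `az disk list -o json`, trimmed to the
# fields this check uses. Names and the Disk Encryption Set ID are made up.
DES_PLACEHOLDER = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                   "Microsoft.Compute/diskEncryptionSets/<des-name>")
SAMPLE_DISKS_JSON = """
[
  {"name": "vm1-osdisk", "osType": "Linux", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null},
  {"name": "vm1-data0", "osType": null, "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "%s"}},
  {"name": "vm2-osdisk", "osType": "Windows", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": {"enabled": true}},
  {"name": "vm3-data1", "osType": null, "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                  "diskEncryptionSetId": "%s"}}
]
""" % (DES_PLACEHOLDER, DES_PLACEHOLDER)

# SSE encryption types that involve a customer-managed key (a Disk Encryption Set).
CMK_SSE_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def disk_role(disk):
    """An OS disk carries an osType; any other managed disk is a data disk."""
    return "OS" if disk.get("osType") else "Data"


def is_cmk_protected(disk):
    """True if the disk uses a CMK via SSE (Disk Encryption Set) or via ADE."""
    sse_type = (disk.get("encryption") or {}).get("type")
    if sse_type in CMK_SSE_TYPES:
        return True
    ade = disk.get("encryptionSettingsCollection") or {}
    return bool(ade.get("enabled"))


def find_noncompliant(disks):
    """Return (name, role, reason) for every disk still relying on PMK only."""
    findings = []
    for d in disks:
        if not is_cmk_protected(d):
            sse_type = (d.get("encryption") or {}).get("type", "unknown")
            findings.append((d["name"], disk_role(d), f"SSE type {sse_type}, ADE disabled"))
    return findings


def audit(disks_json):
    """Parse `az disk list` style JSON and return the non-compliant disks."""
    return find_noncompliant(json.loads(disks_json))


if __name__ == "__main__":
    for name, role, reason in audit(SAMPLE_DISKS_JSON):
        print(f"NON-COMPLIANT {role} disk {name}: {reason}")
```

Run against real output with `az disk list -o json > disks.json` and pass the file contents to `audit()`; a disk can be marked compliant either by a Disk Encryption Set or by ADE, matching the two options in the Description.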