Unattached disks should be encrypted with a customer managed key


Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0


Ensure that unattached disks in a subscription are encrypted with a customer managed key (CMK).


Managed disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization’s regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.


Encryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.


From the console

Note: Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the Disk enable customer managed keys customer or the Encryption settings documentation.

  1. Go to Virtual machines
  2. For each virtual machine, go to Settings
  3. Click on Disks
  4. Click the X to detach the disk from the VM
  5. Now search for Disks and locate the unattached disk
  6. Click the disk then select Encryption
  7. Change your encryption type, then select your encryption set
  8. Click Save
  9. Go back to the VM and re-attach the disk

From the commandline

$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;


  1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
  2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
  3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
  4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
  5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
  6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
  7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest