Trend Micro Cloud One™

Enable Encryption for Boot Disk Volumes

Risk level: High (not acceptable risk)
Rule ID: VirtualMachines-001

Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted in order to meet security and compliance requirements. Encryption and decryption of the boot (OS) volume is handled transparently and requires no additional action from you, your Azure virtual machine, or your cloud application.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When working with production data, it is strongly recommended to enable encryption in order to protect your VM's data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. Encrypting your Azure virtual machine boot volumes gives you the assurance that the VM's data cannot be recovered without the key, which protects it from unwarranted reads.

Audit

To determine if encryption at rest is enabled for your Azure VM boot volumes, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the virtual machines (VMs) provisioned in the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected Azure VM.

07 On the Disks overview page, under OS disk, check the boot disk volume encryption status, available in the ENCRYPTION column. If the encryption status is set to Not enabled, the boot volume attached to the selected Microsoft Azure virtual machine (VM) is not encrypted.

08 Repeat steps no. 4 – 7 for each Azure virtual machine available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned within the current Azure subscription:

az vm list \
	--query '[*].id'

02 The command output should return the requested VM server identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-development-server"
]

03 Run the vm encryption show command (Windows/macOS/Linux) using the ID of the virtual machine that you want to examine as the identifier parameter to obtain the encryption status of the boot (OS) disk volume attached to the selected Azure VM:

az vm encryption show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server" \
	--query 'osDisk'

04 The command output should return the requested VM boot volume encryption status:

Azure Disk Encryption is not enabled

If the vm encryption show command output returns the following message: Azure Disk Encryption is not enabled, the boot disk volume attached to the selected Microsoft Azure virtual machine (VM) is not currently encrypted.

05 Repeat steps no. 3 and 4 for every Azure virtual machine provisioned in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable encryption for your Microsoft Azure VM boot disk volumes, perform the following actions:

Note 1: Azure disk encryption is not currently supported by Basic, A-series VMs. Check the Azure documentation to determine if your virtual machines (VMs) have the minimum memory requirements for disk encryption.

Note 2: Enabling encryption for Azure VM boot disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run the keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the generated disk encryption key will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support:

az keyvault create \
	--name cc-disk-encryption-vault \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope \
	--enable-soft-delete true \
	--enable-purge-protection true \
	--enabled-for-disk-encryption true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-disk-encryption-vault",
  "location": "westeurope",
  "name": "cc-disk-encryption-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-disk-encryption-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run the vm encryption enable command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right VM) to enable encryption at rest for the boot disk volume attached to the selected Azure virtual machine (VM):

az vm encryption enable \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server" \
	--disk-encryption-keyvault cc-disk-encryption-vault \
	--volume-type OS

04 The command output should return a confirmation message, such as:

The encryption request was accepted. Please use 'show' command to monitor the progress.

05 Run the vm encryption show command (Windows/macOS/Linux) again, using the ID of the reconfigured virtual machine (VM) as the identifier parameter, to confirm that the encryption process has completed by listing the encryption configuration of the boot disk volume encrypted in the previous steps:

az vm encryption show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server"

06 The command output should return the disk volume encryption configuration information:

{
  "disks": [
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "sourceVault": {
              "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.KeyVault/vaults/cc-disk-encryption-vault"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "cc-project5-main-server_disk1_abcdabcd1234abcd1234abcd1234abcd",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "OS disk encryption started",
      "time": null
    }
  ],
  "substatus": [
    {
      "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "{\"os\": \"EncryptionInProgress\", \"data\": \"NotMounted\"}",
      "time": null
    }
  ]
}

07 Repeat steps no. 3 – 6 for every Azure virtual machine (VM) available in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created within your Microsoft Azure cloud account.
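An added audit and verification script (not Cloud Conformity's own tooling) that wraps the az commands from the Audit and Remediation sections above: it classifies the output of az vm encryption show, walks every subscription and VM as Audit steps 1 to 6 do, and polls a VM after az vm encryption enable as Remediation step 5 does. It assumes the az CLI is installed and logged in; the function names and the embedded sample output are constructed for this example.

```python
import json
import subprocess
import time
NOT_ENABLED_MSG = "Azure Disk Encryption is not enabled"
# Constructed sample shaped like the page's "az vm encryption show" output: the
# settings are applied, but the ADE extension still reports EncryptionInProgress.
SAMPLE_SHOW_OUTPUT = """{
  "disks": [{"encryptionSettings": [{"enabled": true}],
             "statuses": [{"code": "EncryptionState/encrypted"}]}],
  "substatus": [{"message": "{\\"os\\": \\"EncryptionInProgress\\", \\"data\\": \\"NotMounted\\"}"}]
}"""

def os_disk_state(output):
    """Map raw show-command text to 'not_enabled', 'in_progress' or 'encrypted'."""
    text = output.strip()
    if not text or text.startswith(NOT_ENABLED_MSG):
        return "not_enabled"
    doc = json.loads(text)
    for sub in doc.get("substatus", []):  # live progress reported by the extension
        try:
            if json.loads(sub.get("message") or "{}").get("os") == "EncryptionInProgress":
                return "in_progress"
        except ValueError:
            continue
    for disk in doc.get("disks", []):  # settings applied and disk marked encrypted
        if any(s.get("code") == "EncryptionState/encrypted" for s in disk.get("statuses", [])):
            return "encrypted"
    return "not_enabled"

def az(*args):  # run one az CLI command; check=True raises on a CLI error
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout

def unencrypted_boot_volumes():
    """Audit steps 1-6 over every subscription: IDs of VMs whose OS disk is not encrypted."""
    findings = []
    for sub_id in json.loads(az("account", "list", "--query", "[].id", "-o", "json")):
        for vm_id in json.loads(az("vm", "list", "--subscription", sub_id, "--query", "[*].id", "-o", "json")):
            if os_disk_state(az("vm", "encryption", "show", "--ids", vm_id)) != "encrypted":
                findings.append(vm_id)
    return findings

def wait_until_encrypted(vm_id, timeout_s=3600, poll_s=60):
    """Remediation step 5: poll after 'az vm encryption enable' until the OS disk is done."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        if os_disk_state(az("vm", "encryption", "show", "--ids", vm_id)) == "encrypted":
            return True
        time.sleep(poll_s)
    return False
```

Note that the page's own sample output classifies as in progress, because the extension substatus still reports EncryptionInProgress even though the disk already carries its encryption settings.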

Publication date Apr 2, 2020
