Trend Micro Cloud One™

Enable Encryption for Unattached Disk Volumes

Risk level: High (not acceptable risk)
Rule ID: VirtualMachines-003

Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted in order to meet security and compliance requirements. Encryption and decryption of unattached disk volumes are handled transparently and require no additional action from you, your Azure virtual machine, or your application.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

By encrypting disk volumes detached from your Microsoft Azure virtual machines, you have the assurance that your data is unrecoverable without the encryption key, which protects it against unwarranted reads. Even when disk volumes are not attached to any of the VMs provisioned within your Azure cloud account, there is always a risk that a compromised user account with administrative privileges mounts/attaches these unencrypted disks, and this can lead to sensitive information disclosure and/or data leakage.

Audit

To determine if encryption at rest is enabled for your unattached VM disk volumes, perform the following actions:

Note: Getting the encryption status for the detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run disk list command (Windows/macOS/Linux) using custom query filters to list the ID of each unattached managed disk volume available in the current Azure subscription:

az disk list \
	--query '[?diskState == `Unattached`].id'

02 The command output should return the requested disk volume identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_1"
]

03 Run disk show command (Windows/macOS/Linux) using the ID of the managed disk volume that you want to examine as the identifier parameter to obtain the encryption configuration settings available for the selected unattached VM disk volume:

az disk show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0" \
	--query '{encryptionSettingsCollection: encryptionSettingsCollection}'

04 The command output should return the configuration settings for the specified disk volume:

{
  "encryptionSettingsCollection": null
}

If the disk show command output returns null as the value of the "encryptionSettingsCollection" attribute, as shown in the example above, the unattached Azure VM disk volume is not currently encrypted.

05 Repeat steps no. 3 and 4 for each Azure disk volume detached from a virtual machine, provisioned in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
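Steps 01 to 06 above can be automated. The following Python script is an added example (not part of this Cloud Conformity page) that wraps the Azure CLI and generalizes the procedure: one `az disk list` call per subscription already returns `diskState` and `encryptionSettingsCollection` for every managed disk, so it replaces the per-disk `disk show` loop. The `audit_subscription` function and the sample records are assumptions: the records are constructed to mirror the page's output (placeholder subscription ID), and the function needs an authenticated `az`.

```python
import json
import subprocess
from typing import Any


def is_encrypted(disk: dict[str, Any]) -> bool:
    """Page criterion: a null/absent encryptionSettingsCollection means not
    encrypted. The CLI has printed the field both as an object with an
    "enabled" flag and as a list of such objects, so accept both shapes."""
    esc = disk.get("encryptionSettingsCollection")
    if esc is None:
        return False
    if isinstance(esc, list):
        return any(item.get("enabled") is True for item in esc)
    return esc.get("enabled") is True


def unencrypted_unattached(disks: list[dict[str, Any]]) -> list[str]:
    """Steps 01-05: IDs of Unattached disks that fail the encryption check."""
    return sorted(
        d["id"] for d in disks
        if d.get("diskState") == "Unattached" and not is_encrypted(d)
    )


def audit_subscription(subscription_id: str) -> list[str]:
    """Step 06 for one subscription: a single `az disk list`, then classify.
    Requires a logged-in Azure CLI; not exercised by the sample below."""
    cmd = ["az", "disk", "list", "--subscription", subscription_id, "-o", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return unencrypted_unattached(json.loads(out))


# Constructed sample modelled on the page's output (placeholder subscription ID).
PREFIX = ("/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/"
          "CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/")
SAMPLE_DISKS = [
    # step 04 on the page: null collection, so a finding
    {"id": PREFIX + "cc-warehouse-app_DataDisk_0", "diskState": "Unattached",
     "encryptionSettingsCollection": None},
    # remediated disk: collection present and enabled, so compliant
    {"id": PREFIX + "cc-warehouse-app_DataDisk_1", "diskState": "Unattached",
     "encryptionSettingsCollection": [{"enabled": True, "keyEncryptionKey": None}]},
    # collection present but disabled: still a finding
    {"id": PREFIX + "cc-warehouse-app_DataDisk_2", "diskState": "Unattached",
     "encryptionSettingsCollection": {"enabled": False}},
    # attached disks are out of scope for this rule
    {"id": PREFIX + "cc-warehouse-app_OsDisk", "diskState": "Attached",
     "encryptionSettingsCollection": None},
]

if __name__ == "__main__":
    for disk_id in unencrypted_unattached(SAMPLE_DISKS):
        print("NOT ENCRYPTED:", disk_id)
```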

Remediation / Resolution

To enable encryption for your unattached Microsoft Azure VM disk volumes, perform the following actions:

Note: Enabling encryption at rest for detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the generated disk encryption key will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support:

az keyvault create \
	--name cc-encryption-vault \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope \
	--enable-soft-delete true \
	--enable-purge-protection true \
	--enabled-for-disk-encryption true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault",
  "location": "westeurope",
  "name": "cc-encryption-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "vaultUri": "https://cc-encryption-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run disk update command (Windows/macOS/Linux) using the ID of the detached Azure VM disk volume that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource) and the ID of the Azure Key Vault created in the previous steps as the configuration parameter, to enable encryption at rest for the selected unattached disk volume:

az disk update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0" \
	--set encryptionSettingsCollection.diskEncryptionKey="/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault" encryptionSettingsCollection.enabled=true

04 The command output should return the configuration metadata for the reconfigured Azure VM disk volume:

{
  "creationData": {
    "createOption": "Empty",
    "imageReference": null,
    "sourceResourceId": null,
    "sourceUri": null,
    "storageAccountId": null
  },
  "diskIopsReadWrite": 120,
  "diskMbpsReadWrite": 25,
  "diskSizeGb": 32,
  "diskState": "Unattached",
  "encryptionSettingsCollection": [
    {
      "diskEncryptionKey": {
        "sourceVault": {
          "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault"
        }
      },
      "enabled": true,
      "keyEncryptionKey": null
    }
  ],
  "hyperVgeneration": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0",
  "location": "westeurope",
  "managedBy": null,
  "name": "cc-warehouse-app_DataDisk_0",
  "osType": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "sku": {
    "name": "StandardSSD_LRS",
    "tier": "Standard"
  },
  "tags": {},
  "timeCreated": "2019-09-10T11:31:24.276707+00:00",
  "type": "Microsoft.Compute/disks",
  "zones": [
    "1"
  ]
}

05 Repeat steps no. 3 and 4 for each unencrypted Azure disk volume detached from a virtual machine, available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Publication date Sep 20, 2019
