AZURE BL 1-8 Virtual machines OS disks are encrypted using CMK


Virtual Machine OS and data disks are encrypted with platform-managed keys by default. Companies must use customer-managed keys (CMK) to achieve more flexibility for choosing when to rotate their keys per their policies, prevent managed disks from accessing keys to cause a VM to fail, and track key usage through Key Vault monitoring.


Remediation Steps


Azure Portal

  1. Goto Virtual Machines.
  2. Select the Virtual Machine you want to remediate.
  3. Select Disks from navigation.
  4. Detach the disk from the Virtual Machine.
  5. Go to the disk you unattached in the previous step and select Encryption.
  6. Change the encryption type, select your encryption settings, and click Save.
  7. Re-attach the disk by going to the virtual machine.


More information about disk encryption can be found here