Azure Virtual Machines

Disk Volumes BYOK Encryption Disabled

Ensures that virtual machine disks are created using BYOK encryption

Risk Level: Medium

Description

This plugin ensures that Azure Virtual Machine (VM) disks have BYOK (Bring Your Own Key, i.e., Customer-Managed Key) encryption enabled. Azure disk encryption aids in the security and protection of your data.

About the Service

Azure Virtual Machines:

Azure Virtual Machines (VMs) are one of several forms of scalable, on-demand computing resources offered by Azure. VMs are typically used when you require more control over the computing environment than the other options provide. To know more, read here.

Impact

Azure encryption at rest with a platform-managed key is the default encryption applied whenever a new VM disk is created. However, platform-managed keys offer very little flexibility. Customer-managed keys (CMKs), on the other hand, allow you to tailor the encryption to your specific requirements (key rotation, revocation, and access control through your own key vault), resulting in greater control over your data.

Steps to Reproduce

Using Azure Console-

  1. Log In to your Azure Console.

  2. Navigate to the Home portal of the Azure Console and click on All services.

  3. Enter Disks in the search bar provided to access all the disks in your Azure subscription. You can use this link here to navigate directly if you’re already logged in.


  4. In the list of disks displayed, select the one you wish to investigate.

  5. From the navigation panel on the left side of the console, go to Encryption in the Settings section.


  6. If it is set to the Default value (only platform-managed keys), then encryption for the selected disk is not at the desired level.


  7. Repeat steps 4 to 6 for all the VM disks you want to investigate in the selected directory.

  8. If you have multiple directories, repeat steps 2 to 7 for each directory in your Azure Console. 
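The portal check above can be automated against the JSON that `az disk list -o json` returns. The script below is an added example, not part of the original plugin page; the disk records in it are constructed samples, and the encryption type values are the ones Azure reports for managed disks.

```python
"""Added example: classify Azure managed disks by encryption type, mirroring
the manual portal check above.  Input is the JSON from `az disk list -o json`;
SAMPLE_DISKS is a constructed sample, not real resources."""
import json

# EncryptionType values reported by Azure for managed disks.
PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"
CUSTOMER_KEY = "EncryptionAtRestWithCustomerKey"
DOUBLE_ENCRYPTION = "EncryptionAtRestWithPlatformAndCustomerKeys"
COMPLIANT_TYPES = {CUSTOMER_KEY, DOUBLE_ENCRYPTION}

# Constructed sample of `az disk list -o json` output (relevant fields only).
SAMPLE_DISKS = json.loads("""[
  {"name": "osdisk-web01", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "datadisk-db01", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/SAMPLE/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
  {"name": "datadisk-db02", "resourceGroup": "rg-prod",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                  "diskEncryptionSetId": "/subscriptions/SAMPLE/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
  {"name": "legacy-disk", "resourceGroup": "rg-test", "encryption": null}
]""")


def disk_status(disk):
    """Return (status, reason) for one disk record."""
    enc = disk.get("encryption") or {}
    # A missing encryption block means the platform-managed key default.
    enc_type = enc.get("type") or PLATFORM_KEY
    if enc_type in COMPLIANT_TYPES:
        des_id = enc.get("diskEncryptionSetId")
        if not des_id:
            return ("FAIL", f"{enc_type} declared but no disk encryption set attached")
        return ("PASS", f"{enc_type} via {des_id.rsplit('/', 1)[-1]}")
    return ("FAIL", f"{enc_type}: only platform-managed keys")


def audit_disks(disks):
    """Map 'resourceGroup/name' -> (status, reason) for every disk."""
    return {f"{d['resourceGroup']}/{d['name']}": disk_status(d) for d in disks}


def failing_disks(disks):
    """Sorted list of disks that still use only platform-managed keys."""
    return sorted(k for k, (s, _) in audit_disks(disks).items() if s == "FAIL")


if __name__ == "__main__":
    for disk, (status, reason) in audit_disks(SAMPLE_DISKS).items():
        print(f"{status:4} {disk}: {reason}")
```

Pipe real output in with `az disk list -o json > disks.json` and load that file instead of `SAMPLE_DISKS`; every disk listed as `FAIL` is one the remediation steps below apply to.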

Steps for Remediation

Determine whether or not you truly require BYOK encryption to be disabled for your disks. If not, make the necessary changes to enable it using the steps below.


Using Azure Console-

  1. Log In to your Azure Console.

  2. Navigate to the Home portal of the Azure Console and click on All services.

  3. Enter Disks in the search bar provided to access all the disks in your Azure subscription. You can use this link here to navigate directly if you’re already logged in.


  4. In the list of disks displayed, select the one you wish to re-configure. (In case you aren’t sure which one needs to be configured, follow the steps to reproduce listed above to determine which disk to choose.)

  5. From the navigation panel on the left side of the console, go to Encryption in the Settings section.


  6. In the drop-down box, choose either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
    Next, choose your desired Disk encryption set.

    (or)


  7. Click on the Save button to apply the changes.


  8. Repeat steps 3 to 7 for all the VM disks you want to reconfigure in the selected directory.

  9. If you have multiple directories, repeat steps 2 to 8 for each directory in your Azure Console.