iCompaas Support

Description:

Virtual Hard Disks (VHDs) associated with Azure Virtual Machines store operating system files, application binaries, and customer data. Historically, Azure allowed VHDs to exist unencrypted, creating a risk of data exposure if a disk was copied or compromised. Although Azure now defaults to using encrypted managed disks, older or legacy VHDs stored in Storage Accounts may remain unencrypted. This control ensures all VHD files are encrypted with Azure Storage Service Encryption (SSE) or customer-managed keys to protect confidentiality and integrity.

Rationale:

Unencrypted VHDs expose sensitive data if downloaded, copied, or accessed by unauthorized users. Encryption mitigates risks of data theft, meets compliance mandates, and ensures secure handling of disk data at rest. Legacy disks must be checked and migrated to managed disks or encrypted storage to align with security standards.

Impact:

• Protects sensitive VM data at rest

• Helps meet compliance (ISO, SOC, PCI, HIPAA)

• Reduces data exposure risks from copied or exported VHDs

Default Value:

• Modern Azure Managed Disks are encrypted by default.

• Legacy VHDs stored in Storage Accounts may be unencrypted unless manually configured.

Pre-requisites:

• Access permissions for Storage Accounts, Disk resources, and VM management

• Azure role such as Owner, Contributor, or Disk Encryption Admin

• Ability to migrate unmanaged disks to managed disks if needed

Test Plan:

1. Log in to the Microsoft Azure Portal https://portal.azure.com 

2. Go to Virtual machines.

3. Select a virtual machine.

4. Under Settings, click Disks.

5. Click the OS disk.

6. Check the Encryption type.

7. Verify that it shows Platform-managed key (PMK) or Customer-managed key (CMK)

8. If it shows disabled, follow the implementation steps

Implementation Steps:

1. Log in to the Microsoft Azure Portal  https://portal.azure.com

2. Go to Virtual machines.

3. Select the virtual machine.

4. Click Stop and deallocate the virtual machine.

5. After the VM is deallocated, go to Disks.

6. Select the OS disk. Under Settings, click Encryption.

7. Under Key management, select:

•  Platform-managed key (PMK)
  Or Customer-managed key 

8. Click Save.

Backout Plan:

1. Log in to the Microsoft Azure Portal  https://portal.azure.com

2. Navigate to Virtual machines.

3. Select the affected virtual machine.

4. Click Stop and deallocate the virtual machine.

5. Go to Disks.

6. Select the OS disk. Under Settings, click Encryption

7. Under Encryption / Key management, revert to the previous configuration:

8. Change from Customer-managed key (CMK) back to Platform-managed key (PMK) or the previous one.

9. Save the changes.

Reference:

• https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview

• https://learn.microsoft.com/azure/storage/common/storage-service-encryption

• https://learn.microsoft.com/azure/virtual-machines/disks-enable-customer-managed-keys