Description:

Unattached disks in Azure (managed disks not currently connected to any VM) must be encrypted with a customer-managed key (CMK) through a Disk Encryption Set.
Unattached disks may still contain sensitive data and should be protected with customer-controlled encryption instead of Azure's default platform-managed key (PMK).


Rationale:

Unattached disks can be downloaded (exported through a SAS URL), attached to another VM, or copied via snapshots, so they are an easy place for sensitive data to leak from unnoticed.
Encrypting them with a CMK keeps key access, rotation, and revocation under customer control: revoking the Disk Encryption Set's access to the key renders the disk inaccessible, which strengthens security and supports compliance requirements.


Impact:

If unattached disks are not encrypted with a CMK:

  • Sensitive data may be exposed if the disk is exported, downloaded, or attached to a VM it does not belong to

  • The customer has no control over the encryption key (no rotation, no revocation, no audit of key use)

  • May fail to meet security standards or customer contracts that require customer-controlled keys (e.g. ISO 27001, SOC 2, HIPAA, PCI DSS)

  • Higher risk in case of disk export, snapshot misuse, or accidental access


Default Value:

  • Azure encrypts managed disks at rest with a platform-managed key (PMK) by default.

  • CMK encryption is not enabled automatically for any disk, attached or unattached; it must be configured per disk (or enforced with Azure Policy).


Pre-requisites:

  • Access to the Azure Portal with a role that can modify disks (Owner or Contributor on the subscription or resource group)

  • An Azure Key Vault with soft delete and purge protection enabled (both are required for use with Disk Encryption Sets)

  • A customer-managed key (CMK) created in that Key Vault

  • A Disk Encryption Set (DES) linked to the CMK, in the same region and subscription as the disks, whose managed identity has been granted access to the key (the Key Vault Crypto Service Encryption User role, or get, wrapKey and unwrapKey key permissions under the access-policy model)


Test Plan:

  1. Log in to the Microsoft Azure Portal https://portal.azure.com

  2. In the search bar, search for Disks.

  3. In the Disks list, identify disks where Disk state = Unattached.

  4. Select an unattached disk.

  5. Under Settings, select Encryption.

  6. Verify that Encryption type is set to "Encryption at-rest with a customer-managed key" (or "Double encryption with platform-managed and customer-managed keys"; both use a Disk Encryption Set and satisfy this control).

  7. Verify a Disk Encryption Set is selected.

  8. Repeat the above steps for all unattached disks.

  9. If any unattached disk shows "Encryption at-rest with a platform-managed key", follow the Implementation Steps.

Implementation Steps:

  1. Log in to the Microsoft Azure Portal https://portal.azure.com

  2. Create or open an existing Azure Key Vault.

  3. Create a Customer Managed Key (CMK) in the Key Vault.

  4. Create a Disk Encryption Set (DES) and link it to the CMK.

  5. In the Azure Portal search bar, search for Disks.

  6. In the Disks list, identify disks where Disk state = Unattached.

  7. Select an unattached disk.

  8. Under Settings, select Encryption.

  9. Change Encryption type to Customer-managed key.

  10. Select the appropriate Disk Encryption Set.

  11. Click Save to apply the changes.
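The Test Plan and Implementation Steps above are portal click-throughs, which do not scale past a handful of disks. The script below is an added example (not part of the original page) that does the same audit over the JSON returned by `az disk list -o json` and emits the matching `az disk update` remediation and backout commands. It runs offline against a constructed sample; with `--live` it queries the signed-in subscription through the Azure CLI. The disk names, resource groups and the DES resource ID are hypothetical placeholders.

```python
"""Audit unattached Azure managed disks for customer-managed-key (CMK) encryption.

Added example, not from the page or from Microsoft. Works offline on the JSON shape
returned by `az disk list -o json`; pass --live to query the current subscription.
"""
import json
import subprocess
import sys

# Values of the "encryption.type" field on a managed disk. Both CMK variants use a
# Disk Encryption Set and satisfy the control; only the pure platform key fails it.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",  # double encryption
}
PMK_TYPE = "EncryptionAtRestWithPlatformKey"

# Constructed sample in the shape of `az disk list -o json`, trimmed to the fields the
# check needs. Disk names, resource groups and IDs are hypothetical.
SAMPLE_DISKS = json.loads("""[
  {"name": "web-os-disk", "resourceGroup": "rg-prod", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "old-data-disk", "resourceGroup": "rg-prod", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "archive-disk", "resourceGroup": "rg-archive", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-archive/providers/Microsoft.Compute/diskEncryptionSets/des-archive"}},
  {"name": "staging-disk", "resourceGroup": "rg-archive", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-archive/providers/Microsoft.Compute/diskEncryptionSets/des-archive"}}
]""")


def is_unattached(disk):
    # The portal's "Unattached" disk state maps to diskState == "Unattached".
    return disk.get("diskState") == "Unattached"


def uses_cmk(disk):
    # Require both a CMK encryption type and a DES reference; either alone is inconsistent.
    enc = disk.get("encryption") or {}
    return enc.get("type") in CMK_TYPES and bool(enc.get("diskEncryptionSetId"))


def find_noncompliant(disks):
    """Return the unattached disks that are not encrypted with a CMK (Test Plan step 9)."""
    return [d for d in disks if is_unattached(d) and not uses_cmk(d)]


def remediation_command(disk, des_id):
    """Azure CLI command that switches one disk to CMK via the given Disk Encryption Set."""
    return (f"az disk update --name {disk['name']} "
            f"--resource-group {disk['resourceGroup']} "
            f"--encryption-type EncryptionAtRestWithCustomerKey "
            f"--disk-encryption-set {des_id}")


def backout_command(disk):
    """Azure CLI command that reverts one disk to the platform-managed key (Backout Plan)."""
    return (f"az disk update --name {disk['name']} "
            f"--resource-group {disk['resourceGroup']} "
            f"--encryption-type {PMK_TYPE}")


def load_live_disks():
    """Fetch every managed disk in the signed-in subscription (requires Azure CLI and `az login`)."""
    out = subprocess.run(["az", "disk", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    disks = load_live_disks() if "--live" in sys.argv else SAMPLE_DISKS
    # Hypothetical DES resource ID; replace with the DES from the Pre-requisites.
    des = ("/subscriptions/<subscription-id>/resourceGroups/rg-security"
           "/providers/Microsoft.Compute/diskEncryptionSets/des-prod")
    bad = find_noncompliant(disks)
    for d in bad:
        print(f"NON-COMPLIANT: {d['resourceGroup']}/{d['name']} "
              f"encryption={d['encryption']['type']}")
        print("  remediate: " + remediation_command(d, des))
    total = sum(1 for d in disks if is_unattached(d))
    print(f"{len(bad)} of {total} unattached disk(s) still use the platform-managed key")
```

The DES passed to `--disk-encryption-set` must already exist in the same region and subscription as the disk and have access to the key, otherwise the update fails; the script only generates the commands so they can be reviewed before running.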


Backout Plan:

  1. Sign in to the Azure portal at https://portal.azure.com.

  2. Open the unattached disk.

  3. Under Settings, click Encryption.

  4. Change the Encryption type back to "Encryption at-rest with a platform-managed key" (PMK). Note that this hands key control back to Azure and re-opens the exposure described under Impact.

  5. Click Save to apply the changes.


References: