Description:

OS and Data disks should be encrypted using a Customer Managed Key (CMK) stored in Azure Key Vault. This ensures the organization controls the encryption keys instead of Azure. CMK provides stronger security, better compliance, and full control over key rotation, access, and lifecycle. Disks using Platform Managed Keys (PMK) or unencrypted disks do not meet this requirement.


Rationale:

Encrypting OS and Data disks with a Customer Managed Key (CMK) gives the organization full control over who can access, rotate, or revoke the encryption keys. This provides stronger security compared to Azure’s default Platform Managed Keys.
CMK helps meet compliance requirements (ISO 27001, SOC 2, HIPAA, PCI), protects sensitive data, and ensures that only authorized users and systems can manage disk encryption. It reduces the risk of unauthorized access, misuse, or data exposure.


Impact:

If OS and Data disks are not encrypted with a Customer Managed Key (CMK):

  • The organization loses control over the encryption keys.

  • Encryption key rotation and access cannot be managed securely.

  • Compliance requirements for regulated workloads may not be met.

  • Snapshots and backups may be less secure.

  • There is a higher risk of data exposure in case of VM compromise or unauthorized access.


Default Value:

By default, Azure encrypts OS and Data disks using a Platform Managed Key (PMK).
Customer Managed Key (CMK) encryption is not enabled automatically and must be manually configured by the user.


Pre-requisites:

  • Access to the Azure Portal with Owner or Contributor permissions.

  • An Azure Key Vault has already been created.

  • A Customer Managed Key (CMK) is available in the Key Vault.

  • A Disk Encryption Set (DES) linked to the CMK.


Test Plan:

  1. Sign in to the Microsoft Azure Portal at https://portal.azure.com.

  2. Navigate to Virtual machines.

  3. Select a virtual machine.

  4. Select Disks from the left menu.

  5. Click the OS disk.

  6. Under Settings, select Encryption.

  7. Verify that Key management is set to Customer-managed key.

  8. Verify a Disk Encryption Set is selected.

  9. Return to the Disks page.

  10. Click each Data disk attached to the VM.

  11. For each data disk, verify that Key management is set to Customer-managed key and a Disk Encryption Set is configured.

  12. Repeat these steps for all virtual machines in scope.

  13. If any OS or data disk shows a Platform-managed key, follow the Implementation Steps.
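The portal check above does not scale past a handful of VMs. The following script is an added example (not part of this benchmark) that performs the same verification over the JSON emitted by `az disk list`: it flags every OS and data disk whose key management is not customer-managed, or which names no Disk Encryption Set. The embedded sample is constructed data; with `--live` it runs the real Azure CLI, which assumes an existing `az login` session with read access to the subscription. Double encryption (platform and customer keys) is assumed to satisfy the CMK requirement.

```python
import json
import subprocess
import sys

# Values of encryption.type as reported by `az disk list` (real Azure enum values).
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Constructed sample of `az disk list -o json` output; no real resources.
SAMPLE_DISKS = json.loads("""[
  {"name": "vm1-osdisk", "osType": "Linux",
   "managedBy": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des1"}},
  {"name": "vm1-data0", "osType": null,
   "managedBy": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "orphan-data", "osType": null, "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithCustomerKey", "diskEncryptionSetId": null}}
]""")


def audit_disks(disks):
    """Return a list of (disk name, reason) for every disk failing the CMK requirement."""
    findings = []
    for d in disks:
        enc = d.get("encryption") or {}
        kind = "OS" if d.get("osType") else "Data"       # osType is only set on OS disks
        vm = (d.get("managedBy") or "unattached").rsplit("/", 1)[-1]
        if enc.get("type") not in CMK_TYPES:
            findings.append((d["name"], f"{kind} disk on {vm}: key management is {enc.get('type')}"))
        elif not enc.get("diskEncryptionSetId"):
            findings.append((d["name"], f"{kind} disk on {vm}: CMK type set but no Disk Encryption Set"))
    return findings


def load_disks_from_cli():
    """Query the live subscription; assumes `az login` has been done and the CLI is on PATH."""
    return json.loads(subprocess.check_output(["az", "disk", "list", "-o", "json"]))


if __name__ == "__main__":
    disks = load_disks_from_cli() if "--live" in sys.argv else SAMPLE_DISKS
    for name, reason in audit_disks(disks):
        print(f"NON-COMPLIANT {name}: {reason}")
```

Any disk listed as NON-COMPLIANT is one to remediate via the Implementation Steps; unattached disks are reported too, since they can be reattached later.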



Implementation Steps:

  1. Sign in to the Microsoft Azure Portal at https://portal.azure.com.

  2. Verify that an Azure Key Vault exists.

  3. Verify a Customer Managed Key (CMK) exists in the Key Vault.

  4. Verify that a Disk Encryption Set (DES) is created and linked to the CMK.

  5. Navigate to Virtual machines.

  6. Select the virtual machine to be configured.

  7. Stop and deallocate the virtual machine.

  8. Select Disks from the virtual machine menu and select the OS disk.

  9. Under Settings, click Encryption.

  10. Change the Key management type to Customer-managed key.

  11. Select the Disk Encryption Set (DES) you created.

  12. Click Save to apply the CMK encryption.

Backout Plan:

  1. Sign in to the Azure portal at https://portal.azure.com.

  2. Search for Disks and open the disk that was modified.

  3. Under Settings, click Encryption.

  4. Change the Key management back to Platform-managed key (PMK).

  5. Click Save to apply the change.

References: