Ensure Azure VM data disk is encrypted with ADE/CMK

Error: Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK

Bridgecrew Policy ID: BC_AZR_GENERAL_1
Checkov Check ID: CKV_AZURE_2
Severity: HIGH

Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK


Azure encrypts data disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need. Encryption does not impact the performance of managed disks and there is no additional cost for the encryption.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Select the Management tab and verify that you have a Diagnostics Storage Account. If you have no storage accounts, select Create New, give your new account a name, then select OK.
  3. When the VM deployment is complete, select Go to resource.
  4. On the left-hand sidebar, select Disks. On the Disks screen, select Encryption.
  5. On the Create key vault screen, ensure that the Resource Group is the same as the one you used to create the VM.
  6. Name your key vault.
  7. On the Access Policies tab, check the Azure Disk Encryption for volume encryption.
  8. After the key vault has passed validation, select Create. Leave the Key field blank, then click Select.
  9. At the top of the Encryption screen, click Save. A popup will warn you that the VM will reboot. Click Yes.

CLI Command

Encrypt your VM with az vm encryption, providing your unique Key Vault name to the --disk-encryption-keyvault parameter.

az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV

## You can verify that encryption is enabled on your VM with az vm show
az vm show --name MyVM -g MyResourceGroup

## You will see the following in the returned output:
"EncryptionOperation": "EnableEncryption"

Fix - Buildtime


  • Resource: azurerm_managed_disk
  • Argument: encryption_settings - Is Encryption enabled on this Managed Disk? Changing this forces a new resource to be created.
    Add the encryption_settings block as show:
resource "azurerm_managed_disk" "example" {
  name                 = var.disk_name
  location             = var.location
  resource_group_name  = var.resource_group_name
  storage_account_type = var.storage_account_type
  create_option        = "Empty"
  disk_size_gb         = var.disk_size_gb
 + encryption_settings {
 +   enabled = true
 + }
  tags = var.common_tags

ARM Templates

  • Resource: encryptionOperation
  • Argument: EnableEncryption
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": {
        "description": "Name of the virtual machine"
    "volumeType": {
      "type": "string",
      "defaultValue": "Data",
      "allowedValues": [
      "metadata": {
        "description": "Decryption is supported only on data drives for Linux VMs."
    "sequenceVersion": {
      "type": "string",
      "defaultValue": "1.0",
      "metadata": {
        "description": "Pass in an unique value like a GUID everytime the operation needs to be force run"
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
  "variables": {
    "extensionName": "AzureDiskEncryptionForLinux",
    "extensionVersion": "0.1",
+   "encryptionOperation": "EnableEncryption",