Apply disk encryption in Azure Security Center
Azure Security Center recommends that you apply disk encryption if you have Windows or Linux VM disks that are not encrypted using Azure Disk Encryption. Disk Encryption lets you encrypt your Windows and Linux IaaS VM disks. Encryption is recommended for both the OS and data volumes on your VM.
Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux. These features provide OS and data encryption to help protect and safeguard your data and meet your organizational security and compliance commitments. Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data in the VM disks are encrypted at rest in your Azure Storage.
Azure Disk Encryption is supported on the following Windows server operating systems: Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Disk encryption is supported on the following Linux server operating systems: Ubuntu, CentOS, SUSE, and SUSE Linux Enterprise Server (SLES).
Implement the recommendation
- In the Recommendations blade, select Apply disk encryption.
- In the Apply disk encryption blade, you see a list of VMs for which Disk Encryption is recommended.
- Follow the instructions to apply encryption to these VMs.
To encrypt Azure Virtual Machines that have been identified by Security Center as needing encryption, we recommend the following steps:
- Install and configure Azure PowerShell. This enables you to run the PowerShell commands that set up the prerequisites for encrypting Azure Virtual Machines.
- Obtain and run the Azure Disk Encryption Prerequisites Azure PowerShell script.
- Encrypt your virtual machines.
"Encrypt a Windows IaaS VM with Azure PowerShell" walks you through these steps. This topic assumes you are using a Windows client machine from which you configure disk encryption.
There are many approaches that can be used to encrypt Azure Virtual Machines. If you are already well-versed in Azure PowerShell or Azure CLI, then you may prefer to use alternate approaches. To learn about these other approaches, see Azure disk encryption.
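As an added example (not part of the original article or of the prerequisites script it refers to), the following PowerShell sketch audits which VMs still report unencrypted volumes and then enables Disk Encryption on them. It assumes the current Az PowerShell module, a signed-in session, and a Key Vault that already exists; the vault name and resource group are hypothetical placeholders.

```powershell
# Added example. Assumes the Az PowerShell module and a signed-in session (Connect-AzAccount).
# The two placeholder values are hypothetical; substitute your own Key Vault.
$KeyVaultName = '<key-vault-name>'
$KeyVaultRg   = '<key-vault-resource-group>'

# Disk Encryption stores its keys and secrets in Key Vault, so the vault must
# allow that use before any VM is touched.
$vault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultRg
if (-not $vault) { throw "Key Vault '$KeyVaultName' not found." }
if (-not $vault.EnabledForDiskEncryption) {
    throw "Key Vault '$KeyVaultName' is not enabled for disk encryption."
}
# Normalize region names so 'East US' and 'eastus' compare as equal.
$vaultRegion = ($vault.Location -replace '\s', '').ToLower()

# Audit: collect the encryption status of the OS and data volumes of every VM.
$report = foreach ($vm in Get-AzVM) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    [pscustomobject]@{
        ResourceGroup = $vm.ResourceGroupName
        VM            = $vm.Name
        Region        = ($vm.Location -replace '\s', '').ToLower()
        OsVolume      = "$($status.OsVolumeEncrypted)"
        DataVolumes   = "$($status.DataVolumesEncrypted)"
    }
}
$report | Format-Table -AutoSize

# Remediate: only VMs that report an unencrypted volume.
$pending = $report | Where-Object { $_.OsVolume -eq 'NotEncrypted' -or $_.DataVolumes -eq 'NotEncrypted' }
foreach ($item in $pending) {
    # The Key Vault and the VM must be in the same region.
    if ($item.Region -ne $vaultRegion) {
        Write-Warning "$($item.VM): region '$($item.Region)' differs from the vault's; skipped."
        continue
    }
    # -WhatIf keeps this a dry run; remove it to apply. -VolumeType accepts OS, Data or All.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $item.ResourceGroup -VMName $item.VM `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -VolumeType All -WhatIf
}
```

Re-run the audit portion after the extension finishes to confirm that the volumes now report as encrypted.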
This document showed you how to implement the Security Center recommendation "Apply disk encryption." To learn more about disk encryption, see the following:
- Encryption and key management with Azure Key Vault (video, 36 min 39 sec) -- Learn how to use disk encryption management for IaaS VMs and Azure Key Vault to help protect and safeguard your data.
- Azure disk encryption (document) -- Learn how to enable disk encryption for Windows and Linux VMs.
To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies.
- Security health monitoring in Azure Security Center -- Learn how to monitor the health of your Azure resources.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Managing security recommendations in Azure Security Center -- Learn how recommendations help you protect your Azure resources.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.
- Azure Security blog -- Find blog posts about Azure security and compliance.