OS and data disks should be encrypted with customer-managed key (CMK)
HIGH
Ensures VM OS and data disks use customer-managed keys (CMK) for encryption instead of platform-managed keys.
What does this mean?
By default, Azure encrypts managed disks at rest with platform-managed keys. This recommendation requires server-side encryption with a customer-managed key (CMK): a key held in Azure Key Vault (or Azure Key Vault Managed HSM) and referenced by a disk encryption set that the VM's OS and data disks are bound to. Because the key lives in your vault, you control its lifecycle, rotation, and access policy, and you can revoke the disks' access to it.
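As an added example (not part of this recommendation page or of any scanner's own code), the detection logic behind this check in Python, run over a constructed sample of managed-disk objects shaped like `az disk list -o json` output. The field names (`osType`, `managedBy`, `encryption.type`, `encryption.diskEncryptionSetId`) and the three `encryption.type` values are Azure's; the sample resources, the `attached_only` filter, and the assumption that a disk with no `encryption` block is reported as platform-key only are mine.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Valid values of properties.encryption.type on an Azure managed disk.
PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"
CUSTOMER_KEY = "EncryptionAtRestWithCustomerKey"
DOUBLE_ENCRYPTION = "EncryptionAtRestWithPlatformAndCustomerKeys"
CMK_TYPES = {CUSTOMER_KEY, DOUBLE_ENCRYPTION}  # both satisfy the recommendation


@dataclass(frozen=True)
class Finding:
    disk: str
    role: str                   # "OS" or "Data"
    attached_to: Optional[str]  # VM name from managedBy, or None if unattached
    status: str                 # "PASS" or "FAIL"
    detail: str


def disk_role(disk: dict) -> str:
    # osType is populated only on OS disks; data disks carry null.
    return "OS" if disk.get("osType") else "Data"


def short_name(resource_id: Optional[str]) -> Optional[str]:
    # Last segment of an ARM resource ID (e.g. the VM or disk encryption set name).
    return resource_id.rsplit("/", 1)[-1] if resource_id else None


def evaluate_disk(disk: dict) -> Finding:
    """Apply the recommendation to one disk object."""
    enc = disk.get("encryption") or {}
    # Assumption (mine): a disk with no encryption block is treated as platform-key only.
    enc_type = enc.get("type") or PLATFORM_KEY
    des = enc.get("diskEncryptionSetId")
    name, role, vm = disk["name"], disk_role(disk), short_name(disk.get("managedBy"))
    if enc_type not in CMK_TYPES:
        return Finding(name, role, vm, "FAIL", f"{enc_type}: platform-managed key only")
    if not des:
        # Defensive: a CMK type with no disk encryption set is inconsistent; do not trust it.
        return Finding(name, role, vm, "FAIL", f"{enc_type} reported without a diskEncryptionSetId")
    return Finding(name, role, vm, "PASS", f"{enc_type} via {short_name(des)}")


def evaluate_disks(disks: list, attached_only: bool = True) -> list:
    """Evaluate every disk; by default only disks attached to a VM (managedBy set)."""
    selected = [d for d in disks if d.get("managedBy")] if attached_only else disks
    return [evaluate_disk(d) for d in selected]


def failing_disks(disks: list, attached_only: bool = True) -> list:
    """Names of disks that violate the recommendation."""
    return [f.disk for f in evaluate_disks(disks, attached_only) if f.status == "FAIL"]


def load_disks(json_text: str) -> list:
    """Parse `az disk list -o json` output into disk objects."""
    return json.loads(json_text)


def report(findings: list) -> str:
    return "\n".join(
        f"{f.status} {f.role:<4} {f.disk} (vm={f.attached_to}) {f.detail}" for f in findings
    )


# Constructed sample (not real resources) in the shape of `az disk list` output,
# reduced to the fields the check reads.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Compute"
SAMPLE_DISKS = [
    {"name": "vm-web-01_OsDisk", "osType": "Linux", "managedBy": f"{SUB}/virtualMachines/vm-web-01",
     "encryption": {"type": PLATFORM_KEY}},
    {"name": "vm-web-01_data0", "osType": None, "managedBy": f"{SUB}/virtualMachines/vm-web-01",
     "encryption": {"type": CUSTOMER_KEY, "diskEncryptionSetId": f"{SUB}/diskEncryptionSets/des-app"}},
    {"name": "vm-db-01_OsDisk", "osType": "Windows", "managedBy": f"{SUB}/virtualMachines/vm-db-01",
     "encryption": {"type": DOUBLE_ENCRYPTION, "diskEncryptionSetId": f"{SUB}/diskEncryptionSets/des-app"}},
    {"name": "orphan_data", "osType": None, "managedBy": None,
     "encryption": {"type": PLATFORM_KEY}},
]

if __name__ == "__main__":
    print(report(evaluate_disks(SAMPLE_DISKS)))
```

On real output, `load_disks(open("disks.json").read())` replaces `SAMPLE_DISKS`. Pass `attached_only=False` to also catch unattached disks that may later be attached to a VM. A failing disk is moved to CMK by binding it to a disk encryption set (`az disk update --disk-encryption-set <des-id> --encryption-type EncryptionAtRestWithCustomerKey`), which for a disk attached to a VM requires the VM to be deallocated first.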
Benefits of implementation
- Full control over the encryption key lifecycle and rotation, including the ability to revoke access
- Helps meet regulatory requirements that mandate customer-controlled encryption keys
- Enables integration with your own key management processes and audit logging
Drawbacks and considerations
- Requires Azure Key Vault setup and maintenance (soft delete and purge protection must be enabled for a disk encryption set to use the key)
- Key availability directly impacts disk accessibility: if the key is disabled, deleted, or expired, or the disk encryption set loses access to the vault, the disks become unreadable and their VMs cannot start
- Additional operational complexity for key rotation and backup
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Data Encryption
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12