VMs and VMSS should have encryption at host enabled
HIGH
Ensures that VM and VMSS temp disks and caches are encrypted at the host level before data reaches Azure Storage.
What does this mean?
Encryption at host ensures that data stored on the VM host (including temp disks and disk caches) is encrypted at rest. This provides an additional layer of encryption beyond Azure Storage encryption.
Benefits of implementation
- Encrypts temp disks and caches that are not covered by standard disk encryption
- Data is encrypted before it leaves the compute host
- Required by various compliance frameworks
Drawbacks and considerations
- Not supported on all VM sizes
- In some cases it cannot be enabled on an existing VM without redeploying it
- Slight performance overhead for encryption/decryption
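As an added check that is not part of this recommendation page, the Python below scans VM and VMSS resource JSON of the shape `az vm list` and `az vmss list` return and reports every resource whose `securityProfile.encryptionAtHost` is not explicitly true (a missing profile counts as not enabled). The sample records and the `<SUB>` subscription id are constructed.

```python
import json

# Constructed sample shaped like the JSON that `az vm list` / `az vmss list`
# return; only the fields the check reads are reproduced, and the
# subscription id is a placeholder.
SAMPLE_VMS = json.loads("""[
  {"name": "web01", "id": "/subscriptions/<SUB>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01",
   "securityProfile": {"encryptionAtHost": true}},
  {"name": "db01", "id": "/subscriptions/<SUB>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01",
   "securityProfile": {"encryptionAtHost": false}},
  {"name": "legacy01", "id": "/subscriptions/<SUB>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/legacy01",
   "securityProfile": null}
]""")
SAMPLE_VMSS = json.loads("""[
  {"name": "workers", "id": "/subscriptions/<SUB>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachineScaleSets/workers",
   "virtualMachineProfile": {"securityProfile": {"encryptionAtHost": true}}},
  {"name": "batch", "id": "/subscriptions/<SUB>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachineScaleSets/batch",
   "virtualMachineProfile": {}}
]""")


def encryption_at_host_enabled(resource: dict) -> bool:
    """True only when securityProfile.encryptionAtHost is explicitly true.

    VMs carry securityProfile at the top level; scale sets nest it under
    virtualMachineProfile. A missing profile or a null value means the
    feature was never enabled, so both count as "not enabled".
    """
    profile = resource.get("securityProfile")
    if profile is None:
        profile = (resource.get("virtualMachineProfile") or {}).get("securityProfile")
    return (profile or {}).get("encryptionAtHost") is True


def find_noncompliant(vms: list, scale_sets: list) -> list:
    """Return the resource ids of VMs and VMSS without encryption at host."""
    return [r["id"] for r in list(vms) + list(scale_sets)
            if not encryption_at_host_enabled(r)]


if __name__ == "__main__":
    for rid in find_noncompliant(SAMPLE_VMS, SAMPLE_VMSS):
        print("encryption at host NOT enabled:", rid)
```

Remediation is per resource: `az vm update --set securityProfile.encryptionAtHost=true` on a deallocated VM (for a scale set, `az vmss update --set virtualMachineProfile.securityProfile.encryptionAtHost=true`), and only on VM sizes that support the feature.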
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Data Encryption
- Azure Resource
- Frameworks: 3 frameworks
- Last updated: 2026-02-12