Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
Why This Matters
Encrypting OS and data disks with Customer Managed Keys (CMK) gives you control over encryption keys rather than relying on Azure's default Platform Managed Keys (PMK). Without CMK, your data remains vulnerable if Microsoft's keys are compromised, and you cannot rotate or disable keys independently. For high-risk data, CMK provides an essential additional security layer to prevent unauthorized data recovery from detached disks.
What Aether365 Checks
Aether365 verifies that all OS and data disks attached to virtual machines within your Azure subscription are encrypted using Customer Managed Keys (CMK). This check appears in the Aether365 dashboard under the azure-azure-virtual-machines section.
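One way to reproduce this kind of check yourself, as an added example (not Aether365's own code): the script below audits disk records in the shape returned by `az disk list -o json` and reports VM-attached disks whose encryption type does not use a customer key. The sample records, resource names, and the choice to count double encryption as compliant are assumptions of this example.

```python
import json

# Azure encryption types that use a customer managed key. Counting double
# encryption (platform + customer key) as compliant is an assumption here.
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}

# Constructed sample records (trimmed to the fields the audit reads).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/"
DES = RG + "/providers/Microsoft.Compute/diskEncryptionSets/des-demo"
PMK, CMK = "EncryptionAtRestWithPlatformKey", "EncryptionAtRestWithCustomerKey"
SAMPLE_DISKS = [
    {"name": "web01-os", "osType": "Linux", "managedBy": VM + "web01",
     "encryption": {"type": PMK}},
    {"name": "web01-data", "osType": None, "managedBy": VM + "web01",
     "encryption": {"type": CMK, "diskEncryptionSetId": DES}},
    {"name": "db01-data", "osType": None, "managedBy": VM + "db01",
     "encryption": {"type": PMK}},
    {"name": "orphan-data", "osType": None, "managedBy": None,
     "encryption": {"type": PMK}},
]


def audit_disks(disks):
    """Return one finding per VM-attached disk that is not CMK-encrypted."""
    findings = []
    for disk in disks:
        vm_id = disk.get("managedBy")
        if not vm_id:
            continue  # not attached to a VM: outside the scope of this check
        enc = disk.get("encryption") or {}
        enc_type = enc.get("type", "unknown")
        # A CMK type with no disk encryption set reference is inconsistent,
        # so it is reported rather than trusted.
        if enc_type in CMK_TYPES and enc.get("diskEncryptionSetId"):
            continue
        findings.append({
            "disk": disk["name"],
            "role": "OS" if disk.get("osType") else "data",
            "vm": vm_id.rsplit("/", 1)[-1],  # attached: detach before changing
            "encryption": enc_type,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_disks(SAMPLE_DISKS), indent=2))
```

To run it against a real subscription, replace `SAMPLE_DISKS` with the parsed output of `az disk list -o json`.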
How to Fix
Important note: Disks must be detached from their VMs before you can change encryption settings.