Using unencrypted cloud storage can lead to data exposure. If adversaries gain physical access to the storage medium, they can read any information that is stored unencrypted.
There is a risk if you answered yes to any of those questions.
It’s recommended to encrypt cloud storage that contains sensitive information.
For Microsoft.AzureArcData/sqlServerInstances/databases:
Disabled encryption on SQL Server instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": false
}
}
}
]
}
// SQL Server instance database declared with encryption switched off.
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
  properties: {
    databaseOptions: {
      isEncrypted: false // insecure: database encryption is explicitly disabled
    }
  }
}
For Microsoft.Compute/disks, encryption is disabled by default.
For Microsoft.Compute/snapshots:
Disabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": false
}
}
}
]
}
// Snapshot whose encryption settings collection is present but turned off.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: false // insecure: the settings collection is disabled
    }
  }
}
For Microsoft.Compute/virtualMachines:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
]
}
// Virtual machine declared without encryption at host.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    securityProfile: {
      encryptionAtHost: false // insecure: host-level encryption is explicitly disabled
    }
  }
}
Disabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId"
}
]
}
}
}
]
}
// Virtual machine data disk declared without any encryption configuration.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          // insecure: no managedDisk.diskEncryptionSet is declared for this disk
          name: 'myDisk'
        }
      ]
    }
  }
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": false
}
}
}
}
}
]
}
// Virtual machine OS disk with its encryption settings turned off.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk'
        encryptionSettings: {
          enabled: false // insecure: OS disk encryption is explicitly disabled
        }
      }
    }
  }
}
Disabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId"
}
}
}
}
}
]
}
// Virtual machine OS managed disk referenced by ID only, with no encryption set.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk'
        managedDisk: {
          // insecure: no diskEncryptionSet is declared next to the disk ID
          id: 'myDiskId'
        }
      }
    }
  }
}
For Microsoft.Compute/virtualMachineScaleSets:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
}
]
}
// Scale set whose VM profile disables encryption at host.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        encryptionAtHost: false // insecure: host-level encryption is explicitly disabled
      }
    }
  }
}
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk"
}
]
}
}
}
}
]
}
// Scale set data disk declared without any encryption configuration.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            // insecure: no managedDisk.diskEncryptionSet is declared for this disk
            name: 'myDataDisk'
          }
        ]
      }
    }
  }
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk"
}
}
}
}
}
]
}
// Scale set OS disk declared without any encryption configuration.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          // insecure: no managedDisk.diskEncryptionSet is declared for the OS disk
          name: 'myOsDisk'
        }
      }
    }
  }
}
For Microsoft.ContainerService/managedClusters:
Disabled encryption at host and no disk encryption set ID:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": false
}
]
}
}
]
}
// Managed cluster whose agent pool disables encryption at host.
// No diskEncryptionSetID is declared on the cluster either.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
  properties: {
    agentPoolProfiles: [
      {
        enableEncryptionAtHost: false // insecure: host-level encryption is explicitly disabled
      }
    ]
  }
}
For Microsoft.DataLakeStore/accounts:
Disabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Disabled"
}
}
]
}
// Data Lake Store account with encryption switched off.
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
  properties: {
    encryptionState: 'Disabled' // insecure: account data is not encrypted
  }
}
For Microsoft.DBforMySQL/servers:
Disabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
// MySQL server without infrastructure (double) encryption.
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Disabled' // insecure: the second encryption layer is off
  }
}
For Microsoft.DBforPostgreSQL/servers:
Disabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
// PostgreSQL server without infrastructure (double) encryption.
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Disabled' // insecure: the second encryption layer is off
  }
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Disabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4
}
}
]
}
// Cassandra data center declared without customer key URIs.
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
  name: 'string'
  parent: parent
  properties: {
    // insecure: neither backupStorageCustomerKeyUri nor managedDiskCustomerKeyUri is set
    diskCapacity: 4
  }
}
For Microsoft.HDInsight/clusters:
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
// HDInsight cluster role with data disk encryption turned off.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: false // insecure: this role's data disks are not encrypted
        }
      ]
    }
  }
}
Disabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "clusters/example",
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
// HDInsight cluster application role with data disk encryption turned off.
resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: false // insecure: this role's data disks are not encrypted
        }
      ]
    }
  }
}
Disabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": false
}
}
}
]
}
// HDInsight cluster whose disk encryption properties disable encryption at host.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    diskEncryptionProperties: {
      encryptionAtHost: false // insecure: host-level encryption is explicitly disabled
    }
  }
}
For Microsoft.Kusto/clusters:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": false
}
}
]
}
// Kusto cluster with disk encryption switched off.
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
  properties: {
    enableDiskEncryption: false // insecure: cluster disks are not encrypted
  }
}
For Microsoft.RecoveryServices/vaults:
Disabled encryption on infrastructure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Disabled"
}
}
}
]
}
// Recovery Services vault without infrastructure encryption.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  properties: {
    encryption: {
      infrastructureEncryption: 'Disabled' // insecure: infrastructure encryption is off
    }
  }
}
Disabled encryption on infrastructure for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"infrastructureEncryptionState": "Disabled"
}
}
]
}
// Backup encryption config of a Recovery Services vault without infrastructure encryption.
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
  properties: {
    // Placeholder listing the allowed values; a real template picks exactly one.
    encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}'
    infrastructureEncryptionState: 'Disabled' // insecure: infrastructure encryption is off
  }
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Disabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"encryptionAtHost": "Disabled"
},
"workerProfiles": [
{
"encryptionAtHost": "Disabled"
}
]
}
}
]
}
// OpenShift cluster with encryption at host disabled on both node profiles.
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
  properties: {
    masterProfile: {
      encryptionAtHost: 'Disabled' // insecure: master nodes run without host encryption
    }
    workerProfiles: [
      {
        encryptionAtHost: 'Disabled' // insecure: worker nodes run without host encryption
      }
    ]
  }
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Disabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": false
}
}
}
]
}
// SQL virtual machine whose automated backup settings disable encryption.
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
  properties: {
    autoBackupSettings: {
      enableEncryption: false // insecure: encryption is off in the auto-backup settings
    }
  }
}
For Microsoft.Storage/storageAccounts:
Disabled enforcing of infrastructure encryption for double encryption of data:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": false
}
}
}
]
}
// Storage account that does not require infrastructure (double) encryption.
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  properties: {
    encryption: {
      requireInfrastructureEncryption: false // insecure: the second encryption layer is not enforced
    }
  }
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Disabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": false
}
}
]
}
// Encryption scope that does not require infrastructure (double) encryption.
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
  properties: {
    requireInfrastructureEncryption: false // insecure: the second encryption layer is not enforced
  }
}
For Microsoft.AzureArcData/sqlServerInstances/databases:
Enabled encryption on SQL Server instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": true
}
}
}
]
}
// SQL Server instance database declared with encryption switched on.
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
  properties: {
    databaseOptions: {
      isEncrypted: true // database encryption is enabled
    }
  }
}
For Microsoft.Compute/disks:
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "string"
}
}
}
]
}
// Managed disk with an explicit encryption block.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    encryption: {
      // Both values are 'string' placeholders for the disk encryption set ID
      // and the encryption type.
      diskEncryptionSetId: 'string'
      type: 'string'
    }
  }
}
Enabled encryption through setting encryptionSettingsCollection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
]
}
}
}
]
}
// Managed disk encrypted through an enabled encryption settings collection.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: true // the settings collection is active
      encryptionSettings: [
        {
          diskEncryptionKey: {
            // 'string' placeholders for the key's secret URL and the vault it comes from.
            secretUrl: 'string'
            sourceVault: {
              id: 'string'
            }
          }
        }
      ]
    }
  }
}
Enabled encryption through a security profile for an OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' | 'TrustedLaunch'}"
}
}
}
]
}
// OS disk encrypted through its security profile.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    securityProfile: {
      secureVMDiskEncryptionSetId: 'string' // placeholder for the disk encryption set ID
      // Placeholder listing the allowed values; a real template picks exactly one.
      securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}'
    }
  }
}
For Microsoft.Compute/snapshots:
Enabled disk encryption for snapshot:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "{'EncryptionAtRestWithCustomerKey' | 'EncryptionAtRestWithPlatformAndCustomerKeys' | 'EncryptionAtRestWithPlatformKey'}"
}
}
}
]
}
// Snapshot with an explicit encryption block.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryption: {
      diskEncryptionSetId: 'string' // placeholder for the disk encryption set ID
      // Placeholder listing the allowed values; a real template picks exactly one.
      type: '{EncryptionAtRestWithCustomerKey | EncryptionAtRestWithPlatformAndCustomerKeys | EncryptionAtRestWithPlatformKey}'
    }
  }
}
Enabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "",
"sourceVault": {
"id": "string"
}
}
}
],
"encryptionSettingsVersion": "{'1.0' | '1.1'}"
}
}
}
]
}
// Snapshot encrypted through an enabled encryption settings collection.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: true // the settings collection is active
      encryptionSettings: [
        {
          diskEncryptionKey: {
            // NOTE(review): left empty in this example; a deployable template needs
            // the URL of the Key Vault secret that holds the disk encryption key.
            secretUrl: ''
            sourceVault: {
              id: 'string' // placeholder for the source vault's resource ID
            }
          }
        }
      ]
      // Placeholder listing the allowed values; a real template picks exactly one.
      encryptionSettingsVersion: '{1.0 | 1.1}'
    }
  }
}
Enabled disk encryption through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' |'TrustedLaunch'}"
}
}
}
]
}
// Snapshot encrypted through its security profile.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    securityProfile: {
      secureVMDiskEncryptionSetId: 'string' // placeholder for the disk encryption set ID
      // Placeholder listing the allowed values; a real template picks exactly one.
      securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}'
    }
  }
}
For Microsoft.Compute/virtualMachines:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
]
}
// Virtual machine declared with encryption at host.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    securityProfile: {
      encryptionAtHost: true // host-level encryption is enabled
    }
  }
}
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
]
}
// Virtual machine data disk bound to a disk encryption set.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          name: 'myDisk'
          managedDisk: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set's resource ID
            }
          }
        }
      ]
    }
  }
}
Enabled encryption for managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
]
}
// Virtual machine data disk bound to a disk encryption set through the
// managed disk's security profile.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          name: 'myDisk'
          managedDisk: {
            securityProfile: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set's resource ID
              }
            }
          }
        }
      ]
    }
  }
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": true,
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Virtual machine OS disk with encryption settings enabled and a key reference.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk'
        encryptionSettings: {
          enabled: true // OS disk encryption is enabled
          diskEncryptionKey: {
            // 'string' placeholders for the key's secret URL and the vault it comes from.
            secretUrl: 'string'
            sourceVault: {
              id: 'string'
            }
          }
        }
      }
    }
  }
}
Enabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId",
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
]
}
// Virtual machine OS managed disk bound to a disk encryption set.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk'
        managedDisk: {
          id: 'myDiskId'
          diskEncryptionSet: {
            id: 'string' // placeholder for the disk encryption set's resource ID
          }
        }
      }
    }
  }
}
Enabled encryption for OS managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Virtual machine OS managed disk bound to a disk encryption set through the
// managed disk's security profile.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk'
        managedDisk: {
          id: 'myDiskId'
          securityProfile: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set's resource ID
            }
          }
        }
      }
    }
  }
}
For Microsoft.Compute/virtualMachineScaleSets:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
}
]
}
// Scale set whose VM profile enables encryption at host.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        encryptionAtHost: true // host-level encryption is enabled
      }
    }
  }
}
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
}
]
}
// Scale set data disk bound to a disk encryption set.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            name: 'myDataDisk'
            managedDisk: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set's resource ID
              }
            }
          }
        ]
      }
    }
  }
}
Enabled encryption for data disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
}
]
}
// Scale set data disk bound to a disk encryption set through the managed
// disk's security profile.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            name: 'myDataDisk'
            managedDisk: {
              securityProfile: {
                diskEncryptionSet: {
                  id: 'string' // placeholder for the disk encryption set's resource ID
                }
              }
            }
          }
        ]
      }
    }
  }
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Scale set OS disk bound to a disk encryption set.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          name: 'myOsDisk'
          managedDisk: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set's resource ID
            }
          }
        }
      }
    }
  }
}
Enabled encryption for OS disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
}
]
}
// Scale set OS disk bound to a disk encryption set through the managed
// disk's security profile.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          name: 'myOsDisk'
          managedDisk: {
            securityProfile: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set's resource ID
              }
            }
          }
        }
      }
    }
  }
}
For Microsoft.ContainerService/managedClusters:
Enabled encryption at host and set the disk encryption set ID:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": true
}
],
"diskEncryptionSetID": "string"
}
}
]
}
// Managed cluster with encryption at host on the agent pool and a
// disk encryption set declared on the cluster.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
  properties: {
    agentPoolProfiles: [
      {
        enableEncryptionAtHost: true // host-level encryption is enabled
      }
    ]
    diskEncryptionSetID: 'string' // placeholder for the disk encryption set's resource ID
  }
}
For Microsoft.DataLakeStore/accounts:
Enabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Enabled"
}
}
]
}
// Data Lake Store account with encryption switched on.
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
  properties: {
    encryptionState: 'Enabled' // account encryption is enabled
  }
}
For Microsoft.DBforMySQL/servers:
Enabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
// MySQL server with infrastructure (double) encryption.
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Enabled' // the second encryption layer is on
  }
}
For Microsoft.DBforPostgreSQL/servers:
Enabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
// PostgreSQL server with infrastructure (double) encryption.
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Enabled' // the second encryption layer is on
  }
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Enabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4,
"backupStorageCustomerKeyUri": "string",
"managedDiskCustomerKeyUri": "string"
}
}
]
}
// Cassandra data center with customer key URIs for backup storage and managed disks.
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
  name: 'string'
  parent: parent
  properties: {
    diskCapacity: 4
    // 'string' placeholders for the two customer key URIs.
    backupStorageCustomerKeyUri: 'string'
    managedDiskCustomerKeyUri: 'string'
  }
}
For Microsoft.HDInsight/clusters:
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
// HDInsight cluster role with data disk encryption turned on.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: true // this role's data disks are encrypted
        }
      ]
    }
  }
}
Enabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "clusters/example",
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
// HDInsight cluster application role with data disk encryption turned on.
resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: true // this role's data disks are encrypted
        }
      ]
    }
  }
}
Enabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": true
}
}
}
]
}
// HDInsight cluster whose disk encryption properties enable encryption at host.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    diskEncryptionProperties: {
      encryptionAtHost: true // host-level encryption is enabled
    }
  }
}
For Microsoft.Kusto/clusters:
Enabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": true
}
}
]
}
// Kusto cluster with disk encryption switched on.
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
  properties: {
    enableDiskEncryption: true // cluster disks are encrypted
  }
}
For Microsoft.RecoveryServices/vaults:
Enabled encryption on infrastructure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Enabled"
}
}
}
]
}
// Recovery Services vault with infrastructure encryption.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  properties: {
    encryption: {
      infrastructureEncryption: 'Enabled' // infrastructure encryption is on
    }
  }
}
Enabled encryption on infrastructure for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"encryptionAtRestType": "{'CustomerManaged' | 'MicrosoftManaged'}",
"infrastructureEncryptionState": "Enabled"
}
}
]
}
// Backup encryption config of a Recovery Services vault with infrastructure encryption.
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
  properties: {
    // Placeholder listing the allowed values; a real template picks exactly one.
    encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}'
    infrastructureEncryptionState: 'Enabled' // infrastructure encryption is on
  }
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Enabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
},
"workerProfiles": [
{
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
}
]
}
}
]
}
// OpenShift cluster with encryption at host and a disk encryption set on both node profiles.
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
  properties: {
    masterProfile: {
      diskEncryptionSetId: 'string' // placeholder for the disk encryption set ID
      encryptionAtHost: 'Enabled' // master nodes use host encryption
    }
    workerProfiles: [
      {
        diskEncryptionSetId: 'string' // placeholder for the disk encryption set ID
        encryptionAtHost: 'Enabled' // worker nodes use host encryption
      }
    ]
  }
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Enabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": true,
"password": "string"
}
}
}
]
}
// SQL virtual machine whose automated backup settings enable encryption.
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
  properties: {
    autoBackupSettings: {
      enableEncryption: true // encryption is on in the auto-backup settings
      // 'string' is a placeholder. Supply the real value through a @secure()
      // parameter (for example one fed from Key Vault) so the password is never
      // written into the template or committed to source control.
      password: 'string'
    }
  }
}
For Microsoft.Storage/storageAccounts:
Enabled enforcing of infrastructure encryption for double encryption of data:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": true
}
}
}
]
}
// Storage account that requires infrastructure (double) encryption.
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  properties: {
    encryption: {
      requireInfrastructureEncryption: true // the second encryption layer is enforced
    }
  }
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Enabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": true
}
}
]
}
// Encryption scope that requires infrastructure (double) encryption.
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
  properties: {
    requireInfrastructureEncryption: true // the second encryption layer is enforced
  }
}