Cloud storage resources that have encryption disabled or omit encryption configuration expose data to unauthorized access.
Cloud storage resources that leave encryption disabled or omit encryption configuration store data in plain text on the underlying physical medium. If an attacker gains access to the storage infrastructure — through a misconfigured access policy, a compromised service account, or physical access to the hardware — they can read all stored data without any additional decryption step. Many Azure services disable encryption features by default, meaning the absence of an encryption setting is itself a misconfiguration.
An attacker who gains limited cloud permissions may not be able to log into a server directly, but may still have permission to create or share disk snapshots. Without encryption, they can share a snapshot with an external account, attach it to a virtual machine they control, and read all stored data without any additional decryption step. Encryption at rest is the only control that makes a stolen snapshot useless to an attacker who does not also hold the encryption key.
Unencrypted storage exposes any data at rest — database records, backup files, virtual machine disks, and archive data — to unauthorized parties who gain access to the underlying storage medium or the cloud resource. Depending on what is stored, this can include personal information, credentials, intellectual property, or regulated data subject to compliance requirements such as PCI DSS. Modern ransomware attacks commonly exfiltrate data before triggering encryption: if the storage is unencrypted at the disk level, an attacker can immediately read and weaponize what they steal.
Many regulatory frameworks consider encrypted data that is lost or stolen to be a non-reportable incident, while the loss of unencrypted data triggers mandatory breach notification obligations, fines, and remediation costs. Leaving storage unencrypted removes this safe harbor, converting a technical incident into a legal and financial liability.
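The following examples show cloud storage resources with encryption explicitly disabled or not configured. For each case, the noncompliant ARM template (JSON) and its Bicep equivalent come first, followed by the compliant JSON and Bicep versions. Enable encryption by setting the relevant property to its enabled value or by providing an encryption key reference.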
For Microsoft.Compute/snapshots:
Disabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": false
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
properties: {
encryptionSettingsCollection: {
enabled: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "",
"sourceVault": {
"id": "string"
}
}
}
],
"encryptionSettingsVersion": "{'1.0' | '1.1'}"
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
properties: {
encryptionSettingsCollection: {
enabled: true
encryptionSettings: [
{
diskEncryptionKey: {
secretUrl: ''
sourceVault: {
id: 'string'
}
}
}
]
encryptionSettingsVersion: '{1.0 | 1.1}'
}
}
}
For Microsoft.Compute/virtualMachines:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
securityProfile: {
encryptionAtHost: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
securityProfile: {
encryptionAtHost: true
}
}
}
Disabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId"
}
]
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
dataDisks: [
{
name: 'myDisk'
}
]
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
dataDisks: [
{
name: 'myDisk'
managedDisk: {
diskEncryptionSet: {
id: 'string'
}
}
}
]
}
}
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": false
}
}
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
osDisk: {
name: 'myDisk'
encryptionSettings: {
enabled: false
}
}
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": true,
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
}
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
osDisk: {
name: 'myDisk'
encryptionSettings: {
enabled: true
diskEncryptionKey: {
secretUrl: 'string'
sourceVault: {
id: 'string'
}
}
}
}
}
}
}
Disabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId"
}
}
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
osDisk: {
name: 'myDisk'
managedDisk: {
id: 'myDiskId'
}
}
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId",
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
]
}
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
properties: {
storageProfile: {
osDisk: {
name: 'myDisk'
managedDisk: {
id: 'myDiskId'
diskEncryptionSet: {
id: 'string'
}
}
}
}
}
}
For Microsoft.Compute/virtualMachineScaleSets:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
securityProfile: {
encryptionAtHost: false
}
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
securityProfile: {
encryptionAtHost: true
}
}
}
}
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk"
}
]
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
storageProfile: {
dataDisks: [
{
name: 'myDataDisk'
}
]
}
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
storageProfile: {
dataDisks: [
{
name: 'myDataDisk'
managedDisk: {
diskEncryptionSet: {
id: 'string'
}
}
}
]
}
}
}
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk"
}
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
storageProfile: {
osDisk: {
name: 'myOsDisk'
}
}
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
properties: {
virtualMachineProfile: {
storageProfile: {
osDisk: {
name: 'myOsDisk'
managedDisk: {
diskEncryptionSet: {
id: 'string'
}
}
}
}
}
}
}
For Microsoft.ContainerService/managedClusters:
Disabled encryption at host and no disk encryption set ID configured:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": false
}
]
}
}
]
}
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
properties: {
agentPoolProfiles: [
{
enableEncryptionAtHost: false
}
]
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": true
}
],
"diskEncryptionSetID": "string"
}
}
]
}
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
properties: {
agentPoolProfiles: [
{
enableEncryptionAtHost: true
}
]
diskEncryptionSetID: 'string'
}
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Disabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"encryptionAtHost": "Disabled"
},
"workerProfiles": [
{
"encryptionAtHost": "Disabled"
}
]
}
}
]
}
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
properties: {
masterProfile: {
encryptionAtHost: 'Disabled'
}
workerProfiles: [
{
encryptionAtHost: 'Disabled'
}
]
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
},
"workerProfiles": [
{
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
}
]
}
}
]
}
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
properties: {
masterProfile: {
diskEncryptionSetId: 'string'
encryptionAtHost: 'Enabled'
}
workerProfiles: [
{
diskEncryptionSetId: 'string'
encryptionAtHost: 'Enabled'
}
]
}
}
For Microsoft.DBforMySQL/servers:
Disabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
properties: {
infrastructureEncryption: 'Disabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
properties: {
infrastructureEncryption: 'Enabled'
}
}
For Microsoft.DBforPostgreSQL/servers:
Disabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
properties: {
infrastructureEncryption: 'Disabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
properties: {
infrastructureEncryption: 'Enabled'
}
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Disabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4
}
}
]
}
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
name: 'string'
parent: parent
properties: {
diskCapacity: 4
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4,
"backupStorageCustomerKeyUri": "string",
"managedDiskCustomerKeyUri": "string"
}
}
]
}
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
name: 'string'
parent: parent
properties: {
diskCapacity: 4
backupStorageCustomerKeyUri: 'string'
managedDiskCustomerKeyUri: 'string'
}
}
For Microsoft.AzureArcData/sqlServerInstances/databases:
Disabled encryption on SQL Server instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": false
}
}
}
]
}
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
properties: {
databaseOptions: {
isEncrypted: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": true
}
}
}
]
}
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
properties: {
databaseOptions: {
isEncrypted: true
}
}
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Disabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": false
}
}
}
]
}
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
properties: {
autoBackupSettings: {
enableEncryption: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": true,
"password": "string"
}
}
}
]
}
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
properties: {
autoBackupSettings: {
enableEncryption: true
password: 'string'
}
}
}
For Microsoft.DataLakeStore/accounts:
Disabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Disabled"
}
}
]
}
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
properties: {
encryptionState: 'Disabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Enabled"
}
}
]
}
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
properties: {
encryptionState: 'Enabled'
}
}
For Microsoft.HDInsight/clusters:
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
properties: {
computeProfile: {
roles: [
{
encryptDataDisks: false
}
]
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
properties: {
computeProfile: {
roles: [
{
encryptDataDisks: true
}
]
}
}
}
Disabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": false
}
}
}
]
}
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
properties: {
diskEncryptionProperties: {
encryptionAtHost: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": true
}
}
}
]
}
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
properties: {
diskEncryptionProperties: {
encryptionAtHost: true
}
}
}
For Microsoft.Kusto/clusters:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": false
}
}
]
}
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
properties: {
enableDiskEncryption: false
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": true
}
}
]
}
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
properties: {
enableDiskEncryption: true
}
}
For Microsoft.RecoveryServices/vaults:
Disabled encryption on infrastructure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Disabled"
}
}
}
]
}
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
properties: {
encryption: {
infrastructureEncryption: 'Disabled'
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Enabled"
}
}
}
]
}
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
properties: {
encryption: {
infrastructureEncryption: 'Enabled'
}
}
}
Disabled encryption on infrastructure for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"encryptionAtRestType": "{'CustomerManaged' | 'MicrosoftManaged'}",
"infrastructureEncryptionState": "Disabled"
}
}
]
}
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
properties: {
encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}'
infrastructureEncryptionState: 'Disabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"encryptionAtRestType": "{'CustomerManaged' | 'MicrosoftManaged'}",
"infrastructureEncryptionState": "Enabled"
}
}
]
}
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
properties: {
encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}'
infrastructureEncryptionState: 'Enabled'
}
}
For Microsoft.Storage/storageAccounts:
Disabled enforcing of infrastructure encryption for double encryption of data:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": false
}
}
}
]
}
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
properties: {
encryption: {
requireInfrastructureEncryption: false
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": true
}
}
}
]
}
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
properties: {
encryption: {
requireInfrastructureEncryption: true
}
}
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Disabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": false
}
}
]
}
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
properties: {
requireInfrastructureEncryption: false
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": true
}
}
]
}
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
properties: {
requireInfrastructureEncryption: true
}
}
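The checks illustrated above can be run over an ARM template before deployment. The following linter is an added example, not part of the original page or of any analyzer it describes; `RULES`, `walk` and `scan` are illustrative names, the rule table covers only a subset of the resource types listed, and the sample template is constructed. It assumes that an on/off property is reported only when explicitly set to a non-enabled value, while a key reference is reported when it is absent or empty.

```python
import json

MISSING = object()   # sentinel: the property is absent from the template
REQUIRED = object()  # rule kind: a key reference must be present and non-empty

# (resource type, dotted path below "properties", enabled value or REQUIRED).
# "[]" marks a list whose items are each checked. Subset of the page's cases.
RULES = [
    ("Microsoft.Compute/snapshots", "encryptionSettingsCollection.enabled", True),
    ("Microsoft.Compute/virtualMachines", "securityProfile.encryptionAtHost", True),
    ("Microsoft.Compute/virtualMachines",
     "storageProfile.osDisk.encryptionSettings.enabled", True),
    ("Microsoft.Compute/virtualMachines",
     "storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id", REQUIRED),
    ("Microsoft.DBforMySQL/servers", "infrastructureEncryption", "Enabled"),
    ("Microsoft.DocumentDB/cassandraClusters/dataCenters",
     "managedDiskCustomerKeyUri", REQUIRED),
    ("Microsoft.DocumentDB/cassandraClusters/dataCenters",
     "backupStorageCustomerKeyUri", REQUIRED),
    ("Microsoft.Storage/storageAccounts",
     "encryption.requireInfrastructureEncryption", True),
]

def is_expression(value):
    """ARM template expressions ("[...]") cannot be resolved statically."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def walk(node, segments, trail=""):
    """Yield (path, value) for each place the path leads; MISSING if absent."""
    if not segments:
        yield trail, node
        return
    seg, rest = segments[0], segments[1:]
    key = seg[:-2] if seg.endswith("[]") else seg
    child = node.get(key, MISSING) if isinstance(node, dict) else MISSING
    here = f"{trail}.{key}" if trail else key
    if seg.endswith("[]"):
        # No list (or an empty one) means there is no disk or pool to check.
        for i, item in enumerate(child if isinstance(child, list) else []):
            yield from walk(item, rest, f"{here}[{i}]")
    elif child is MISSING:
        yield ".".join([here, *rest]), MISSING
    else:
        yield from walk(child, rest, here)

def scan(template):
    """Return (resource name, property path, reason) for each finding."""
    findings = []
    for res in template.get("resources", []):
        rtype = str(res.get("type", "")).lower()  # type names are case-insensitive
        for rule_type, path, check in RULES:
            if rule_type.lower() != rtype:
                continue
            for where, value in walk(res.get("properties", {}), path.split(".")):
                if is_expression(value):
                    continue  # parameter/variable reference: not decidable here
                if check is REQUIRED:
                    if value is MISSING or value == "":
                        findings.append((res.get("name"), where, "no key reference"))
                elif value is not MISSING and value != check:
                    findings.append((res.get("name"), where, f"set to {value!r}"))
    return findings

# Constructed sample template combining patterns from the examples above.
SAMPLE = json.loads("""
{"resources": [
  {"name": "snap1", "type": "Microsoft.Compute/snapshots",
   "properties": {"encryptionSettingsCollection": {"enabled": false}}},
  {"name": "vm1", "type": "Microsoft.Compute/virtualMachines",
   "properties": {"securityProfile": {"encryptionAtHost": true},
     "storageProfile": {"dataDisks": [
       {"name": "d0", "managedDisk": {"diskEncryptionSet": {"id": "des-placeholder"}}},
       {"name": "d1"}]}}},
  {"name": "dc1", "type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
   "properties": {"diskCapacity": 4, "managedDiskCustomerKeyUri": "key-placeholder"}},
  {"name": "mysql1", "type": "microsoft.dbformysql/servers",
   "properties": {"infrastructureEncryption": "[parameters('infraEnc')]"}}
]}
""")

if __name__ == "__main__":
    for name, path, reason in scan(SAMPLE):
        print(f"{name}: properties.{path}: {reason}")
```

Values given as template expressions are skipped rather than guessed, so parameter defaults and parameter files need their own review.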