Document Details
Encryption At Rest With Cmk
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
powershell_heavy
windows_tools
windows_first
Summary
The documentation demonstrates a moderate Windows bias. PowerShell is consistently presented as a primary automation/scripting option alongside the Azure CLI and portal, with detailed PowerShell examples and outputs. There is a strong emphasis on PowerShell cmdlets, which are traditionally associated with Windows environments, and no mention of Linux-native scripting tools (e.g., Bash, shell scripts) or Linux-specific considerations. Additionally, the documentation references BitLocker for Windows before DM-Crypt for Linux in the context of Azure Disk Encryption, subtly prioritizing Windows technologies.
Recommendations
- Include Bash/shell script examples for key operations, especially for Linux users who may prefer scripting outside of Azure CLI.
- When mentioning encryption technologies, present Linux (DM-Crypt) and Windows (BitLocker) options in parallel, or alternate their order to avoid implicit prioritization.
- Where possible, clarify that PowerShell is cross-platform, or provide explicit guidance for Linux users on installing and using PowerShell if it is required.
- Add notes or links to Linux-specific best practices or troubleshooting tips for common backup and encryption scenarios.
- Ensure that all automation examples (PowerShell, CLI) are equally detailed and that CLI examples are not less comprehensive than PowerShell ones.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
 Clean
|
| 2026-01-13 00:00 | #246 | completed |
Clean
|
| 2026-01-12 00:00 | #243 | cancelled |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
Clean
|
| 2025-09-11 00:00 | #108 | completed |
Clean
|
| 2025-08-11 00:00 | #77 | completed |
Clean
|
| 2025-08-10 00:00 | #76 | completed |
Clean
|
| 2025-08-09 00:00 | #75 | completed |
Clean
|
| 2025-08-08 00:00 | #74 | completed |
Clean
|
| 2025-08-07 00:00 | #73 | completed |
Clean
|
| 2025-08-06 00:00 | #72 | completed |
Clean
|
| 2025-08-05 00:00 | #71 | completed |
Clean
|
| 2025-08-03 00:00 | #69 | completed |
Clean
|
| 2025-08-01 00:00 | #67 | completed |
Clean
|
| 2025-07-31 00:00 | #66 | completed |
Clean
|
| 2025-07-30 00:00 | #65 | completed |
Clean
|
| 2025-07-29 00:01 | #64 | completed |
Clean
|
| 2025-07-28 00:00 | #63 | completed |
Clean
|
| 2025-07-27 00:00 | #62 | completed |
Clean
|
| 2025-07-26 00:01 | #61 | completed |
Clean
|
| 2025-07-25 00:00 | #60 | completed |
Clean
|
| 2025-07-24 00:00 | #59 | completed |
Clean
|
| 2025-07-23 00:00 | #58 | completed |
Clean
|
| 2025-07-22 00:01 | #57 | completed |
Clean
|
| 2025-07-21 00:00 | #56 | completed |
Clean
|
| 2025-07-19 13:51 | #54 | completed |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Biased
|
| 2025-07-09 13:09 | #3 | cancelled |
Clean
|
| 2025-07-08 04:23 | #2 | cancelled |
Clean
|
Flagged Code Snippets
$vault=Get-AzRecoveryServicesVault -ResourceGroupName "testrg" -Name "testvault" Update-AzRecoveryServicesVault -IdentityType SystemAssigned -ResourceGroupName TestRG -Name TestVault $vault.Identity | fl
---
### Assign permissions to the Recovery Services vault to access the encryption key in Azure Key Vault
You now need to permit the Recovery Services vault's managed identity to access the key vault that contains the encryption key.
If you're using a user-assigned identity, you must assign the same permissions to it.
Choose a client:
# [Azure portal](#tab/portal)
1. Go to *your key vault* > **Access policies**. Select **+Add Access Policy**.
:::image type="content" source="./media/encryption-at-rest-with-cmk/access-policies.png" alt-text="Screenshot that shows selections to add an access policy." lightbox="./media/encryption-at-rest-with-cmk/access-policies.png":::
2. Specify the actions to permit on the key. For **Key permissions**, select the **Get**, **List**, **Unwrap Key**, and **Wrap Key** operations.
:::image type="content" source="./media/encryption-at-rest-with-cmk/key-permissions.png" alt-text="Screenshot that shows selections for assigning key permissions." lightbox="./media/encryption-at-rest-with-cmk/key-permissions.png":::
3. Go to **Select principal** and search for your vault in the search box by using its name or managed identity. When the vault appears, select it and then choose **Select** at the bottom of the panel.
:::image type="content" source="./media/encryption-at-rest-with-cmk/select-principal.png" alt-text="Screenshot that shows the panel for selecting a principal." lightbox="./media/encryption-at-rest-with-cmk/select-principal.png":::
4. Select **Add** to add the new access policy.
5. Select **Save** to save changes that you made to the access policy of the key vault.
You can also assign an RBAC role to the Recovery Services vault that contains the previously mentioned permissions, such as the [Key Vault Crypto Officer](/azure/key-vault/general/rbac-guide#azure-built-in-roles-for-key-vault-data-plane-operations) role. This role might contain additional permissions.
# [PowerShell](#tab/powershell)
Use the [Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal) command to get the principal ID of the Recovery Services vault. Then, use this ID in the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) command to set an access policy for the key vault.
Example:
---
### Enable soft delete and purge protection on Azure Key Vault
You need to enable soft delete and purge protection on the key vault that stores your encryption key.
Choose a client:
# [Azure portal](#tab/portal)
You can enable soft delete and purge protection from the Azure Key Vault interface, as shown in the following screenshot. Alternatively, you can set these properties while creating the key vault. [Learn more about these Key Vault properties](/azure/key-vault/general/soft-delete-overview).
:::image type="content" source="./media/encryption-at-rest-with-cmk/soft-delete-purge-protection.png" alt-text="Screenshot that shows the toggles for enabling soft delete and purge protection." lightbox="./media/encryption-at-rest-with-cmk/soft-delete-purge-protection.png":::
# [PowerShell](#tab/powershell)
1. Sign in to your Azure account: