Azure virtual machine storage should be encrypted to protect sensitive information. It is considered best practice to encrypt data at rest in any environment that supports it, especially because encryption is often required by compliance frameworks or industry regulations.
Once a Virtual Machine is created in the console, the encryption at host setting cannot be changed. To create a resource with the correct settings, follow the steps below.
In Azure Console -
In Terraform -
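A minimal Terraform configuration with host encryption enabled, as an added example that is not part of the original page. The resource type and the `encryption_at_host_enabled` argument come from the azurerm provider documentation listed under References; the variable names, VM name, size, image and SSH key path are assumptions.

```hcl
# Added example: all names, the VM size, the image and the key path are
# constructed placeholders. Assumes the subscription and the chosen VM size
# support encryption at host.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "nic_id" { type = string } # ID of an existing network interface

resource "azurerm_linux_virtual_machine" "example" {
  name                  = "example-vm"
  resource_group_name   = var.resource_group_name
  location              = var.location
  size                  = "Standard_D2s_v3"
  admin_username        = "azureuser"
  network_interface_ids = [var.nic_id]

  # Encrypts all disks attached to the VM, including the temp disk, at the host.
  # Omitting this argument or setting it to false leaves host encryption off,
  # which is the condition this page asks you to correct.
  encryption_at_host_enabled = true

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}
```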
References:
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#encryption_at_host_enabled