August 7, 2016

Azure Disk Encryption + Azure Backup

Update: 8/9/16 - new docs posted for reference:

There's this strange line of thinking that says that if you back up a VM, it would generally be a good idea if you could restore it in the unlikely event of an emergency. Couldn't tell you why, but there it is. I prefer to live on the edge of reason and life.

For those that take the safer route, you might be wondering what happens when you are using Azure Backup to back up VMs that have been encrypted with Azure Disk Encryption. You have, of course, deployed Azure Disk Encryption for ALL of your VMs, yes? Thank you. So there you are, humming along nice and encrypted, and lo it was told that your VM was lost due to an unfortunate encounter with the intern who liked to play with the registry.

Standard procedure would be to recover it from Azure Backup (after having a stern talking-to with the intern). For a refresher, you can do these things quickly with this article as a reference. But after restoration, you find your VM won't start. Why? Because it is encrypted with Azure Disk Encryption, and the restored VM has no idea where its keys live. What are we to do!?

With many thanks to a great colleague Simon G., we just need to tell Azure where to get the decryption keys and we're back up and going.

First, prior to enabling Azure Backup to back up the VMs that are encrypted, you need to give Azure Backup's service principal rights to read from the Azure Key Vault (the 'bigGUID' below is that service principal). Don't worry, this doesn't crack your keys wide open: it's get/list on keys and secrets plus key backup, not decrypt or unwrap rights.

Set-AzureRmKeyVaultAccessPolicy -VaultName 'KeyVaultName' -ResourceGroupName 'RGNameOfKeyVault' -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 'bigGUID'

With the vault access in place, fetch your backup protection policy and enable protection for the encrypted VM with it:

$pol = Get-AzureRmRecoveryServicesBackupProtectionPolicy -Name "NewPolicy"
Enable-AzureRmRecoveryServicesBackupProtection -Policy $pol -Name "V2VM" -ResourceGroupName "RGName1"

Now, back up those encrypted VMs!

Back to our intern-created problem: restore time. Restore the VHD as per the article linked above. Now, when creating the recovered VM, we just need to give a few more parameters so the OS disk carries the same Key Vault references (the secret holding the disk's key, and the key that wraps it) that the original VM had:

Set-AzureRmVMOSDisk -VM $vm -Name "osdisk" -VhdUri $Uri -CreateOption "Attach" -Windows `
    -DiskEncryptionKeyUrl "http://URL" `
    -DiskEncryptionKeyVaultId "/subscriptions/…/resourceGroups/.../providers/Microsoft.KeyVault/vaults/<VaultName>" `
    -KeyEncryptionKeyUrl "http://URL" `
    -KeyEncryptionKeyVaultId "/subscriptions/…/resourceGroups/.../providers/Microsoft.KeyVault/vaults/<VaultName>"

And then don't forget to attach the data disks too, with the same encryption options on each one.
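Pulling the restore steps together, here is an added example (my own script, not code from the original post) that rebuilds an ADE-encrypted Windows VM from restored VHDs, attaching the OS disk and each data disk with the same Key Vault references. It assumes placeholder names, URIs and vault IDs that you replace with your own, an existing NIC, and that you recorded each data disk's secret URL when encryption was enabled.

```powershell
# Added example, not from the original post: rebuild an ADE-encrypted Windows VM from
# restored VHDs, handing the OS disk and every data disk the same Key Vault references.
# Every name, URI and vault ID below is a placeholder assumption to replace with your own.
$rg       = 'RGName1'
$location = 'eastus'
$vaultId  = '/subscriptions/<subId>/resourceGroups/<kvRG>/providers/Microsoft.KeyVault/vaults/<VaultName>'

# Key Vault references recorded when Azure Disk Encryption was enabled on the source VM:
# the secret holding the wrapped disk key (DEK) and the key that wraps it (KEK).
$kekUrl   = 'https://<VaultName>.vault.azure.net/keys/<keyName>/<version>'
$osDekUrl = 'https://<VaultName>.vault.azure.net/secrets/<osSecretName>/<version>'
$osUri    = 'https://<storageAccount>.blob.core.windows.net/vhds/osdisk-restored.vhd'

# Restored data disk VHDs, each with the secret URL that was recorded for that disk (assumed).
$dataDisks = @(
    @{ Lun = 0; Name = 'datadisk0'
       Uri = 'https://<storageAccount>.blob.core.windows.net/vhds/datadisk0-restored.vhd'
       DekUrl = 'https://<VaultName>.vault.azure.net/secrets/<dataSecretName0>/<version>' }
)

# Fail early if the vault is gone: without it the restored VM can never unlock its disks.
$null = Get-AzureRmResource -ResourceId $vaultId -ErrorAction Stop

$vm = New-AzureRmVMConfig -VMName 'V2VM-restored' -VMSize 'Standard_DS2_v2'
$vm = Set-AzureRmVMOSDisk -VM $vm -Name 'osdisk' -VhdUri $osUri -CreateOption Attach -Windows `
        -DiskEncryptionKeyUrl $osDekUrl -DiskEncryptionKeyVaultId $vaultId `
        -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $vaultId

# Data disks take the same four encryption parameters as the OS disk.
foreach ($d in $dataDisks) {
    $vm = Add-AzureRmVMDataDisk -VM $vm -Name $d.Name -VhdUri $d.Uri -Lun $d.Lun -CreateOption Attach `
            -DiskEncryptionKeyUrl $d.DekUrl -DiskEncryptionKeyVaultId $vaultId `
            -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $vaultId
}

# An existing NIC with the name below is assumed; create one first if needed.
$nic = Get-AzureRmNetworkInterface -Name 'V2VM-restored-nic' -ResourceGroupName $rg
$vm  = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

New-AzureRmVM -ResourceGroupName $rg -Location $location -VM $vm

# Confirm the platform reports the disks as encrypted before handing the VM back.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName 'V2VM-restored'
```

If the encryption status comes back as not encrypted, or the VM hangs at boot, the usual cause is a secret or key URL that no longer matches what the vault holds (for example a rotated version), so compare the URLs against the vault before retrying.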

Easy as pie!