@Momo
Thanks for the additional details and screenshots! I wasn't able to reproduce your issue as you can see in my screenshot below.
However, if you're trying to rotate your KEK, the recommended way to do so is by calling the ADE encryption script, using the same variables you used initially during encryption. For more info.
A backup is recommended prior to executing the ADE script.
For example - This was my initial script:
```powershell
$KVRGname = 'KeyVaultRG';
$VMRGName = 'VirtualMachineRG';
$vmName = 'jatranTestVM';
$KeyVaultName = 'KVjt';
$keyEncryptionKeyName = 'testADEKey';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
$sequenceVersion = [Guid]::NewGuid();
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType "All" -SequenceVersion $sequenceVersion;
```
If I were to rotate my keys, I would use the same script with the "sequence version" variable, just referencing a different key.
```powershell
$KVRGname = 'KeyVaultRG';
$VMRGName = 'VirtualMachineRG';
$vmName = 'jatranTestVM';
$KeyVaultName = 'KVjt';
$keyEncryptionKeyName = 'testADEKey002';
# The remaining lines are the same as in the initial script above.
```
If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.
----------
If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.
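A read-only check that can follow the rotation described in the answer above, added here as an example and not part of the original reply: it confirms the VM reports as encrypted and that its OS disk now references the new KEK. It reuses the resource names from the post and assumes a managed OS disk located in the VM's resource group.

```powershell
# Added example (not from the original answer): verify a KEK rotation took effect.
# Names are the ones used in the post; assumes a managed OS disk in the VM's resource group.
$VMRGName = 'VirtualMachineRG'
$vmName = 'jatranTestVM'
$KeyVaultName = 'KVjt'
$keyEncryptionKeyName = 'testADEKey002'

# URL (including version) of the key the VM is expected to use after rotation
$expectedKey = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName
if (-not $expectedKey) {
    throw "Key '$keyEncryptionKeyName' was not found in vault '$KeyVaultName'."
}
$expectedKekUrl = $expectedKey.Key.kid

# Overall encryption state as reported for the VM
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $VMRGName -VMName $vmName
Write-Output "OS volume: $($status.OsVolumeEncrypted); data volumes: $($status.DataVolumesEncrypted)"

# Encryption settings stamped on the managed OS disk
$vm = Get-AzVM -ResourceGroupName $VMRGName -Name $vmName
$osDisk = Get-AzDisk -ResourceGroupName $VMRGName -DiskName $vm.StorageProfile.OsDisk.Name
$kekUrls = @($osDisk.EncryptionSettingsCollection.EncryptionSettings |
    ForEach-Object { $_.KeyEncryptionKey.KeyUrl } |
    Where-Object { $_ })

if ($kekUrls.Count -eq 0) {
    throw "OS disk '$($osDisk.Name)' has no KEK recorded in its encryption settings."
}
if ($kekUrls -notcontains $expectedKekUrl) {
    throw "OS disk still references: $($kekUrls -join ', '); expected: $expectedKekUrl"
}
Write-Output "OS disk '$($osDisk.Name)' references the expected KEK: $expectedKekUrl"
```

Run it before disabling or deleting the previous key, so the old KEK stays available if the disk still references it.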