Restoring a VM that used to be encrypted

David Toseland 1 Reputation point
2020-12-16T09:25:46.097+00:00

This is my scenario:

I have a VM that is encrypted. I remove the encryption from the drives and remove the encryption extension.

I then later want to restore the VM from a time when it was still encrypted. The restore prompts me that the drive was encrypted and I can only restore the disk, which is as expected. I do that and the disk is restored. The next step is to deploy the template. On the restore page the Encryption Info Blob Name is there, and if I check the JSON it points to with Storage Explorer, I can see it has all the details needed to get the wrapped BEK from the Key Vault.

If I then deploy the template and restore the VM, the VM will not boot. The disk doesn't show ADE; it appears the restored VM doesn't know the disk is encrypted and doesn't try to go and fetch the key from the vault.

I can go through a lengthy process of adding the drives to a recovery VM, recovering the BEK file, decrypting the drive and then creating a new VM, but this takes a long time with large drives.

Just to note, if I do the same process with an encrypted VM that was never decrypted, it restores fine. The problem only arises if I have decrypted a VM first and then later want to restore the VM from a point in time when it was still encrypted.

Also, to be clear, the Key Vault with the wrapped BEK is available.

Tags: Azure Backup, Azure Disk Encryption

1 answer

  1. SadiqhAhmed-MSFT 41,716 Reputation points Microsoft Employee
    2020-12-17T10:22:05.71+00:00

    Hello @David Toseland
    Thank you for contacting us!

    What is the classification of the encrypted VM we are talking about: with AAD or without AAD? In both cases, the drives would be restored along with templates and would need to be deployed manually. But after deploying, I expect the ADE settings also to be restored. In the case of encrypted VMs with AAD, the ADE settings would be available on OS disks only, and in the case of without AAD the settings are at disk level, which means each disk would have an ADE settings flag.

    IMO the ADE settings would be restored even for encrypted VMs without AAD.

    As mentioned, if you are restoring from a point-in-time RP when the VM was encrypted, the ADE settings/extension are expected to be restored. From your description of the issue it looks like the ADE extension was not restored when the template was deployed, and hence the VM didn't boot up. In this case reinstalling the ADE extension should solve the issue.

    HTH!

    ----------------------------------------------------------------------------------------------------------------------

    If the response helped, do "Accept Answer" and up-vote it
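The check-then-reinstall sequence the answer suggests, written out in Az PowerShell as an added example; this is not code from the question, the answer or Microsoft, and it assumes the Az.Accounts, Az.Compute, Az.Storage and Az.KeyVault modules with a prior Connect-AzAccount. All resource names are placeholders, and the field names read from the encryption info blob are an assumption to be checked against the real JSON in Storage Explorer, as the question describes.

```powershell
# Added example, not code from the thread above. Assumes Az.Accounts, Az.Compute, Az.Storage
# and Az.KeyVault are installed and Connect-AzAccount has been run. Every resource name is a
# placeholder; the field names read from the encryption info blob are an ASSUMPTION.
$rg        = 'rg-restore'            # resource group the restore template was deployed into
$vmName    = 'vm-restored'           # VM created by the template
$stAccount = 'strestorestaging'      # staging storage account chosen in the restore wizard
$container = 'vmconfigurations'      # container holding the encryption info blob (assumed)
$blobName  = 'encryption-info.json'  # value shown as "Encryption Info Blob Name" (assumed)

# 1. Ask the platform what it believes. A VM restored from an ADE recovery point without the
#    extension reports NotEncrypted here even though the disk contents are BitLocker ciphertext,
#    which is why it never asks Key Vault for the wrapped BEK and cannot boot.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
Write-Host ("OS volume: {0}, data volumes: {1}" -f $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)

$ade = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -ErrorAction SilentlyContinue |
       Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' }   # ADE extension publisher
if ($ade) {
    Write-Host "ADE extension already present ($($ade.Name)); nothing to reinstall."
    return
}

# 2. Recover the Key Vault references from the encryption info blob written by the restore job.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $stAccount).Context
$tmp = Join-Path $env:TEMP $blobName
Get-AzStorageBlobContent -Container $container -Blob $blobName -Context $ctx `
    -Destination $tmp -Force | Out-Null
$info = Get-Content -Path $tmp -Raw | ConvertFrom-Json

# ASSUMED layout, mirroring the ARM osDisk.encryptionSettings shape; adjust to the real blob.
$secretUrl = $info.diskEncryptionKey.secretUrl       # wrapped BEK (secret) in Key Vault
$vaultId   = $info.diskEncryptionKey.sourceVault.id  # /subscriptions/.../vaults/<name>
$kekUrl    = $info.keyEncryptionKey.keyUrl           # $null when no KEK was used
if (-not $secretUrl -or -not $vaultId) { throw 'Encryption info blob has no BEK reference.' }

# Sanity check before touching the VM: the wrapped BEK must still exist in the vault.
$vaultName  = ($vaultId -split '/')[-1]
$vault      = Get-AzKeyVault -VaultName $vaultName
$secretName = ([uri]$secretUrl).Segments[2].TrimEnd('/')   # https://<kv>/secrets/<name>/<ver>
if (-not (Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName)) {
    throw "Wrapped BEK '$secretName' not found in '$vaultName'; restore the key material first."
}

# 3. Reinstall the extension against the same vault, as the answer suggests. SequenceVersion must
#    differ from the value used when the VM was first encrypted, otherwise the update is ignored.
$params = @{
    ResourceGroupName         = $rg
    VMName                    = $vmName
    DiskEncryptionKeyVaultUrl = $vault.VaultUri
    DiskEncryptionKeyVaultId  = $vault.ResourceId
    VolumeType                = 'All'
    SequenceVersion           = [guid]::NewGuid().ToString()
    SkipVmBackup              = $true
    Force                     = $true
}
if ($kekUrl) {
    $params.KeyEncryptionKeyUrl     = $kekUrl
    $params.KeyEncryptionKeyVaultId = $vault.ResourceId
}
Set-AzVMDiskEncryptionExtension @params

# 4. Verify that the platform now reports the volumes as encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Two caveats from practice. The Key Vault lookup in step 2 is deliberate: reinstalling the extension against a vault that no longer holds the wrapped BEK cannot recover the data, so fail early rather than after a long extension run. And because the ADE extension executes inside the guest, Set-AzVMDiskEncryptionExtension cannot complete on a VM that is stopped because it will not boot; in that situation the disk-level settings the answer mentions for the non-AAD case can be written back onto the managed OS disk directly (New-AzDiskUpdateConfig -EncryptionSettingsEnabled $true piped through Set-AzDiskUpdateDiskEncryptionKey and, if a KEK was used, Set-AzDiskUpdateKeyEncryptionKey, then Update-AzDisk) before starting the VM, so the host can fetch the BEK at boot.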