This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 55.00000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
I want to know if Is possible to deploy a new vm or recover from an encrypted exiting VM by creating snapshot ?
Thank You ,
@Kanchan Tiwari Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 63%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hi Kanchan,
Yes, it is possible to deploy a new virtual machine (VM) or recover from an encrypted existing VM using snapshots, depending on the virtualization platform you're using. Snapshots are a feature provided by many virtualization platforms that allow you to capture the state of a VM at a specific point in time, including its encrypted data.
To deploy a new VM or recover from an encrypted VM using snapshots, you typically follow these steps:
Create a snapshot: Take a snapshot of the VM you want to work with. This creates a copy of the VM's disk data at a particular moment, including any encryption that's in place.
Provision a new VM: Use the snapshot as a template or source to create a new VM. This new VM will be an exact replica of the original VM at the time the snapshot was taken, including the encrypted data.
Configure encryption settings: If the original VM was encrypted, you may need to configure the encryption settings for the new VM, such as providing encryption keys or passwords.
Start the new VM: Once the new VM is set up and configured, you can start it up and access the recovered or newly deployed VM.
The exact steps you take and terminology may vary depending on the virtualization platform you're using, such as VMware, Hyper-V, or cloud platforms like AWS, Azure, or Google Cloud. It's important to check the documentation or support resources provided by your specific virtualization platform for detailed instructions on how to perform these actions.
I hope this helps with your issue?
Hello @Revelino B , Thank you for your reply
My bad if I did not mention the target platform is Azure Cloud Scenario : where we have encrypted Azure VM with ADE
We created a snapshot from existing VM OS disk, then created a disk from that snapshot with PMK encryption option for both snapshot and disk.
Observation : It could create a VM with encryption PMK in option while deploying the VM , VM got deployed successfully and could see the OS drive was stayed bit locked (ADE)
Note : It could deploys VM when we go with PMK while creating snapshot , disk and VM but it fails the deployment when selected CMK option with these .what my understanding is with PMK it retains the encryption as it is till key is available in Key vault .
can you validate above my view please .
Thank You,
Hi Kanchan, Thanks for the additional information.
In Azure Cloud, when you create a snapshot from an existing VM OS disk and create a new disk from that snapshot, you have the option to choose either a PMK (Platform Managed Key) or a CMK (Customer Managed Key) for encryption. After reading your text, you observed the following, which I will highlight below:
PMK Encryption:
CMK Encryption:
Please beware that to note that proper key management is crucial to ensure successful encryption and deployment of the VM. Don't forgot to review any Azure documentation and guidelines related to Azure Disk Encryption, Azure Key Vault, and customer-managed keys to ensure you have configured everything correctly for your specific scenario.
I hope this helps ? If you have any further questions please let me know.
Hello @Kanchan Tiwari
It is possible to deploy a new VM or recover from an encrypted existing VM by creating a snapshot, but there are some important considerations to keep in mind.
When you create a snapshot of an encrypted VM in Azure, the snapshot is encrypted with the same encryption settings as the original VM. This means that when you deploy a new VM or recover from a snapshot, you will need to provide the encryption settings, including the key vault URL and key name or secret name, in order to access the encrypted disks.
To create a snapshot of an encrypted VM, you can use the Azure portal, PowerShell, or the Azure CLI. Here's an example using PowerShell:
# Create a snapshot of the VM
$vm = Get-AzVM -Name "my-encrypted-vm" -ResourceGroupName "my-rg"
$snapshot = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OSDisk.ManagedDisk.Id -CreateOption Copy
New-AzSnapshot -Snapshot $snapshot -SnapshotName "my-encrypted-vm-snapshot" -ResourceGroupName "my-rg"
To deploy a new VM or recover from a snapshot of an encrypted VM, you can follow the same process as with a non-encrypted VM, but you will need to provide the encryption settings in addition to the other deployment settings. Here's an example of how to deploy a new encrypted VM from a snapshot using PowerShell:
# Create a new encrypted VM from the snapshot
$snapshot = Get-AzSnapshot -Name "my-encrypted-vm-snapshot" -ResourceGroupName "my-rg"
$diskConfig = New-AzDiskConfig -SkuName $snapshot.Sku.Name -OsType $snapshot.OsType -EncryptionSettings $snapshot.EncryptionSettings
$osDisk = New-AzDisk -DiskName "my-encrypted-vm-disk" -Disk $diskConfig -ResourceGroupName "my-rg" -SnapshotId $snapshot.Id
$vmConfig = New-AzVMConfig -VMName "my-new-encrypted-vm" -VMSize "Standard_D2s_v3"
$vmConfig = Set-AzVMOperatingSystem -VM $vmConfig -ManagedDiskId $osDisk.Id -Windows
New-AzVM -VM $vmConfig -ResourceGroupName "my-rg" -Location "eastus"
Again, it's important to ensure that you provide the correct encryption settings when deploying a new VM or recovering from a snapshot of an encrypted VM. Also, keep in mind that snapshots can be used for short-term backup and recovery scenarios, but for long-term backup and disaster recovery, it's recommended to use Azure Backup or a third-party backup solution.
If this anwer helped kindly mark it as Accepted or send us more feedback
Regards!
@KonstantinosPOfficeLine-9007 •
As per my experience , it did not require to provide key vault and key information while creating snapshot from encrypted VM / disk from encrypted snapshot and even it does not require to provide these information while deploying the VM ,
aa I mentioned in my previous comment that though it shows you encryption option PMK/CMK but you will have to choose PMK which helps to retain the encryption configuration of that VM Disk .
Regards,