DavidToseland-4316 asked SumanthMarigowda-MSFT commented

Restoring a VM that used to be encrypted

This is my scenario.

I have a VM that is encrypted. I remove the encryption from the drives and remove the encryption extension.

Later I want to restore the VM from a time when it was still encrypted. The restore prompts me that the drive was encrypted and I can only restore the disk, which is as expected. I do that and the disk is restored. The next step is to deploy the template. On the restore page the Encryption Info Blob Name is there, and if I check the JSON it points to with Storage Explorer, I can see it has all the details needed to get the wrapped BEK from the Key Vault.

If I then deploy the template and restore the VM, the VM will not boot. The disk doesn't show ADE; it appears the restored VM doesn't know the disk is encrypted and doesn't try to go and fetch the key from the vault.

I can go through a lengthy process of adding the drives to a recovery VM, recovering the BEK file, unencrypting the drive and then creating a new VM, but this takes a long time with large drives.

Just to note: if I do the same process with an encrypted VM that was never unencrypted, it restores fine. The problem only arises if I have unencrypted a VM first and then later want to restore the VM from a point in time when it was still encrypted.

Also, to be clear, the Key Vault with the wrapped BEK is available.

Tags: azure-backup, azure-disk-encryption

1 Answer

SadiqhAhmed-MSFT answered SumanthMarigowda-MSFT commented

Hello @DavidToseland-4316
Thank you for contacting us!

What is the classification of the encrypted VM we are talking about? With AAD or without AAD? In both cases, drives would be restored along with templates and would need to be deployed manually. But after deploying, I expect the ADE settings also to be restored. In the case of encrypted VMs with AAD, ADE settings would be available in OS disks only, and in the case of without AAD the settings are at disk level, which means each disk would have an ADE settings flag.

IMO the ADE settings would be restored even for encrypted VMs without AAD.

As mentioned, if you are restoring from a point-in-time RP when the VM was encrypted, the ADE settings/extension are expected to be restored. From your description of the issue, it looks like the ADE extension was not restored when the template was deployed and hence the VM didn't boot up. In this case reinstalling the ADE extension should solve the issue.

HTH!


If the response helped, do "Accept Answer" and up-vote it


I think you may be right about the extension, but it seems unless the VM boots the extension doesn't install. How do I install the ADE extension into a non-booting VM?


@DavidToseland-4316 The restore template you are using should have the ADE extension as one of the resources. So as per the actual flow, when you are deploying the template to create the VM, the ADE extension should be installed and the VM should boot up. Can you please check the template once, or please share the same along with other details to investigate better.


"resources": [
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(parameters('VirtualMachineName'), '/AzureDiskEncryption')]",
        "apiVersion": "2017-03-30",
        "location": "[variables('VirtualMachineLocation')]",
        "properties": {
            "publisher": "Microsoft.Azure.Security",
            "type": "AzureDiskEncryption",
            "typeHandlerVersion": "2.2",
            "autoUpgradeMinorVersion": true,
            "forceUpdateTag": "775809340cc341b1b875b7682cd1afe9",
            "settings": {
                "EncryptionOperation": "EnableEncryption",

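To catch the failure described in this thread before deploying, here is an added example (not from Microsoft or from anyone in the thread) that scans a restore template for the AzureDiskEncryption extension resource and its settings. The KeyVaultURL and KeyVaultResourceId key names are assumed from the ADE extension settings schema and do not appear in the thread; the sample templates are constructed.

```python
import json
import sys
# Extension identity as it appears in the restore template quoted in the thread.
ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = ("AzureDiskEncryption", "AzureDiskEncryptionForLinux")  # Windows / Linux
# Only EncryptionOperation is shown in the thread; the Key Vault keys are assumed (ADE schema).
REQUIRED_SETTINGS = ("EncryptionOperation", "KeyVaultURL", "KeyVaultResourceId")

def find_ade_extensions(template: dict) -> list:
    """Return the AzureDiskEncryption extension resources declared in an ARM template."""
    found = []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if (res.get("type") == "Microsoft.Compute/virtualMachines/extensions"
                and props.get("publisher") == ADE_PUBLISHER
                and props.get("type") in ADE_TYPES):
            found.append(res)
    return found

def check_restore_template(template: dict) -> list:
    """Return problems found; an empty list means the deploy should re-apply ADE settings."""
    extensions = find_ade_extensions(template)
    if not extensions:
        return ["no AzureDiskEncryption extension resource; VM would deploy without ADE"]
    problems = []
    for ext in extensions:
        name = ext.get("name", "<unnamed>")
        settings = ext.get("properties", {}).get("settings", {})
        for key in REQUIRED_SETTINGS:
            if not settings.get(key):
                problems.append(f"{name}: missing setting {key}")
        if settings.get("EncryptionOperation") != "EnableEncryption":
            problems.append(f"{name}: EncryptionOperation should be EnableEncryption")
    return problems

# Constructed samples: one without the extension (the failing restore above), one with it.
MISSING_ADE = {"resources": [{"type": "Microsoft.Compute/virtualMachines", "name": "vm1"}]}
WITH_ADE = {"resources": [MISSING_ADE["resources"][0], {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "vm1/AzureDiskEncryption",
    "properties": {"publisher": ADE_PUBLISHER, "type": "AzureDiskEncryption",
                   "settings": {"EncryptionOperation": "EnableEncryption",
                                "KeyVaultURL": "https://<your-vault>.vault.azure.net/",
                                "KeyVaultResourceId": "/subscriptions/<sub>/.../<your-vault>"}}}]}
if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a template saved from the restore blade
        with open(sys.argv[1]) as fh:
            print(check_restore_template(json.load(fh)) or "ok")
    for label, tpl in (("missing", MISSING_ADE), ("with-ade", WITH_ADE)):
        print(label, check_restore_template(tpl) or "ok")
```

Run it with the path of a template saved from the restore blade; a non-empty result means the deployed VM would come up without the ADE settings that point it at the wrapped BEK.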