Troubleshoot backup failures on encrypted Azure virtual machines

Use the steps below to troubleshoot common errors encountered when using the Azure Backup service to back up encrypted Azure virtual machines.

Before you start

  1. Review the following limitations and supported configurations:
    • You can back up and restore ADE encrypted VMs within the same subscription.
    • Azure Backup supports VMs encrypted using standalone keys. Any key that's a part of a certificate used to encrypt a VM isn't currently supported.
    • Azure Backup supports Cross Region Restore of encrypted Azure VMs to the Azure paired regions.
    • ADE encrypted VMs cannot be recovered at the file/folder level. You must recover the entire VM to restore files and folders.
    • When restoring a VM, you cannot use the 'replace existing VM' option for ADE encrypted VMs. See steps to restore encrypted Azure virtual machines.
  2. Review the support matrix for a list of supported managed types and regions
  3. Learn more about encryption support using Azure Disk Encryption (ADE), customer-managed keys (CMK) and platform-managed keys (PMK)

Common error codes

This section provides steps to troubleshoot common errors that you might see.

UserErrorEncryptedVmNotSupportedWithDiskEx

Error message: Disk exclusion is not supported for encrypted virtual machines.

Backup operation failed because selective disk backup is currently not supported for encrypted VMs. Review selective disk backup limitations.

UserErrorKeyVaultPermissionsNotConfigured

Error message: Backup doesn't have sufficient permissions to the key vault for backup of encrypted VMs.

Backup operation failed because the encrypted VMs do not have the required permissions to access the key vault. Permissions can be set through Azure portal or through PowerShell.
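The following PowerShell script is an added example, not part of the original article. It reports which key and secret permissions the Azure Backup service principal is missing on the key vault and grants them only when run with -Fix. The vault name, resource group, the 'Backup Management Service' display name, and the get/list/backup permission set are assumptions to verify against your environment.

```powershell
# Added example. Placeholders and the permission set below are assumptions.
param(
    [string]$VaultName         = '<key-vault-name>',
    [string]$ResourceGroupName = '<key-vault-resource-group>',
    [switch]$Fix   # without -Fix the script only reports
)

# Assumed permission set for backing up ADE-encrypted VMs.
$requiredKeys    = 'get', 'list', 'backup'
$requiredSecrets = 'get', 'list', 'backup'

# Assumed display name of the Azure Backup first-party service principal.
$sp = Get-AzADServicePrincipal -DisplayName 'Backup Management Service' |
    Select-Object -First 1
if (-not $sp) { throw 'Backup service principal not found in this tenant.' }

$kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not $kv) { throw "Key vault '$VaultName' not found." }

# Access policies are ignored when the vault uses the Azure RBAC permission model.
if ($kv.EnableRbacAuthorization) {
    Write-Warning 'Vault uses Azure RBAC; review role assignments instead of access policies.'
    return
}

# $sp.Id is the object ID in current Az.Resources; older releases expose ObjectId.
$policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

$missingKeys    = @($requiredKeys    | Where-Object { $policy.PermissionsToKeys    -notcontains $_ })
$missingSecrets = @($requiredSecrets | Where-Object { $policy.PermissionsToSecrets -notcontains $_ })

if (-not $missingKeys -and -not $missingSecrets) {
    Write-Output 'Backup service already has the required key and secret permissions.'
    return
}
Write-Output "Missing key permissions:    $($missingKeys -join ', ')"
Write-Output "Missing secret permissions: $($missingSecrets -join ', ')"

if ($Fix) {
    # Set-AzKeyVaultAccessPolicy replaces the principal's policy, so merge with
    # what is already granted instead of passing only the missing items.
    $keys    = @($policy.PermissionsToKeys)    + $missingKeys    | Where-Object { $_ } | Select-Object -Unique
    $secrets = @($policy.PermissionsToSecrets) + $missingSecrets | Where-Object { $_ } | Select-Object -Unique
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ObjectId $sp.Id -PermissionsToKeys $keys -PermissionsToSecrets $secrets
    Write-Output 'Access policy updated. Retry the backup operation.'
}
```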

DiskEncryptionInternalError

Error message: Unknown error encountered when retrieving secret from the Key Vault with URL

The restore operation for the encrypted VM failed because the Key Vault key or secret is missing. To resolve this issue, restore the Key Vault key or secret and create encrypted VMs from the restored disk, key, and secret.

BCMProtGetSaSUriAsyncError

Error message: Backup failed in allocating storage from protection service

Backup operation failed because Azure Key Vault does not have the required access to the Recovery Service Vault. Assign the required permissions to the vault to access the encryption key and retry the operation.
