How to back up and restore encrypted virtual machines with Azure Backup

This article describes how to back up and restore encrypted virtual machines with Azure Backup. It also covers the supported scenarios, prerequisites, and troubleshooting steps for error cases.

Supported scenarios

  • Backup and restore of encrypted VMs is supported only for Resource Manager deployed virtual machines. It is not supported for Classic virtual machines.
  • It is supported for both Windows and Linux virtual machines using Azure Disk Encryption, which uses the industry standard BitLocker feature of Windows and DM-Crypt feature of Linux to provide encryption of disks.
  • The following table captures the supported scenarios for VMs encrypted with a BitLocker Encryption Key (BEK) only and for VMs encrypted with both a BEK and a Key Encryption Key (KEK).

                      BEK + KEK VMs   BEK only VMs
    Non-managed VMs   Yes             Yes
    Managed VMs       Yes             No

Prerequisites

  1. The virtual machine has been encrypted using Azure Disk Encryption.
  2. A Recovery Services vault has been created and storage replication set up, using the steps in the article Prepare your environment for backup.
  3. Azure Backup has been given permissions to access the key vault containing the keys and secrets for the encrypted VMs.

Backup encrypted VM

Use the following steps to set the backup goal, define the policy, configure items, and trigger backup.

Configure backup

  1. If you already have a Recovery Services vault open, proceed to the next step. If you do not have a Recovery Services vault open but are in the Azure portal, on the Hub menu, click Browse.

    • In the list of resources, type Recovery Services.
    • As you begin typing, the list filters based on your input. When you see Recovery Services vaults, click it.

      The list of Recovery Services vaults appears. From the list of Recovery Services vaults, select a vault.

      The selected vault dashboard opens.

  2. From the list of items that appears under the vault, click Backup to start backing up the encrypted VM.

  3. Click Backup goal, the first step, to select the backup goal.

  4. In the first step, Backup Goal, set Where is your workload running to Azure and What do you want to backup to Virtual machine, then click OK.

    This leads to the second step of selecting Backup policy.

  5. In the second step of selecting policy, select the backup policy you want to apply to the vault and click OK.

    The details of the default policy are listed below the drop-down menu. If you want to create a new policy, select Create New from the drop-down menu. Once you click OK, the backup policy is associated with the vault.

    Next choose the VMs to associate with the vault.

  6. Choose the encrypted virtual machines to associate with the specified policy and click OK.

  7. This page shows a message about the key vault associated with the selected encrypted VMs. The Backup service requires read-only access to the keys and secrets in the key vault. It uses these permissions to back up the key and secret along with the associated VMs. You must grant the Backup service permissions to access the key vault for backups to work. You can grant these permissions using the steps in the section below.

    Now that you have defined all settings for the vault, click Enable Backup at the bottom of the page. Enable Backup deploys the policy to the vault and the VMs.

  8. The next phase in preparation is installing the VM Agent, or making sure the VM Agent is installed. To do so, use the steps in the article Prepare your environment for backup.

Triggering backup job

Use the steps in the article Backup Azure VMs to recovery services vault to trigger a backup job.

Continue backups of already backed up VMs with encryption enabled

If you have VMs that are already being backed up in a Recovery Services vault and encryption was enabled on them at a later point, you must grant the Backup service permissions to access the key vault for backups to continue. You can grant these permissions using the steps in the section below or using the PowerShell steps in the Enable Backup section of the PowerShell documentation.

Provide permissions to Azure Backup

Use the following steps to grant Azure Backup the permissions it needs to access the key vault and back up encrypted VMs:

  1. Select More Services and search for Key vaults.

  2. From the list of key vaults, select the key vault associated with the encrypted VM that needs to be backed up.

  3. Click Access policies and then Add new.

  4. Click Select principal and type Backup Management Service in the search bar.

  5. Select Backup Management Service and click the Select button.

  6. Select Azure Backup in the Configure from template drop-down. This pre-fills the required permissions in the Key permissions and Secret permissions drop-downs. If your VM is encrypted using BEK only, only secret permissions are required, so you must clear the selection for Key permissions.

  7. Click OK. Notice that Backup Management Service is added under Access Policies.

  8. Click Save. This grants the required permissions to Azure Backup.

Once permissions are successfully provided, you can proceed with enabling backup for encrypted VMs.
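
The same access policy can be granted from AzureRM PowerShell, which is useful when many key vaults must be configured or when the VM was encrypted after backup was already enabled. This is an added example, not code from the article; the placeholder names (myVmResourceGroup, myEncryptedVm, myKeyVaultResourceGroup, myKeyVault) and the get/list/backup permission set that the portal's Azure Backup template fills in are assumptions.

```powershell
# Added example: grant the Backup Management Service access to the key vault
# (the PowerShell equivalent of portal steps 1-8 above). Placeholder names.
$vmRgName  = "myVmResourceGroup"
$vmName    = "myEncryptedVm"
$kvRgName  = "myKeyVaultResourceGroup"
$vaultName = "myKeyVault"

# Resolve the Backup Management Service principal by display name rather than
# hard-coding its application ID.
$spn = Get-AzureRmADServicePrincipal -SearchString "Backup Management Service" |
       Where-Object { $_.DisplayName -eq "Backup Management Service" } |
       Select-Object -First 1
if (-not $spn) { throw "Backup Management Service principal not found in this tenant." }

# Read the VM's Azure Disk Encryption settings. A KeyEncryptionKey reference on
# the OS volume means BEK + KEK; no reference means BEK only (step 6 above).
$status  = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $vmRgName -VMName $vmName
$usesKek = $null -ne $status.OsVolumeEncryptionSettings.KeyEncryptionKey

# Assumed permission set: read-only access plus the backup operation, which is
# what the article says the service needs to back up the key and secret.
$secretPerms = @("get", "list", "backup")
$keyPerms    = @("get", "list", "backup")

if ($usesKek) {
    # BEK + KEK: the service needs both key and secret permissions.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $kvRgName `
        -ServicePrincipalName $spn.ApplicationId `
        -PermissionsToKeys $keyPerms -PermissionsToSecrets $secretPerms
} else {
    # BEK only: grant secret permissions only, leaving key permissions unset.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $kvRgName `
        -ServicePrincipalName $spn.ApplicationId `
        -PermissionsToSecrets $secretPerms
}

# Verify the result (portal step 7): the vault's access policies must now
# contain an entry for the Backup Management Service object ID.
$policy = (Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $kvRgName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $spn.Id }
if (-not $policy) { throw "Access policy for Backup Management Service was not created." }
$policy | Format-List ObjectId, PermissionsToKeys, PermissionsToSecrets
```

Run it once per key vault that holds keys or secrets for VMs you back up; re-running is safe because Set-AzureRmKeyVaultAccessPolicy replaces the principal's existing entry.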

Restore encrypted VM

To restore an encrypted VM, first restore the disks using the steps in the section Restore backed up disks in Choosing VM restore configuration. After that, you can use one of the following options:

Troubleshooting errors

Operation: Backup
Error details: Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines
Resolution: Virtual machine should be encrypted using both BitLocker Encryption Key and Key Encryption Key. After that, backup should be enabled. The Backup service should be granted these permissions using the steps in the section above, or by using the PowerShell steps in the Enable protection section of the PowerShell documentation at Use AzureRM.RecoveryServices.Backup cmdlets to back up virtual machines.

Operation: Backup
Error details: Validation failed as virtual machine is encrypted with BEK alone. Backups can be enabled only for virtual machines encrypted with both BEK and KEK.
Resolution: Virtual machine should be encrypted using BEK and KEK. First decrypt the VM and encrypt it using both BEK and KEK. Enable backup once the VM is encrypted using both BEK and KEK. Learn more on how you can decrypt and encrypt the VM.

Operation: Restore
Error details: You cannot restore this encrypted VM since key vault associated with this VM does not exist.
Resolution: Create a key vault using Get Started with Azure Key Vault. Refer to the article Restore key vault key and secret using Azure Backup to restore the key and secret if they are not present.

Operation: Restore
Error details: You cannot restore this encrypted VM since key and secret associated with this VM do not exist.
Resolution: Refer to the article Restore key vault key and secret using Azure Backup to restore the key and secret if they are not present.

Operation: Restore
Error details: Backup Service does not have authorization to access resources in your subscription.
Resolution: As mentioned above, restore the disks first, using the steps in the section Restore backed up disks in Choosing VM restore configuration. After that, use PowerShell to Create a VM from restored disks.