Azure Backup supports encrypted Azure virtual machines using Portal and PowerShell

Azure Backup now supports backup and restore of encrypted Azure virtual machines.

Azure Backup already supports backup and restore of Classic and Resource Manager virtual machines, as well as premium storage VMs. Today, we are announcing support for backup and restore of encrypted Azure virtual machines using the portal as well as PowerShell, available for VMs encrypted using Azure Disk Encryption.

The Azure Disk Encryption solution helps customers protect their data and meet their security and compliance commitments through a range of advanced technologies to encrypt data, control and manage encryption keys, and audit access to data. Additionally, various security requirements like key rollover and re-encryption of VMs make it more complex to maintain the keys and secrets of these VMs. Azure Backup supports backup of encrypted VMs across all of these scenarios seamlessly and maintains the security, privacy and sovereignty of enterprise data throughout the backup lifecycle.

Value Proposition

This feature provides:

  • Enhanced security: Since the keys and secrets of encrypted VMs are backed up in encrypted form, unauthorized users cannot read or use these backed-up keys and secrets. Only users with the right level of permissions can back up and restore encrypted VMs as well as their keys and secrets.
  • Improved restores: Besides backing up and restoring encrypted VMs, the latest keys and secrets associated with the VM are also backed up. So even if the VM is restored after years and the keys are lost, the backed-up version can be used to retrieve the VM. Learn more about how to restore keys and secrets using Azure Backup.
  • Simplified experience: With this capability, you can seamlessly back up and restore your encrypted VMs through a familiar and consistent experience.


With this release, Azure Backup provides:

  • Backup of encrypted VMs using Key Encryption Key: The current capability supports backup of VMs encrypted using both a BitLocker Encryption Key (BEK) and a Key Encryption Key (KEK). The backed-up BEK and KEK are stored in encrypted form, so they can be read and used only when restored back to the key vault by the right user.
  • Restore lost keys and secrets: Since the KEK and BEK are backed up as well, users with the right set of permissions can restore keys and secrets, in case they are lost, back to the key vault and bring up the encrypted VM.
  • PowerShell: Customers can use Azure PowerShell to automate and perform backup and restore operations at scale.

Getting Started

To get started with backup of encrypted Azure VMs:

  1. Create a recovery services vault, if it doesn’t exist. Open the recovery services vault.
  2. Click +Backup to start backing up encrypted VMs. Refer to the Backup and Restore of encrypted VMs documentation for more details.

Backup of encrypted VMs

To restore encrypted Azure VMs:

  1. To restore encrypted VMs, follow the steps in the restore virtual machines in Azure portal documentation.
  2. To restore the keys and secrets of encrypted VMs, follow the steps in how to restore keys and secrets using Azure Backup.