
Public preview: Enhancements to encryption using customer managed keys for Azure Backup

Published date: April 22, 2021

Azure Backup allows you to bring your own keys for encrypting the backup data in your Recovery Services vaults, thus giving you better control. Backup now provides improved capabilities (in preview) for management of encryption with customer managed keys:

  • Backup now supports user-assigned managed identities for granting permissions on keys to the Recovery Services vault.
  • Enable encryption with customer managed keys during creation of the Recovery Services vault. This feature is currently in limited preview; to sign up, please fill out this form and write to us at
  • Use Azure Policies to audit and enforce encryption using customer managed keys.

  • The above capabilities are supported through the portal only; PowerShell support for them is not yet available. If you intend to use PowerShell for performing key updates, it is suggested that you do not use the portal for key updates until an updated PowerShell version (supporting the above) is available. Using the portal to perform key updates may impact your PowerShell automation until an updated version is available.
  • The audit policy can be used for auditing vaults that had encryption using customer-managed keys enabled after 3/31/2021. For vaults that had CMK encryption enabled before this date, the policy may result in failures or false negatives (i.e., these vaults may show up as non-compliant despite having CMK encryption enabled). Please refer here for more details on this.

Refer to the documentation for more details on encryption for Azure Backup using customer managed keys. 
