Use Key Encryption Keys to Backup Your Encrypted Azure Virtual Machines

imageMany of you have been asking us about the ability to encrypt virtual machines in Azure.image

It’s an important question, because many security teams and compliance team require that virtual machines be encrypted.

The good news is that we have a great feature called Azure Disk Encryption that enables you to encrypt the virtual disk files that comprise your virtual machines.

When you encrypt the virtual disk files, you protect them from being stolen by anyone who might get access to those files. For example, if someone were able to somehow connect to your Azure storage and download the virtual disk files, they would not be able to open those files because they don’t have access to the encryption keys.

Encrypting virtual machines is relatively easy – but there’s one thing you need to be aware of – make sure to use a Key Encryption Key (KEK) when you encrypt your virtual machines if you want to back them up with Azure Backup.

A Key Encryption Key (KEK) provides an additional layer of security to wrap the BitLocker encryption keys, and we recommend that you add a KEK to your Key Vault for use in the disk encryption provisioning process. Use the Add-AzureKeyVaultKey cmdlet to create a new Key Encryption Key in Key Vault. You can also import KEK from your on-premises key management HSM.

For more details, see Key Vault documentation.


Please let us know if you run into any issues with encrypting your virtual machines or have problems using a KEK to support backing up encrypted virtual machines.



Tom Shinder
Program Manager, Azure Security
@tshinder | Facebook | LinkedIn | Email | Web | Bing me! | GOOG me

Comments (0)

Skip to main content