In my last few blog posts, I have explained how we can encrypt Azure VMs (Windows & Linux) using BitLocker & dm-crypt. You can access these articles using the following links,
Step-by-Step Guide to Encrypt Azure Windows VM using BitLocker (PowerShell Guide) – https://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-windows-vm-using-bitlocker-powershell-guide/https://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-windows-vm-using-bitlocker-powershell-guide/
Step-by-Step Guide to Encrypt Azure Linux VM (PowerShell Guide) – https://www.rebeladmin.com/2019/09/step-step-guide-encrypt-azure-linux-vm-powershell-guide/
When we encrypt complete disks, it not only encrypting the files in there. It also encrypts file system information which uses by the operating system. The operating system itself doesn't have an issue accessing content as it is aware of the key information. But any other system can't access this content without the encryption key information. This is the same when it comes to backup and restore. In this demo, I am going to demonstrate how we can backup and restore an encrypted Azure VM using Azure Backup.
As with any other backup solution, Azure backup also has a certain limitation when it comes to encrypted data backup/restore.
1. Encrypted VM backup/restore only supported within the same region & same subscription.
2. Azure backup only supports the VM which is encrypted using standalone keys.
3. When it comes to data restore, Encrypted VM required full restore. It can't recover data in files or folders level.
4. When restoring VM, Azure backup can't use replace existing VM option for encrypted VMs.
In my demo environment, I already have an encrypted windows VM called REBELVM01. I am going to back up it and restore using Azure Backup.
Create a Recovery Services backup vault
Before we go ahead with backup, first we need a recovery service backup vault. It can be created using,
New-AzRecoveryServicesVault -ResourceGroupName "REBELRG1" -Name "REBELRecoveryServicesVault" -Location "East US"
[su_note]I am using Azure PowerShell module here. You can find more info about it under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0[/su_note]
In the above, I am creating a recovery service vault called "REBELRecoveryServicesVault" in the same resource group as my encrypted VM.