Azure Disk Encryption Disaster Recovery / Migration

In a previous post we looked at how Azure Disk Encryption stores the BEK files in Azure Key Vault, and how it is possible to recover the BEK Files if required to manually unlock a VHD.

In this post we will look at how you can recover or migrate an entire VM that is encrypted with Azure Disk Encryption. In this scenario we will have a VM in Australia East that has its BEK files uploaded to Azure Key Vault in the same region, and we will be performing a migration or DR restoration including a new Key Vault in the Australia Southeast region.

In the following diagram we have example names of testvault01 in Australia East and testvault02 in Australia Southeast. All names have been modified for demonstration purposes.

We will be performing the following actions:

  1. Export the BitLocker BEK file secrets from the source Key Vault into the Key Vault in the secondary region
  2. Perform a blob copy of the OS VHD file to copy the VHD to the secondary region
  3. Provision a new VM from the existing pre-encrypted VHD

Migrate or Disaster Recovery of BitLocker VM using Key Vault

Export BitLocker Encryption Key (BEK) file from Key Vault into DR Key Vault

This is easy to do since the secrets already exist in the source Key Vault in the required format; we do not need to generate the actual BEK file and re-upload it. We simply need to read the secrets from the existing Key Vault and then feed the values into the new one.

After this is done we can check the new Key Vault and confirm the secrets have been uploaded: Get-AzureKeyVaultSecret -VaultName

Copy VHD to secondary region

After the secrets have been imported into the new Key Vault, the next step is to copy the BitLocker-encrypted VHD to the secondary region. This is very simple using Start-AzureStorageBlobCopy.

Create new Azure VM using Pre-Encrypted Disk option and link to new Key Vault

The final step is to create a new Azure VM using the VHD that was pre-encrypted by the Azure Disk Encryption extension. First make sure you have the latest version of the Azure PowerShell module, as switches have been added to the Set-AzureRmVmOsDisk cmdlet that make this possible. This also assumes that the vNet and storage account have already been created in the secondary region. Note that the DiskEncryptionKeyUrl is the secret URL including the version.
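The three steps above as one script. This is an added example, not the post's own code: vault names follow the diagram, while the secret name, storage accounts, resource group, vNet and VM names are placeholders, and the AzureRM-era cmdlets and the -Tag/-ContentType handling are assumed from the module the post refers to.

```powershell
# Added example (not the post's own script); names below are placeholders.
$srcVault   = 'testvault01'                              # Australia East (source)
$dstVault   = 'testvault02'                              # Australia Southeast (DR)
$secretName = 'PLACEHOLDER-BEK-SECRET-NAME'              # as listed by Get-AzureKeyVaultSecret -VaultName $srcVault
$rg = 'dr-rg'; $location = 'australiasoutheast'

# Step 1: copy the BEK secret vault-to-vault. Tags and content type are carried over
# unchanged so the ADE extension still recognises the secret. The BEK stays a SecureString
# end-to-end; it is never written to disk or echoed.
$src = Get-AzureKeyVaultSecret -VaultName $srcVault -Name $secretName
$dst = Set-AzureKeyVaultSecret -VaultName $dstVault -Name $src.Name -SecretValue $src.SecretValue `
        -ContentType $src.ContentType -Tag $src.Tags
$diskEncryptionKeyUrl = $dst.Id      # versioned URL: https://<vault>.vault.azure.net/secrets/<name>/<version>

# Guard against the unversioned form, which the VM cannot use to retrieve its BEK.
if ($diskEncryptionKeyUrl -notmatch '/secrets/[^/]+/[0-9a-f]{32}$') {
    throw "DiskEncryptionKeyUrl must include the secret version: $diskEncryptionKeyUrl"
}

# Step 2: blob-copy the encrypted OS VHD to the secondary region and wait for completion.
$srcKey = (Get-AzureRmStorageAccountKey -ResourceGroupName 'src-rg' -Name 'srcstorage01')[0].Value
$dstKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rg -Name 'drstorage01')[0].Value
$srcCtx = New-AzureStorageContext -StorageAccountName 'srcstorage01' -StorageAccountKey $srcKey
$dstCtx = New-AzureStorageContext -StorageAccountName 'drstorage01'  -StorageAccountKey $dstKey
$vhd = 'testvm01-osdisk.vhd'
Start-AzureStorageBlobCopy -SrcContainer 'vhds' -SrcBlob $vhd -Context $srcCtx `
    -DestContainer 'vhds' -DestBlob $vhd -DestContext $dstCtx | Out-Null
Get-AzureStorageBlobCopyState -Container 'vhds' -Blob $vhd -Context $dstCtx -WaitForComplete | Out-Null
$vhdUri = "https://drstorage01.blob.core.windows.net/vhds/$vhd"

# Step 3: attach the pre-encrypted VHD and point the VM at the DR Key Vault.
$kvId     = (Get-AzureRmKeyVault -VaultName $dstVault).ResourceId
$subnetId = (Get-AzureRmVirtualNetwork -Name 'dr-vnet' -ResourceGroupName $rg).Subnets[0].Id
$nic = New-AzureRmNetworkInterface -Name 'testvm01-nic' -ResourceGroupName $rg -Location $location -SubnetId $subnetId
$vm  = New-AzureRmVMConfig -VMName 'testvm01' -VMSize 'Standard_DS2_v2'
$vm  = Set-AzureRmVMOSDisk -VM $vm -Name 'testvm01-osdisk' -VhdUri $vhdUri -CreateOption Attach -Windows `
        -DiskEncryptionKeyUrl $diskEncryptionKeyUrl -DiskEncryptionKeyVaultId $kvId
$vm  = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
New-AzureRmVM -ResourceGroupName $rg -Location $location -VM $vm
```

Repeat step 1 for each BEK secret (one per encrypted volume) before creating the VM; if a KEK was used, the wrapped secret and key must be handled the same way in the DR vault.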

That’s it: the VM has been successfully restored into the secondary region and is configured to retrieve its BEK file from the new Key Vault. Thanks again to the Azure Security Team for helping validate these scenarios; make sure you check out their blog.