## About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
## Bias Analysis
Bias types flagged:
- powershell_heavy
- windows_tools
- windows_first
Summary:
The documentation demonstrates a moderate Windows bias. PowerShell is featured prominently and often listed before Azure CLI, and there are multiple references to Windows-specific tools and patterns (e.g., BitLocker, MARS agent). Linux-specific tools or workflows are not mentioned with equal prominence, and the documentation assumes familiarity with PowerShell, which is traditionally associated with Windows environments.
Recommendations:
- Ensure parity between PowerShell and Azure CLI examples by presenting them in parallel or alternating their order.
- Explicitly mention Linux equivalents (e.g., DM-Crypt) wherever Windows tools like BitLocker are referenced, and provide links to relevant documentation.
- Avoid language that assumes PowerShell as the default or primary automation tool; clarify that both PowerShell and CLI are cross-platform.
- Where Windows-specific limitations (such as MARS agent) are discussed, also clarify Linux agent/tool support and any equivalent limitations.
- Consider including Bash scripting examples for Linux users where appropriate, especially for automation scenarios.
- Review the order of examples and tool mentions to avoid consistently prioritizing Windows/PowerShell over cross-platform or Linux-native options.
## Flagged Code Snippets
```powershell
# Enable the vault's system-assigned managed identity (resource group and vault names are case-insensitive)
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "testrg" -Name "testvault"
Update-AzRecoveryServicesVault -IdentityType SystemAssigned -ResourceGroupName "testrg" -Name "testvault"
# Re-read the vault so $vault.Identity shows the new PrincipalId instead of the pre-update object
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "testrg" -Name "testvault"
$vault.Identity | Format-List
```
---
#### Assign a user-assigned managed identity to the vault (in preview)
> [!NOTE]
> Vaults that use user-assigned managed identities for CMK encryption don't support the use of private endpoints for Backup.
>
> Key vaults that limit access to specific networks aren't yet supported for use with user-assigned managed identities for CMK encryption.
To assign the user-assigned managed identity for your Recovery Services vault, choose a client:
# [Azure portal](#tab/portal)
1. Go to *your Recovery Services vault* > **Identity**.
2. Select the **User assigned (preview)** tab.
3. Select **+Add** to add a user-assigned managed identity.
4. On the **Add user assigned managed identity** panel, select the subscription for your identity.
5. Select the identity from the list. You can also filter by the name of the identity or resource group.
6. Select **Add** to finish assigning the identity.
:::image type="content" source="media/encryption-at-rest-with-cmk/assign-user-assigned-managed-identity-to-vault.png" alt-text="Screenshot that shows selections for assigning a user-assigned managed identity to a vault." lightbox="media/encryption-at-rest-with-cmk/assign-user-assigned-managed-identity-to-vault.png":::
# [PowerShell](#tab/powershell)
Use the [Update-AzRecoveryServicesVault](/powershell/module/az.recoveryservices/update-azrecoveryservicesvault) command to enable a user-assigned managed identity for the Recovery Services vault.
Example:
---
### Assign permissions to the Recovery Services vault to access the encryption key in Azure Key Vault
You now need to permit the Recovery Services vault's managed identity to access the key vault that contains the encryption key.
If you're using a user-assigned identity, you must assign the same permissions to it.
Choose a client:
# [Azure portal](#tab/portal)
1. Go to *your key vault* > **Access policies**. Select **+Add Access Policy**.
:::image type="content" source="./media/encryption-at-rest-with-cmk/access-policies.png" alt-text="Screenshot that shows selections to add an access policy." lightbox="./media/encryption-at-rest-with-cmk/access-policies.png":::
2. Specify the actions to permit on the key. For **Key permissions**, select the **Get**, **List**, **Unwrap Key**, and **Wrap Key** operations.
:::image type="content" source="./media/encryption-at-rest-with-cmk/key-permissions.png" alt-text="Screenshot that shows selections for assigning key permissions." lightbox="./media/encryption-at-rest-with-cmk/key-permissions.png":::
3. Go to **Select principal** and search for your vault in the search box by using its name or managed identity. When the vault appears, select it and then choose **Select** at the bottom of the panel.
:::image type="content" source="./media/encryption-at-rest-with-cmk/select-principal.png" alt-text="Screenshot that shows the panel for selecting a principal." lightbox="./media/encryption-at-rest-with-cmk/select-principal.png":::
4. Select **Add** to add the new access policy.
5. Select **Save** to save changes that you made to the access policy of the key vault.
You can also assign an RBAC role to the Recovery Services vault that contains the previously mentioned permissions, such as the [Key Vault Crypto Officer](/azure/key-vault/general/rbac-guide#azure-built-in-roles-for-key-vault-data-plane-operations) role. This role might contain additional permissions.
# [PowerShell](#tab/powershell)
Use the [Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal) command to get the principal ID of the Recovery Services vault. Then, use this ID in the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) command to set an access policy for the key vault.
Example:
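The following is an added example, not code from the Azure documentation page. It grants the vault's managed identity only the four key operations the page lists, reads the principal ID from the vault object instead of resolving a display name, and handles both access-policy and RBAC-mode key vaults; the names `testrg`, `testvault`, `testkeyvault`, `testidentity` and the helper `Grant-VaultKeyAccess` are placeholders.

```powershell
# Added example (not from the Azure docs page). Assumed placeholders: resource group "testrg",
# key vault "testkeyvault", Recovery Services vault "testvault", user-assigned identity "testidentity".
function Grant-VaultKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,   # object ID of the managed identity
        [Parameter(Mandatory)] $KeyVault                 # output of Get-AzKeyVault
    )
    if ($KeyVault.EnableRbacAuthorization) {
        # RBAC-mode vault: access policies are ignored. Use the narrowest built-in data-plane role
        # that covers get/wrap/unwrap (a subset of the Crypto Officer role the page mentions).
        New-AzRoleAssignment -ObjectId $PrincipalId `
            -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
            -Scope $KeyVault.ResourceId | Out-Null
    } else {
        # Access-policy vault: grant exactly the operations the page lists, nothing more.
        Set-AzKeyVaultAccessPolicy -VaultName $KeyVault.VaultName `
            -ResourceGroupName $KeyVault.ResourceGroupName -ObjectId $PrincipalId `
            -PermissionsToKeys get, list, unwrapkey, wrapkey
    }
}

$vault    = Get-AzRecoveryServicesVault -ResourceGroupName "testrg" -Name "testvault"
$keyVault = Get-AzKeyVault -VaultName "testkeyvault" -ResourceGroupName "testrg"

# Use the principal ID the vault reports rather than a Get-AzADServicePrincipal -DisplayName lookup:
# display names are not unique, so a name lookup can silently pick the wrong principal.
$systemId = $vault.Identity.PrincipalId
if (-not $systemId) { throw "Vault '$($vault.Name)' has no system-assigned identity; enable it first." }
Grant-VaultKeyAccess -PrincipalId $systemId -KeyVault $keyVault

# A user-assigned identity on the vault needs the same permissions.
$uai = Get-AzUserAssignedIdentity -ResourceGroupName "testrg" -Name "testidentity" -ErrorAction SilentlyContinue
if ($uai) { Grant-VaultKeyAccess -PrincipalId $uai.PrincipalId -KeyVault $keyVault }

# Review what was granted; with access policies, each entry should show only the four key permissions.
(Get-AzKeyVault -VaultName $keyVault.VaultName -ResourceGroupName $keyVault.ResourceGroupName).AccessPolicies |
    Where-Object { $_.ObjectId -in @($systemId, $uai.PrincipalId) } |
    Select-Object ObjectId, PermissionsToKeys
```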
---
### Enable soft delete and purge protection on Azure Key Vault
You need to enable soft delete and purge protection on the key vault that stores your encryption key.
Choose a client:
# [Azure portal](#tab/portal)
You can enable soft delete and purge protection from the Azure Key Vault interface, as shown in the following screenshot. Alternatively, you can set these properties while creating the key vault. [Learn more about these Key Vault properties](/azure/key-vault/general/soft-delete-overview).
:::image type="content" source="./media/encryption-at-rest-with-cmk/soft-delete-purge-protection.png" alt-text="Screenshot that shows the toggles for enabling soft delete and purge protection." lightbox="./media/encryption-at-rest-with-cmk/soft-delete-purge-protection.png":::
# [PowerShell](#tab/powershell)
1. Sign in to your Azure account:
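As an added example (not the page's own code), the following signs in and then checks and, where needed, enables the two Key Vault properties this section requires; `Assert-KeyVaultProtected` is a hypothetical helper and `testkeyvault` / `testrg` are placeholders.

```powershell
# Added example (not from the Azure docs page). Placeholders: resource group "testrg", key vault "testkeyvault".
Connect-AzAccount | Out-Null   # sign in; omit if the session is already authenticated

function Assert-KeyVaultProtected {
    param([Parameter(Mandatory)] [string] $VaultName,
          [Parameter(Mandatory)] [string] $ResourceGroupName)

    $kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $kv) { throw "Key vault '$VaultName' not found in '$ResourceGroupName'." }

    # Soft delete is on by default for new vaults and cannot be turned off once enabled; an older
    # vault that still reports $false must be brought up to date before it can hold a CMK.
    if (-not $kv.EnableSoftDelete) {
        throw "Soft delete is not enabled on '$VaultName'; enable it before using the vault for CMK."
    }

    # Purge protection is opt-in and irreversible: it blocks permanent deletion of the key during the
    # retention window, which is what keeps backups recoverable if the key is deleted by mistake.
    if (-not $kv.EnablePurgeProtection) {
        Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -EnablePurgeProtection | Out-Null
        $kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    }
    if (-not $kv.EnablePurgeProtection) { throw "Failed to enable purge protection on '$VaultName'." }

    [pscustomobject]@{
        VaultName       = $kv.VaultName
        SoftDelete      = $kv.EnableSoftDelete
        PurgeProtection = $kv.EnablePurgeProtection
        RetentionDays   = $kv.SoftDeleteRetentionInDays
    }
}

Assert-KeyVaultProtected -VaultName "testkeyvault" -ResourceGroupName "testrg"
```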
---
### Assign an encryption key to the Recovery Services vault
Before you select the encryption key for your vault, ensure that:
- You enabled the Recovery Services vault's managed identity and assigned the required permissions to it.
- You enabled soft delete and purge protection for the key vault.
- No items are protected by or registered to the Recovery Services vault for which you want to enable CMK encryption.
To assign the key and follow the steps, choose a client:
# [Azure portal](#tab/portal)
1. Go to *your Recovery Services vault* > **Properties**.
2. Under **Encryption Settings**, select **Update**.
:::image type="content" source="./media/encryption-at-rest-with-cmk/encryption-settings.png" alt-text="Screenshot that shows properties for a Recovery Services vault." lightbox="./media/encryption-at-rest-with-cmk/encryption-settings.png":::
3. On the **Encryption Settings** pane, select **Use your own key** and then specify the key by using one of the following options. Be sure to use an RSA key that's in an enabled state.
- Select **Enter key URI**. In the **Key Uri** box, enter the URI for the key that you want to use for encrypting data in this Recovery Services vault. You can also get this key URI from the corresponding key in your key vault. In the **Subscription** box, specify the subscription for the key vault that contains this key.
Be sure to copy the key URI correctly. We recommend that you use the **Copy to clipboard** button provided with the key identifier.
:::image type="content" source="./media/encryption-at-rest-with-cmk/key-uri.png" alt-text="Screenshot that shows a key URI for a Recovery Services vault." lightbox="./media/encryption-at-rest-with-cmk/key-uri.png":::
When you're specifying the encryption key by using the full key URI with the version component, the key won't be autorotated. You need to update keys manually by specifying the new key or version when required. Alternatively, remove the version component of the key URI to get automatic rotation.
- Choose **Select from Key Vault**. On the **Key picker** pane, browse to and select the key from the key vault.
:::image type="content" source="./media/encryption-at-rest-with-cmk/key-vault.png" alt-text="Screenshot that shows the option for selecting a key from a key vault." lightbox="./media/encryption-at-rest-with-cmk/key-vault.png":::
When you specify the encryption key by using the **Key picker** pane, the key will be autorotated whenever a new version for the key is enabled. [Learn more about enabling autorotation of encryption keys](#enable-autorotation-of-encryption-keys).
4. Select **Save**.
5. Track the progress and status of the encryption key assignment by using the **Backup Jobs** view on the left menu. The status should soon change to **Completed**. Your vault will now encrypt all the data with the specified key as a KEK.
:::image type="content" source="./media/encryption-at-rest-with-cmk/status-succeeded.png" alt-text="Screenshot that shows the status of a backup job as completed." lightbox="./media/encryption-at-rest-with-cmk/status-succeeded.png":::
The encryption key updates are also logged in the vault's activity log.
:::image type="content" source="./media/encryption-at-rest-with-cmk/activity-log.png" alt-text="Screenshot that shows an activity log." lightbox="./media/encryption-at-rest-with-cmk/activity-log.png":::
# [PowerShell](#tab/powershell)
Use the [Set-AzRecoveryServicesVaultProperty](/powershell/module/az.recoveryservices/set-azrecoveryservicesvaultproperty) command to enable CMK encryption and to assign or update an encryption key.
Example:
This process remains the same when you want to update or change the encryption key. If you want to update and use a key from another key vault (different from the one that you're currently using), ensure that:
- The key vault is in the same region as the Recovery Services vault.
- The key vault has soft delete and purge protection enabled.
- The Recovery Services vault has the required permissions to access the key vault.
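The following added example (not code from the Azure documentation page) checks the prerequisites listed above before calling `Set-AzRecoveryServicesVaultProperty`, and builds either the versionless key URI (autorotation) or the versioned one (manual updates) from the key object; `Set-VaultCustomerManagedKey` is a hypothetical helper, the resource names are placeholders, and the `Key.Kty` property name is assumed from the Az.KeyVault key object.

```powershell
# Added example (not from the Azure docs page). Placeholders: resource group "testrg",
# Recovery Services vault "testvault", key vault "testkeyvault", key "testkey".
function Set-VaultCustomerManagedKey {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $KeyName,
        [switch] $PinVersion   # use the versioned key URI: no autorotation, manual key updates
    )
    $vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName
    $kv    = Get-AzKeyVault -VaultName $KeyVaultName
    $key   = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyName

    # Prerequisites from the page: same region, soft delete + purge protection, enabled RSA key,
    # and a managed identity on the vault (which must already hold key permissions).
    if ($kv.Location -ne $vault.Location) { throw "Key vault and Recovery Services vault must be in the same region." }
    if (-not ($kv.EnableSoftDelete -and $kv.EnablePurgeProtection)) { throw "Key vault needs soft delete and purge protection." }
    if (-not $key.Enabled) { throw "Key '$KeyName' is disabled." }
    if ($key.Key.Kty -notlike 'RSA*') { throw "Key '$KeyName' is $($key.Key.Kty); CMK requires an RSA key." }   # Kty: assumed property name
    if (-not $vault.Identity.PrincipalId) { throw "Vault '$VaultName' has no managed identity." }

    # $key.Id carries the version (https://<kv>.vault.azure.net/keys/<name>/<version>). Dropping the
    # last segment gives the versionless URI, which lets Backup pick up new key versions automatically.
    $keyUri = if ($PinVersion) { $key.Id } else { $key.Id -replace '/[^/]+$', '' }

    # Read the key vault's subscription from its resource ID instead of typing it in.
    $kvSubscription = ($kv.ResourceId -split '/')[2]

    Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -EncryptionKeyId $keyUri `
        -KeyVaultSubscriptionId $kvSubscription | Out-Null
    return $keyUri
}

# Assign with autorotation (versionless URI). Add -PinVersion to freeze the current key version.
$assigned = Set-VaultCustomerManagedKey -ResourceGroupName "testrg" -VaultName "testvault" `
    -KeyVaultName "testkeyvault" -KeyName "testkey"
"Encryption key set to $assigned"
```

The same call updates the key later; rerun it with a different key vault or key name after confirming the three conditions listed above.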
---
## Back up data to a vault encrypted via customer-managed keys
Before you configure backup protection, confirm that you successfully:
- Created your Recovery Services vault.
- Enabled the Recovery Services vault's system-assigned managed identity or assigned a user-assigned managed identity to the vault.
- Assigned permissions to your Recovery Services vault (or the user-assigned managed identity) to access encryption keys from your key vault.
- Enabled soft delete and purge protection for your key vault.
- Assigned a valid encryption key for your Recovery Services vault.
This checklist is important because after you configure (or try to configure) an item to back up to a non-CMK encrypted vault, you can't enable CMK encryption on it. It continues to use PMKs.
The process to configure and perform backups to a Recovery Services vault that's encrypted via CMKs is the same as the process to configure and perform backups to a vault that uses PMKs. There are no changes to the experience. This statement is true for the [backup of Azure VMs](./quick-backup-vm-portal.md) and the backup of workloads running inside a VM (for example, [SAP HANA](./tutorial-backup-sap-hana-db.md) or [SQL Server](./tutorial-sql-backup.md) databases).
## Restore data from a backup
### Restore data from a VM backup
You can restore data stored in the Recovery Services vault according to the steps described in [this article](./backup-azure-arm-restore-vms.md). When you're restoring from a Recovery Services vault that's encrypted via CMKs, you can choose to encrypt the restored data by using a disk encryption set (DES).
The experience that this section describes applies only when you restore data from CMK-encrypted vaults. When you restore data from a vault that isn't using CMK encryption, the restored data is encrypted via PMKs. If you restore from an instant recovery snapshot, the restored data is encrypted via the mechanism that you used for encrypting the source disk.
#### Restore a disk or VM
When you recover a disk or VM from a **Snapshot** recovery point, the restored data is encrypted with the DES that you used to encrypt the source VM's disks.
When you're restoring a disk or VM from a recovery point with **Recovery Type** as **Vault**, you can choose to encrypt the restored data by using a DES that you specify. Alternatively, you can continue to restore the data without specifying a DES. In that case, the encryption setting on the VM is applied.
During cross-region restore, CMK-enabled Azure VMs (which aren't backed up in a CMK-enabled Recovery Services vault) are restored as non-CMK-enabled VMs in the secondary region.
You can encrypt the restored disk or VM after the restore is complete, regardless of the selection that you made when you started the restore.
:::image type="content" source="./media/encryption-at-rest-with-cmk/restore-points.png" alt-text="Screenshot that shows restore points and recovery types." lightbox="./media/encryption-at-rest-with-cmk/restore-points.png":::
#### Select a disk encryption set while restoring from a vault recovery point
Choose a client:
# [Azure portal](#tab/portal)
To specify a DES under **Encryption Settings** in the restore pane, follow these steps:
1. For **Encrypt disk(s) using your key?**, select **Yes**.
2. In the **Encryption Set** dropdown list, select the DES that you want to use for the restored disks. Ensure that you have access to the DES.
> [!NOTE]
> The ability to choose a DES while restoring is supported if you're doing a cross-region restore. However, it's currently not supported if you're restoring a VM that uses Azure Disk Encryption.
:::image type="content" source="./media/encryption-at-rest-with-cmk/encrypt-disk-using-your-key.png" alt-text="Screenshot that shows selections for encrypting a disk by using a key." lightbox="./media/encryption-at-rest-with-cmk/encrypt-disk-using-your-key.png":::
# [PowerShell](#tab/powershell)
Use the [Get-AzRecoveryServicesBackupItem](/powershell/module/az.recoveryservices/get-azrecoveryservicesbackupitem) command with the parameter `-DiskEncryptionSetId <string>` to [specify the DES](/powershell/module/az.compute/get-azdiskencryptionset) for encrypting the restored disk. For more information about restoring disks from a VM backup, see [this article](./backup-azure-vms-automation.md#restore-an-azure-vm).
Example:
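An added example, not code from the Azure documentation page: it restores managed disks from a vault-tier recovery point into a chosen DES. It assumes the `-DiskEncryptionSetId` parameter of `Restore-AzRecoveryServicesBackupItem` in Az.RecoveryServices, assumes the recovery point object exposes a `RecoveryPointTier` property, and uses placeholder names (`testrg`, `testvault`, `testvm`, `teststaging`, `testdes`).

```powershell
# Added example (not from the Azure docs page). Placeholders: resource group "testrg", vault "testvault",
# protected VM "testvm", staging storage account "teststaging", disk encryption set "testdes".
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "testrg" -Name "testvault"
$des   = Get-AzDiskEncryptionSet -ResourceGroupName "testrg" -Name "testdes"

$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName "testvm" -VaultId $vault.ID
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID

# Only recovery points whose data lives in the vault can take a DES; snapshot-only points reuse the
# source disks' encryption. Pick the newest non-snapshot point from the last 30 days.
# (RecoveryPointTier is the assumed property name for the tier shown as "Recovery Type" in the portal.)
$rps = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
    -StartDate (Get-Date).AddDays(-30).ToUniversalTime() -EndDate (Get-Date).ToUniversalTime()
$rp = $rps | Where-Object { $_.RecoveryPointTier -ne 'Snapshot' } |
    Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw "No vault-tier recovery point found in the last 30 days." }

# The restore writes the VM configuration to the staging account and the disks to the target resource
# group, encrypted with the supplied DES instead of platform-managed keys.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp -VaultId $vault.ID `
    -VaultLocation $vault.Location `
    -StorageAccountName "teststaging" -StorageAccountResourceGroupName "testrg" `
    -TargetResourceGroupName "testrg" -DiskEncryptionSetId $des.Id

Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID | Out-Null
# Job details include the names of the restored disks and the config blob for building the VM.
(Get-AzRecoveryServicesBackupJobDetail -Job $job -VaultId $vault.ID).Properties
```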