Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 5 Assign the encryption key to the Recovery Services vault

@20aman    Jul 05, 2020

In this post, we will assign a key from Azure Key Vault to a Recovery Services vault, so that the vault's backup data is encrypted with your own (customer-managed) key instead of a platform-managed one.

First, make sure that you have a key in the Key Vault. Azure Backup requires an RSA key of at least 2048 bits, and the key must be in the Enabled state. If you don't have one, you can generate one in the Key Vault; in a practical scenario you should use your own custom keys. Azure Backup also requires soft delete and purge protection to be enabled on the Key Vault, and the Recovery Services vault's managed identity needs the Get, List, Wrap Key and Unwrap Key permissions on that Key Vault, otherwise the assignment job will fail.

You can generate a key in the Key Vault by navigating to "Keys" under Settings. Next, click the "+ Generate/Import" button. In the "Create a key" blade, provide values similar to those shown below and click Create.

Generating a Key

Now that you have a key in the Key Vault, we can use it to encrypt the backup vault (i.e. the Recovery Services vault). Navigate to the Recovery Services vault and click Properties. Under Encryption Settings, click the "Update" link.

Encryption Settings

To use your own key, select the "Use your own key" check box. You can then either enter the key URI directly or select a key from a Key Vault. In this post we use the second option: click the "Select key from Key Vault" link to open a new blade.

Selecting the option to use your own key

In the new blade, "Select key from Azure Key Vault", select the subscription, the Key Vault, and the key you want to use for encryption. Click Select, then Save to apply the settings.

Selecting the Key from the Key Vault

Clicking Save does not make the setting final. It submits a job that you can monitor under Backup Jobs in the Monitoring section of the Recovery Services vault. The configuration is complete only once this job finishes successfully, as shown below.

Backup Job

Note that once you have enabled this setting you can't revert to platform-managed keys: the "Use your own key" check box in the Encryption settings becomes disabled. You can, however, change the customer-managed key used to encrypt the vault, which is also how you rotate it.
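The same workflow can be scripted with the Az PowerShell modules, which is useful when you have many vaults or want the prerequisite checks enforced before the one-way switch is made. The script below is an added example, not part of the original post; the resource group, vault, Key Vault and key names are placeholders, and it assumes you have already run Connect-AzAccount and that the Recovery Services vault already has a system-assigned managed identity.

```powershell
# Added example (not from the original post): assign a customer-managed key to a
# Recovery Services vault with Az.KeyVault and Az.RecoveryServices.
# All resource names below are placeholders; adjust them for your environment.
$resourceGroup  = "rg-backup-demo"       # placeholder resource group
$vaultName      = "rsv-demo"             # placeholder Recovery Services vault
$keyVaultName   = "kv-backup-demo"       # placeholder Key Vault
$keyName        = "rsv-encryption-key"   # placeholder key name
$subscriptionId = (Get-AzContext).Subscription.Id

# 1. Azure Backup requires soft delete and purge protection on the Key Vault.
#    Check this first: it is cheap to verify and the assignment job fails without it.
$kv = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroup
if (-not $kv.EnableSoftDelete -or -not $kv.EnablePurgeProtection) {
    throw "Key Vault '$keyVaultName' must have soft delete and purge protection enabled."
}

# 2. Get the key, or generate one. Azure Backup needs an RSA key of at least
#    2048 bits in the Enabled state. In production, import your own key instead.
$key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName `
        -Destination Software -KeyType RSA -Size 2048
}
if (-not $key.Enabled) {
    throw "Key '$keyName' is not in the Enabled state."
}

# 3. The vault's managed identity must be able to wrap and unwrap with the key.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroup -Name $vaultName
$principalId = $vault.Identity.PrincipalId
if (-not $principalId) {
    throw "Vault '$vaultName' has no system-assigned managed identity; enable it first."
}
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $principalId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey

# 4. Assign the key. This is the "Use your own key" + Save step from the portal.
#    It is one-way: the vault cannot go back to platform-managed keys afterwards.
#    $key.Id is the versioned key URI, the same value the portal selector fills in.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID `
    -EncryptionKeyId $key.Id -KeyVaultSubscriptionId $subscriptionId

# 5. Saving only submits a job. Show the vault's encryption properties and the
#    recent Backup Jobs so the result of that job can be confirmed.
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
Get-AzRecoveryServicesBackupJob -VaultId $vault.ID `
    -From (Get-Date).AddMinutes(-30).ToUniversalTime() |
    Select-Object JobId, Operation, Status, StartTime, EndTime
```

Re-running the script with a new key name (or a new version of the same key) performs the key update mentioned above; the prerequisite checks in steps 1 to 3 are the ones to keep in any automation, because the switch in step 4 cannot be undone.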




