Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 5 Assign the encryption key to the Recovery Services vault
@20aman Jul 05, 2020In this post, we will assign the key from a Key Vault to a Recovery Services vault. This is to use the custom key with the key vault.
First, make sure that you have a key in the key vault. Also, the key should be at least RSA 2048. The key should be in the Enabled state in the key vault. If you don't have one then you can generate one using the key vault. In a practical scenario, you should use your own custom keys.
You can generate a custom key in the Key Vault by navigating to the "Keys" under settings. Next, click on the "+ Generate/Import" button. In the next blade to "Create a key" you can provide the values similar to below to generate a key. Click Create button to create a key.
Now that you have a key in the Key vault, we can use this to encrypt the backup vault (i.e. the recovery services vault). Navigate to the recovery services vault and click on Properties. Here, click on the "Update" link under the Encryption Settings.
To use your own key, select the check box for "Use your own key". You can then either provide a URI for the key or select a key from a key vault. In this post, we will select the second option. Next, click on the "Select key from Key Vault" link to open a new blade.
In the new blade for "Select key from Azure Key Vault", select the subscription, Key vault, and the Key that you want to use to encrypt. Click on the Select button and then the Save button to save the settings.
When you click Save the setting is not final. It submits a job that you can monitor in the Backup Jobs section under Monitoring in the recovery services vault. Once this job completes successfully, as shown below, only then the configurations are complete.
Note that once you have enabled this setting you can't revert back to using the platform managed keys. The check box for "Use your own key" in the Encryption settings becomes disabled. You can however update the custom key being used to encrypt everything.