The virtual machine is encrypted with disk encryption for data and OS disks. Now I want to continue the encryption by moving the same machine into another subscription. The encryption keys are stored in Key Vault.
-
This looks to have some guidance: https://github.com/MicrosoftDocs/azure-docs/issues/8684#issuecomment-400024929 – Mark Wragg Apr 30 '19 at 14:01
-
Thanks Mark, $vm.StorageProfile.OsDisk.EncryptionSettings is coming as null – saikiran potru Apr 30 '19 at 14:45
-
You need to give the full code and say where you are stuck. – Ranadip Dutta Apr 30 '19 at 15:40
-
Any update on your side? Is this helpful? – Nancy May 02 '19 at 06:40
-
There is no direct option; you need to decrypt, take a snap of it, and use it in another subscription – saikiran potru May 05 '19 at 06:22
-
Yes, there is not an option for decryption in the Portal. I mean you can disable encryption via the Azure Resource Manager template, PowerShell cmdlets, or the Azure CLI. https://learn.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview#decryption-workflow – Nancy May 06 '19 at 09:56
1 Answer
2
Virtual disks on Azure VMs are encrypted by using cryptographic keys that are secured in an Azure Key Vault. The documentation states that

"Virtual Machines with certificate stored in Key Vault can be moved to a new resource group in the same subscription, but not across subscriptions."

and

"Key Vault - Key Vaults used for disk encryption can't be moved to resource groups in the same subscription or across subscriptions."

So you need to disable encryption on the virtual machine first, then move it, and enable encryption again with a new key vault.

Nancy
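The disable, move, re-enable sequence from the answer above, sketched with the Az PowerShell module as an added example (not code from the original post). All subscription IDs, resource group names, the VM name and the vault name are placeholders, and it assumes the VM and its dependent resources sit in one resource group, the destination resource group already exists, and both subscriptions are in the same tenant.

```powershell
# Added example: every name and ID below is a placeholder, not a value from the post.
$srcSub = '<source-subscription-id>'
$dstSub = '<destination-subscription-id>'
$srcRg  = 'rg-source'            # assumed: VM, disks, NIC etc. all live here
$dstRg  = 'rg-destination'       # assumed: already exists in $dstSub
$vmName = 'vm-encrypted'
$newKv  = 'kv-ade-destination'   # Key Vault names must be globally unique

# 1. Disable encryption in the source subscription and confirm it took effect,
#    so the VM no longer depends on the old vault before it is moved.
Set-AzContext -Subscription $srcSub | Out-Null
Disable-AzVMDiskEncryption -ResourceGroupName $srcRg -VMName $vmName -VolumeType All -Force
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $srcRg -VMName $vmName
$states = @("$($status.OsVolumeEncrypted)", "$($status.DataVolumesEncrypted)")
if ($states -contains 'Encrypted') {
    throw "Disks still encrypted ($($states -join ', ')); not moving $vmName."
}

# 2. Move the top-level resources. The old Key Vault is excluded, since a vault
#    used for disk encryption cannot be moved; child resources (for example VM
#    extensions) are skipped on the assumption that they travel with their parent.
$ids = Get-AzResource -ResourceGroupName $srcRg |
    Where-Object { $_.ResourceType -ne 'Microsoft.KeyVault/vaults' -and
                   $_.ResourceType.Split('/').Count -eq 2 } |
    Select-Object -ExpandProperty ResourceId
Move-AzResource -DestinationSubscriptionId $dstSub `
    -DestinationResourceGroupName $dstRg -ResourceId $ids -Force

# 3. In the destination subscription, create a new vault enabled for disk
#    encryption in the VM's region, then re-encrypt against it.
Set-AzContext -Subscription $dstSub | Out-Null
$vm = Get-AzVM -ResourceGroupName $dstRg -Name $vmName
$kv = New-AzKeyVault -VaultName $newKv -ResourceGroupName $dstRg `
    -Location $vm.Location -EnabledForDiskEncryption
Set-AzVMDiskEncryptionExtension -ResourceGroupName $dstRg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify the result rather than trusting the cmdlet's exit.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $dstRg -VMName $vmName
```

The disks are unencrypted at rest by Azure Disk Encryption between steps 1 and 3, so keep that window short and restrict access to the resource groups while it is open. On Linux VMs, Azure Disk Encryption can only be disabled for data volumes, so a Linux VM with an encrypted OS disk cannot follow this path as written.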