I am new to Azure Backup and Azure Key Vault. I would like to have an Azure Disk Encryption VM and do normal backups of its disks. My first question is: does Azure Backup store the VM disks as-is, encrypted? I understand that Azure Backup needs (in order to back up) access to Azure Key Vault. Why? I miss the point of why the backup service needs to decrypt the VM in order to back it up. Or maybe the VM is not backed up using the same BEK, but rather Azure Backup is "changing" the encryption key? I would expect the backup to be done 1:1, thus no need to access Key Vault at all. What am I missing here?
After doing more research I think I understand that, since Azure Recovery/Backup Service uses the SSE encryption method, it needs access to Key Vault because it needs to use the KEK (in the CMK scenario). But I am not 100% sure. – toto' Aug 15 '21 at 16:33
1 Answer
Yes, the encryption keys will be stored in Azure Key Vault.
Azure Backup supports backup of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE). ADE uses BitLocker for encryption of Windows VMs, and the dm-crypt feature for Linux VMs. ADE integrates with Azure Key Vault to manage disk-encryption keys and secrets. Key Vault Key Encryption Keys (KEKs) can be used to add an additional layer of security, encrypting encryption secrets before writing them to Key Vault.
When you encrypt disks with customer-managed keys (CMK), the key used for encrypting the disks is stored in the Azure Key Vault and is managed by you. Storage Service Encryption (SSE) using CMK differs from Azure Disk Encryption (ADE) encryption. ADE uses the encryption tools of the operating system. SSE encrypts data in the storage service, enabling you to use any OS or images for your VMs.
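The answer above says Azure Backup accesses the keys and secrets in Key Vault to protect an ADE-encrypted VM; the concrete steps a practitioner wants at this point are (a) checking where this VM's BEK secret and (optional) KEK key actually live, (b) granting the Backup Management Service principal the access it needs, and (c) verifying the grant before enabling backup. Azure's documentation for backing up encrypted VMs specifies Get, List and Backup permissions on both keys and secrets for that principal. The following Az PowerShell script is an added example, not code from the question or the answer; the resource group, VM, Key Vault, Recovery Services vault and policy names are assumed placeholders.

```powershell
# Added example (not from the original question or answer).
# Assumed names: resource group "rg-ade-demo", VM "vm-ade-01",
# Key Vault "kv-ade-demo", Recovery Services vault "rsv-ade-demo",
# backup policy "DefaultPolicy". Needs the Az.Compute, Az.KeyVault,
# Az.Resources and Az.RecoveryServices modules and a Connect-AzAccount session.

$rg      = "rg-ade-demo"
$vmName  = "vm-ade-01"
$kvName  = "kv-ade-demo"
$rsvName = "rsv-ade-demo"

# 1. Where do this VM's ADE secrets live?
#    ADE stores the BEK as a Key Vault *secret* (SecretUrl). If a KEK is used,
#    the BEK is wrapped by a Key Vault *key* (KeyUrl). Both are in Key Vault,
#    which is what Azure Backup must be able to read.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
"OS volume encrypted:    $($status.OsVolumeEncrypted)"
"Data volumes encrypted: $($status.DataVolumesEncrypted)"
$settings = $status.OsVolumeEncryptionSettings
if ($settings) {
    "BEK secret URL: $($settings.DiskEncryptionKey.SecretUrl)"
    "KEK key URL:    $($settings.KeyEncryptionKey.KeyUrl)"   # empty when no KEK is configured
} else {
    "Encryption settings not exposed on the VM model; inspect the managed disk's EncryptionSettingsCollection instead."
}

# 2. Grant the Backup Management Service principal read-only + backup access.
#    Looking the principal up by display name avoids hard-coding its app ID.
$backupSp = Get-AzADServicePrincipal -DisplayName "Backup Management Service"
if (-not $backupSp) { throw "Backup Management Service principal not found in this tenant" }

Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg `
    -ObjectId $backupSp.Id `
    -PermissionsToKeys    get,list,backup `
    -PermissionsToSecrets get,list,backup

# 3. Verify the access policy that was actually written.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
$kv.AccessPolicies |
    Where-Object { $_.ObjectId -eq $backupSp.Id } |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets

# 4. Enable backup of the encrypted VM in the Recovery Services vault.
$rsv    = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $rsv.ID
Enable-AzRecoveryServicesBackupProtection -ResourceGroupName $rg -Name $vmName `
    -Policy $policy -VaultId $rsv.ID
```

Two caveats: the grant is intentionally minimal (no Decrypt, UnwrapKey or Set permissions), so review any policy that gives the backup principal more than Get/List/Backup; and `Set-AzKeyVaultAccessPolicy` only applies to vaults using the access-policy permission model, so a vault with Azure RBAC authorization enabled needs a role assignment instead.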
Thanks, but I know that part of the Azure docs. It does not answer my question. Again, why, technically, does Azure Backup need access to Key Vault? What is the technical reason for that? – toto' Aug 16 '21 at 09:39
When you want to encrypt your VM with ADE or SSE, it requires keys for encryption, and these keys will be stored in Key Vault. When you enable backup for the encrypted VM, it will access the keys/secrets in Key Vault for protecting the encrypted VMs. This is the reason Azure Backup requires access to Key Vault. – JayakrishnaGunnam-MT Aug 16 '21 at 13:18
@toto' The answer was right there in the first sentence. The encryption keys used to encrypt the Backup data are stored in Key Vault. That's why it needs access to Key Vault. You can't encrypt/decrypt without the keys. – Matt Small Aug 16 '21 at 13:48
@JayakrishnaGunnam-MT OK, I understood that. But since the VM is already encrypted, wouldn't it be possible to back it up as-is? My point is: why does Azure Backup need to access the key if the VM is already encrypted? Why decrypt it and encrypt it again? Maybe the backup service is using different keys, and it just needs access to the KEK? Sorry if I was unclear. – toto' Aug 16 '21 at 19:05
I assume that not everybody has an encrypted disk, and that backup is encrypted by default, so it would still need access to a pair of keys. – Matt Small Aug 17 '21 at 22:18