
I’m trying to back up a virtual machine with disk encryption (both OS and data disks) using Recovery Services Vault in Azure. The key used for disk encryption is stored in Azure Key Vault, and I'm using RBAC (Role-Based Access Control) for access management instead of Access Policies.

Steps Taken:

  • I’ve enabled the Managed Identity for the Recovery Services Vault.
  • I’ve assigned the Managed Identity the following roles on the Key Vault (Key Vault Crypto User, Key Vault Reader).

Despite this, I'm still encountering the following error when attempting to back up the VM:

"Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines."


What I’ve Tried:

  • I’ve ensured the Key Vault is correctly configured with RBAC.
  • I’ve verified that the Recovery Services Vault’s Managed Identity has the correct roles assigned.
  • I have checked that both the OS and data disks of the virtual machine are encrypted using Azure Disk Encryption.

Question:

What additional permissions or steps are required to ensure that Azure Backup has sufficient access to the Key Vault for backing up encrypted virtual machines? Are there other specific roles or key permissions that need to be granted?

Additional Information:

Key Vault uses RBAC for permissions. The VM is fully encrypted with Azure Disk Encryption. The Managed Identity has Key Vault Crypto User and Key Vault Reader roles.


  • You need to assign the Key Vault Administrator role to the 'Backup Management Service' (RSV Identity) system identity, wait for some time, and check the status. Follow the MS doc: learn.microsoft.com/en-us/answers/questions/656431/… for more details. Commented Dec 27, 2024 at 12:41
  • @VenkatV I assigned it already; it still gives an error, see screenshots. Also, the link you provided is for an access policy. With an access policy it works fine; I'm trying to migrate to RBAC. Commented Dec 27, 2024 at 12:44
  • You can see the answer in the comments. Commented Dec 27, 2024 at 14:08
  • @VenkatV I gave the RSV Identity the administrator rights, see screenshot. Commented Dec 27, 2024 at 14:19
  • Have you tried the role Key Vault Crypto Officer? It is supported in this case, and it has the data action "Microsoft.KeyVault/vaults/keyrotationpolicies/*". Commented Dec 30, 2024 at 5:41



Problem: Azure Backup with Disk Encryption and Key Vault Permissions (RBAC).

The above error you encountered is due to multiple reasons.

  • Access the related issue.
  • The key was not attached to the recovery service vault before enabling backup.

To resolve the issue, follow the steps below.

  1. Create a VM with a customer-managed key using Key Vault keys. Follow the link for more details.


  2. Make sure to enable the resource access configuration with the following settings in Key Vault:
    Azure Virtual Machines for deployment
    Azure Disk Encryption for volume encryption


  3. Create a Recovery Services vault, enable the Managed Identity, and then assign the Key Vault Administrator role to that RSV identity.


  4. Add the encryption key to the Recovery Services vault by navigating to Properties > Encryption Settings > Enable the "Use your own key" option. Then, select the Key Vault, keys, and Managed Identity as shown in the image below.

After adding the keys to the RSV, the RSV will have access to the Key Vault. When taking the VM backup, the RSV will use that key for the encryption process.


  5. Once you update the encryption settings in the Recovery Services vault, enable the backup for the VM, including the OS disk and data disk.

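As an added example (not part of the question or the answer above), here is an offline Python check of the prerequisites this thread converges on: the vault must actually be in RBAC mode, the two resource-access flags from step 2 must be on, and the RSV identity must hold one of the roles reported to work (Key Vault Administrator from the answer, Key Vault Crypto Officer from the comments) at the vault scope or at an ancestor scope, since assignments at the resource group or subscription are inherited. The input shape matches what `az keyvault show -n <vault> -o json` and `az role assignment list --all --assignee <principalId> -o json` return; the vault id, principal id and assignments below are constructed sample data, and the accepted-role set is taken from this thread, not from Azure documentation.

```python
"""Offline check of the Key Vault RBAC prerequisites for backing up ADE-encrypted VMs.

Input shape follows `az keyvault show` and `az role assignment list`; all sample
values below are constructed for the example.
"""
from typing import Iterable, List

# Roles this thread reports as sufficient for the RSV identity (assumption: taken
# from the answer and the comments, not from an authoritative list).
ACCEPTED_ROLES = {"Key Vault Administrator", "Key Vault Crypto Officer"}


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` applies to `resource_id`.

    Azure RBAC assignments are inherited down the ARM hierarchy, so a match is
    either the exact resource id or any ancestor (subscription, resource group).
    The comparison is case-insensitive because ARM ids are.
    """
    s = scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def check_backup_keyvault_access(vault: dict, assignments: Iterable[dict],
                                 principal_id: str) -> List[str]:
    """Return a list of findings; an empty list means every prerequisite is met."""
    findings: List[str] = []
    props = vault.get("properties", {})

    # 1. RBAC mode: otherwise role assignments are ignored and access policies rule.
    if not props.get("enableRbacAuthorization"):
        findings.append("vault is not in RBAC mode (enableRbacAuthorization is false)")

    # 2. Resource access flags from step 2 of the answer.
    if not props.get("enabledForDiskEncryption"):
        findings.append("enabledForDiskEncryption is false "
                        "(Azure Disk Encryption for volume encryption)")
    if not props.get("enabledForDeployment"):
        findings.append("enabledForDeployment is false "
                        "(Azure Virtual Machines for deployment)")

    # 3. Effective roles of the RSV identity on this vault, including inherited ones.
    effective = {
        a["roleDefinitionName"]
        for a in assignments
        if a.get("principalId", "").lower() == principal_id.lower()
        and scope_covers(a.get("scope", ""), vault["id"])
    }
    if not effective & ACCEPTED_ROLES:
        findings.append(
            f"identity {principal_id} has {sorted(effective) or 'no'} roles on the "
            f"vault; needs one of {sorted(ACCEPTED_ROLES)}"
        )
    return findings


# --- constructed sample data (not real Azure ids) ---------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
VAULT_ID = RG + "/providers/Microsoft.KeyVault/vaults/kv-demo"
RSV_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # constructed RSV identity id

SAMPLE_VAULT = {
    "id": VAULT_ID,
    "properties": {
        "enableRbacAuthorization": True,
        "enabledForDiskEncryption": True,
        "enabledForDeployment": True,
    },
}

# The questioner's starting point: Crypto User + Reader directly on the vault.
ASSIGNMENTS_BEFORE = [
    {"principalId": RSV_PRINCIPAL, "roleDefinitionName": "Key Vault Crypto User",
     "scope": VAULT_ID, "principalType": "ServicePrincipal"},
    {"principalId": RSV_PRINCIPAL, "roleDefinitionName": "Key Vault Reader",
     "scope": VAULT_ID, "principalType": "ServicePrincipal"},
]

# After the fix: Key Vault Administrator granted at the resource group, inherited by the vault.
ASSIGNMENTS_AFTER = ASSIGNMENTS_BEFORE + [
    {"principalId": RSV_PRINCIPAL, "roleDefinitionName": "Key Vault Administrator",
     "scope": RG, "principalType": "ServicePrincipal"},
]


def findings_before() -> List[str]:
    return check_backup_keyvault_access(SAMPLE_VAULT, ASSIGNMENTS_BEFORE, RSV_PRINCIPAL)


def findings_after() -> List[str]:
    return check_backup_keyvault_access(SAMPLE_VAULT, ASSIGNMENTS_AFTER, RSV_PRINCIPAL)


if __name__ == "__main__":
    for label, result in (("before", findings_before()), ("after", findings_after())):
        print(f"{label}: {result or 'OK'}")
```

To run it against a real environment, replace the constructed dicts with the parsed JSON from the two `az` commands named in the lead-in; the role assignment list must be fetched with `--all` so that inherited subscription and resource-group assignments are included, otherwise the check will report a missing role that is in fact present one level up.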
