Overview:
When protecting Azure VMs with Druva, understanding support limitations based on disk encryption type is critical. Azure supports multiple encryption types: Platform-Managed Keys (PMK), Customer-Managed Keys (CMK), and Azure Disk Encryption (ADE). Each has its own set of capabilities and restrictions.
Below is the Druva support matrix categorized by encryption type and recovery scenario:
1. Azure VM with Platform-Managed Keys (PMK)
Overview: This is the default encryption method, where Azure manages the keys. It offers full support for all backup and restore workflows.

| Operation Type | Support Status |
|---|---|
| Backup | Supported |
| Restore - Same Subscription, Same Region | Supported |
| Restore - Same Subscription, Cross-Region | Supported |
| Restore - Cross-Subscription, Same Tenant | Supported |
| Restore - Cross-Subscription, Cross-Tenant | Supported |
| File-Level Recovery (FLR) | Supported (except for VM disks using Windows Storage Spaces) |
2. Azure VM with Customer-Managed Keys (CMK)
Overview: CMK allows customers to control encryption keys using Azure Key Vault. Because access to the key is bounded by the key vault's region and subscription, this setup limits restore options.

| Operation Type | Support Status |
|---|---|
| Backup | Supported |
| Restore - Same Subscription, Same Region | Supported |
| Restore - Same Subscription, Cross-Region | Not Supported |
| Restore - Cross-Subscription, Same Tenant | Not Supported |
| Restore - Cross-Subscription, Cross-Tenant | Not Supported |
| File-Level Recovery (FLR) | Supported (except for VM disks using Windows Storage Spaces) |
3. Azure VM with Azure Disk Encryption (ADE)
Overview: ADE uses BitLocker (Windows) or dm-crypt (Linux) inside the guest OS, adding an extra security layer. However, its tight integration with Key Vault means the Druva Backup App's role must be granted an additional Key Vault permission manually before restores within the same subscription and region succeed.

| Operation Type | Support Status |
|---|---|
| Backup | Supported |
| Restore - Same Subscription, Same Region | Supported (requires manual permission update; see instructions below) |
| Restore - Same Subscription, Cross-Region | Not Supported |
| Restore - Cross-Subscription, Same Tenant | Not Supported |
| Restore - Cross-Subscription, Cross-Tenant | Not Supported |
| File-Level Recovery (FLR) | Not Supported |
Manual Permission Update for ADE Restore (Same Subscription & Region)
To restore an Azure VM with ADE encryption in the same subscription and region, the permissions of the role assigned to the Druva Backup App must be updated manually. Follow the steps below:
Steps to Update Azure Backup App Permissions
1. Log in to Azure and go to the Subscription you want to update.
2. From the left menu, select Access Control (IAM).
3. Click the Role assignments tab at the top.
4. Scroll to the Apps section and locate the Druva Backup App.
5. Copy the Role ID associated with the app.
6. Go back to the top of the IAM page and click the Roles tab.
7. Paste the Role ID in the search box and locate the role.
8. Click the three dots (⋮) beside the role name and select Edit.
9. In the edit view, go to the Permissions tab.
10. Click Add permission.
11. In the new pane:
    - Search for and select Microsoft Key Vault.
    - Then search for Deploy.
    - Choose: Other: Use Vault for Azure Deployments.
    - Confirm that the permission listed is: Microsoft.KeyVault/vaults/deploy/action.
12. Click Add, then Review, and finally Update.
Once done, the restore operation for ADE-encrypted disks within the same subscription and region will proceed successfully.
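The portal steps above amount to one change: the custom role assigned to the Druva Backup App must effectively grant `Microsoft.KeyVault/vaults/deploy/action` on the subscription. The script below is an added example (not Druva's or Microsoft's code) that performs the same check from the command line and can apply the fix. It assumes the Azure CLI (`az`) is installed and logged in, that the app's application (client) ID and the subscription ID are passed in the hypothetical environment variables `DRUVA_APP_ID` and `AZURE_SUBSCRIPTION_ID`, and that role definitions use the camelCase JSON shape `az role definition list` emits. The pure functions handle the two cases a manual eyeball check tends to miss: a wildcard action such as `Microsoft.KeyVault/*` already covers the deploy action, and an entry in `notActions` takes it away again even if `actions` contains `*`.

```python
"""Verify (and optionally add) the Key Vault deploy permission on the
custom role assigned to the Druva Backup App. Added example; see lead-in
for the assumptions (az CLI present, env var names are hypothetical)."""
import json
import os
import subprocess
import sys
import tempfile
from fnmatch import fnmatchcase

# The action named in the article's step 11.
REQUIRED_ACTION = "Microsoft.KeyVault/vaults/deploy/action"


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC matches actions case-insensitively; '*' may span '/' segments,
    # which is exactly how fnmatch treats '*' (it does not stop at separators).
    return fnmatchcase(action.lower(), pattern.lower())


def role_grants_action(role_def: dict, action: str = REQUIRED_ACTION) -> bool:
    """True if some permission block allows `action` and does not deny it in notActions."""
    for perm in role_def.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def with_action_added(role_def: dict, action: str = REQUIRED_ACTION) -> dict:
    """Return a deep copy of the role definition that grants `action`.
    Idempotent: if the role already effectively grants it, the copy is unchanged."""
    updated = json.loads(json.dumps(role_def))
    if role_grants_action(updated, action):
        return updated
    perms = updated.setdefault("permissions", [{"actions": [], "notActions": []}])
    perms[0].setdefault("actions", []).append(action)
    return updated


# Constructed sample in the shape the CLI returns; subscription ID is a placeholder.
SAMPLE_ROLE = {
    "roleName": "Druva Backup App Role (sample)",
    "permissions": [{
        "actions": ["Microsoft.Compute/*", "Microsoft.KeyVault/vaults/read"],
        "notActions": [],
    }],
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}


def _az(*args: str):
    """Run an az CLI command and parse its JSON output."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def main() -> int:
    app_id = os.environ["DRUVA_APP_ID"]              # hypothetical env var
    sub_id = os.environ["AZURE_SUBSCRIPTION_ID"]     # hypothetical env var
    apply_fix = "--apply" in sys.argv
    scope = f"/subscriptions/{sub_id}"
    # Steps 3-5: find the role assigned to the backup app at subscription scope.
    assignments = _az("role", "assignment", "list", "--assignee", app_id, "--scope", scope)
    if not assignments:
        print("no role assignment found for the app at subscription scope")
        return 2
    rc = 0
    for a in assignments:
        # Steps 6-7: fetch the role definition by name (built-in roles are skipped;
        # only a custom role can be edited).
        role = _az("role", "definition", "list", "--name", a["roleDefinitionName"])[0]
        if role_grants_action(role):
            print(f"{role['roleName']}: already grants {REQUIRED_ACTION}")
            continue
        rc = 1
        if not apply_fix or role.get("roleType") != "CustomRole":
            print(f"{role['roleName']}: missing {REQUIRED_ACTION}")
            continue
        # Steps 8-12: write the updated definition back.
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
            json.dump(with_action_added(role), f)
        _az("role", "definition", "update", "--role-definition", f"@{f.name}")
        print(f"{role['roleName']}: added {REQUIRED_ACTION}")
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

Run it without arguments first: it exits 0 when every role assigned to the app already covers the deploy action and 1 otherwise, which makes it usable as a pre-restore check; `--apply` rewrites only custom roles, since a built-in role such as Contributor cannot be edited and would have to be replaced instead.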
Recommendations
- Prefer Platform-Managed Keys (PMK) for complete flexibility in backup and recovery.
- If using CMK or ADE, plan for their limitations, especially for restores across regions or subscriptions.
- Avoid using Windows Storage Spaces on disks if FLR is required.
- Always update permissions as outlined above for ADE restores.
Conclusion
Selecting the right disk encryption type is essential not only for security but also for recovery flexibility. Druva supports a wide range of use cases for PMK, with limited support for CMK and ADE due to Azure constraints. By following the proper configuration and permission setup steps, you can ensure successful protection and recovery of your Azure VMs.