Restoring VM Disk Data

The process of restoring an Azure VM whose disks are encrypted with SSE or ADE does not differ from the same process for a VM with unencrypted disks.

Server-Side Encryption of Azure Disk Storage

During entire VM restore or disk restore, Veeam Backup for Microsoft Azure uses different key management options to encrypt the restored disks depending on the target Azure region:

When performing restore to the original Azure region, Veeam Backup for Microsoft Azure encrypts the restored VM disks using the original key management option. However, if the associated Azure Key Vault or Disk Encryption Set is missing, the restored VM disks will be encrypted with platform-managed keys.
When performing restore to a new Azure region, Veeam Backup for Microsoft Azure always encrypts the restored VM disks with platform-managed keys.

During file-level recovery, Veeam Backup for Microsoft Azure restores data as is; when performing restore to the original location, Veeam Backup for Microsoft Azure does not change the SSE settings configured for the VM.

Azure Disk Encryption

During entire VM restore or disk restore, Veeam Backup for Microsoft Azure preserves the original encryption settings for the restored VM disks. However, if the original Azure Key Vault is unavailable or the original Key Vault key is missing, Veeam Backup for Microsoft Azure will not be able to restore the data.

Important

If virtual disks of an Azure VM are encrypted using Azure Disk Encryption, the following limitations apply:

You can perform entire VM restore and disk restore to the original Azure region only — performing restore to a new region is not supported.
You cannot perform file-level recovery — restoring and browsing guest OS files on disks encrypted using the BitLocker and DM-Crypt features (as well as any custom disk encryption tools) is not supported.