-
- Novice
- Posts: 4
- Liked: never
- Joined: Jul 12, 2022 7:37 am
[Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
Hey! First of all, thanks for the great work you do on the Veeam products.
As to my request:
When backing up encrypted Azure VMs to an on-premise backup repository, Veeam B&R does not let you recover the workloads to a Hyper-V instance.
You are greeted by the error "Restore points contain Microsoft Azure VMs with disk encryption enabled".
The files can be decrypted manually, but that's not something you'd want to do in a disaster recovery scenario.
We've already confirmed with support that this feature does not yet exist.
It would be great if it could be implemented in the future.
-
- Product Manager
- Posts: 14836
- Liked: 3084 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
Hello,
and welcome to the forums.
As far as I see... if we (or anyone else) would be able to implement that, we would have broken the encryption.
If restore to on-prem is needed, then the backup method needs to be adjusted. That could be done by doing in-guest backup with agents (to get the decrypted data), or stop using ADE.
Best regards,
Hannes
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
Could you clarify which encryption method you are using for the VMs in Azure?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 4
- Liked: never
- Joined: Jul 12, 2022 7:37 am
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
Recovering encrypted VMs from the Veeam Azure Appliance works, so the appliance does seem to have some kind of access to the keys.
This just has to also be implemented on the Veeam B&R side of things.
Using in-guest backup agents is not always an option, especially not when you have bigger environments.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Jul 12, 2022 7:37 am
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
nielsengelen wrote: ↑Jul 12, 2022 12:16 pm
"Could you clarify which encryption method you are using for the VMs in Azure?"
We're using the native Azure Disk Encryption, with the keys being stored in an Azure Key Vault.
-
- Product Manager
- Posts: 14836
- Liked: 3084 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
Hello,
"Recovering encrypted VMs from the Veeam Azure Appliance works"
Yes... but file level restore does not work, right? Looking at the description by Microsoft, it's in-guest encryption with BitLocker (Windows) or DM-Crypt (Linux). It would be the same with Hyper-V and in-guest encryption: full VM restore would work, file level restore would fail.
When doing instant recovery to Hyper-V, we need to modify things, which is impossible, because we cannot access the files inside the VM.
Best regards,
Hannes
-
- Novice
- Posts: 4
- Liked: never
- Joined: Jul 12, 2022 7:37 am
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
The in-guest encryption shouldn't be an issue. As I've already mentioned, the backup files can be exported from the local copy-job and decrypted manually, so there has to be a way to automate the process.
These are the steps we currently have to go through in order to decrypt ADE disks:
- Export the encrypted VM files from the local copy job using the VBK Extract Tool
- Convert the formatless files to VHD
- Decrypt the VHDs using PowerShell + keys from azure vault
- Import the VHDs to Hyper-V
Since the Veeam for Azure appliance can already access the keys from the Azure vault, there should be a way to pass those keys over to the on-prem Veeam B&R instance and use them to decrypt the disks.
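The "Decrypt the VHDs using PowerShell + keys from azure vault" step from the post above, as an added example (not code from the thread or from Veeam). It assumes Windows (BitLocker) guests, BEK secrets stored without a KEK and carrying the `MachineName` and `DiskEncryptionKeyFileName` tags that ADE sets, and a restore host with the Az.KeyVault, Hyper-V and BitLocker modules; the vault, VM and path values are placeholders.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Az.KeyVault, Hyper-V, BitLocker
# Added example. All three values are hypothetical placeholders; run Connect-AzAccount first.
$VaultName = '<key-vault-name>'
$VmName    = '<azure-vm-name>'
$VhdPath   = '<path-to-converted-disk>.vhd'

# ADE keeps one Key Vault secret per encrypted volume, tagged with the VM name.
$secrets = @(Get-AzKeyVaultSecret -VaultName $VaultName |
    Where-Object { $_.Tags.MachineName -eq $VmName -and $_.ContentType -match 'BEK' })
if (-not $secrets) { throw "No BEK secrets tagged for $VmName in $VaultName" }
# A 'Wrapped BEK' is encrypted with a KEK and must be unwrapped first (not covered here).
if ($secrets.ContentType -match 'Wrapped') { throw 'BEK is KEK-wrapped; unwrap it first' }

# Write each BEK to a throwaway directory under the file name BitLocker expects.
$keyDir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ([guid]::NewGuid()))
$bekFiles = foreach ($s in $secrets) {
    $b64  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $s.Name -AsPlainText
    $file = Join-Path $keyDir.FullName $s.Tags.DiskEncryptionKeyFileName
    [IO.File]::WriteAllBytes($file, [Convert]::FromBase64String($b64))
    $file
}

try {
    $parts = Mount-VHD -Path $VhdPath -Passthru | Get-Disk | Get-Partition |
        Where-Object { $_.DriveLetter -match '[A-Z]' }
    foreach ($p in $parts) {
        $mp = "$($p.DriveLetter):"
        if ((Get-BitLockerVolume -MountPoint $mp).LockStatus -ne 'Locked') { continue }
        foreach ($f in $bekFiles) {
            # The wrong volume's key fails here; move on to the next candidate.
            try { Unlock-BitLocker -MountPoint $mp -RecoveryKeyPath $f -ErrorAction Stop | Out-Null; break }
            catch { continue }
        }
        if ((Get-BitLockerVolume -MountPoint $mp).LockStatus -eq 'Locked') {
            throw "None of the stored BEKs unlocks $mp"
        }
        Disable-BitLocker -MountPoint $mp | Out-Null   # starts background decryption
        while ((Get-BitLockerVolume -MountPoint $mp).VolumeStatus -ne 'FullyDecrypted') {
            Start-Sleep -Seconds 30
        }
    }
}
finally {
    # Detach the disk and remove the key material from the restore host.
    Dismount-VHD -Path $VhdPath -ErrorAction SilentlyContinue
    Remove-Item -Path $keyDir.FullName -Recurse -Force
}
```

The identity running this needs permission to list and read secrets on the vault, which is the same access the restore would otherwise have to be granted inside any backup product.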
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 07, 2022 4:30 pm
Re: [Feature Request] Restore Encrypted Azure VMs (ADE) to Hyper-V
+1
We have the same requirement in the environments of our customers.
To make sure that the customers' virtual machines can be restored and put to production on-prem in the case that the Azure VMs are not available because of e.g. an Azure malfunction, maintenance or hacker attack, we back up the VMs with Veeam for Azure and copy the backups per Veeam copy job offsite to an on-premise Veeam Backup and Replication server. So in the case of a disaster we are able to restore the VMs on an on-premise Hyper-V server.
Also, we are using Azure Disk Encryption (ADE) as a security best practice for the Azure VMs.
When we try to restore these VMs (full VM restore) on-premise we get the error "Restore points contain Microsoft Azure VMs with disk encryption enabled". And that's it...
There should be a prompt where you can insert the BEK Key (BitLocker Encryption Key) from the Azure Key Vault so that Veeam then automatically decrypts the VHDs and continues with the restore process.
The Veeam for Azure appliance is able to do that as well. So there is already a connection to the Azure Key Vault where the BEK Keys for decryption are stored.
As it is also possible to decrypt the encrypted VHDs of the Azure VMs manually with the BEK Keys and create a Hyper-V VM with the unencrypted VHDs, there must be a way to automate this inside of Veeam B&R.
Best regards