Create Linux VM from Encrypted Disk Snapshots in Azure


In my previous article, I covered the steps to automate disk snapshots in Azure (valid for encrypted as well as unencrypted disks). Restoring or creating a VM from unencrypted disk snapshots is straightforward, but it is a bit tricky for encrypted disk snapshots. There is no straightforward way to do it from the Azure portal, so we are going to use PowerShell. The process involves the following steps-

  1. Login to Azure Subscription
  2. Set the DEK (Data Encryption Key) and KEK (Key Encryption Key) URLs and the vault ID.
  3. Set the OS (and Data) disk snapshot name and resource group.
  4. Create Disks from the snapshots.
  5. Create VM and attach the created disks and set the encryption configurations of OS disk.
  6. Login to new VM and set the encryption configurations for Data Disk.


  • Login to Azure Subscription- (you need an Azure AD application with Contributor access to the Azure subscription. You can also log in with Azure user credentials, but I always prefer using an application)
$clientID = "<Azure AD Application ID>"
# Keep the real secret out of the saved script: load it from a secret store or prompt for it at run time.
$key = "<Azure AD Application key/secret>"
$SecurePassword = $key | ConvertTo-SecureString -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $clientID, $SecurePassword
Add-AzureRmAccount -Credential $cred -Tenant "<Azure Tenant ID>" -ServicePrincipal
  • Set the DEK and KEK URLs and vault ID-
# The DEK URL points to a Key Vault secret and the KEK URL to a Key Vault key.
$dekUrl = "https://<vaultname>"
$kekUrl = "https://<vaultname><KEK name>/44ddf34c8ed1123db9b4bd53ef449d3c"
$keyVaultId = "/subscriptions/<subscriptionid>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvaultname>"
  • Set the OS and Data disk snapshot name and resource group-
$resourceGroupName = '<resource-group-name>'
$ossnapshotName = '<os disk snapshot name>'
$datasnapshotName = '<data disk snapshot name>'
$osDiskName = '<Name of the OS Disk to be created>'
$dataDiskName = '<Name of the Data Disk to be created>'
  • Create Disks from snapshots-
$ossnapshot = Get-AzureRmSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $ossnapshotName
$osdiskConfig = New-AzureRmDiskConfig -AccountType 'StandardLRS' -Location $ossnapshot.Location -SourceResourceId $ossnapshot.Id -CreateOption Copy
$disk = New-AzureRmDisk -Disk $osdiskConfig -ResourceGroupName $resourceGroupName -DiskName $osDiskName
$datasnapshot = Get-AzureRmSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $datasnapshotName
$dataDiskConfig = New-AzureRmDiskConfig -AccountType 'StandardLRS' -Location $datasnapshot.Location -SourceResourceId $datasnapshot.Id -CreateOption Copy
$dataDisk2 = New-AzureRmDisk -DiskName $dataDiskName -Disk $dataDiskConfig -ResourceGroupName $resourceGroupName
  • Create the VM and attach the created disks, with the encryption configuration for the OS disk (create the network interface manually or using PowerShell prior to this step)
$virtualMachineName = '<Name of the VM to be created>'
$virtualMachineSize = '<VM size>'
$VirtualMachine = New-AzureRmVMConfig -VMName $virtualMachineName -VMSize $virtualMachineSize
# Only one vault ID is set above, so $keyVaultId is used for both the DEK and the KEK (assumes both are stored in the same vault).
$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -ManagedDiskId $disk.Id -DiskEncryptionKeyUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId -CreateOption "Attach" -Linux
$VirtualMachine = Add-AzureRmVMDataDisk -VM $VirtualMachine -Name $dataDiskName -ManagedDiskId $dataDisk2.Id -Lun "1" -CreateOption "Attach"
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id '<network interface resource id>'
New-AzureRmVM -VM $VirtualMachine -ResourceGroupName $resourceGroupName -Location $ossnapshot.Location
  • Login to the new VM, set the encryption configuration for the data disk and mount it
  1. Log in to the created VM with the existing credentials and verify that the OS disk is accessible.
  2. Now run the command blkid and identify the BEK disk and the data disk-


  3. Mount the BEK disk to the /mnt/azure_bek_disk folder-

mount /dev/sdc1 /mnt/azure_bek_disk

  4. Create a new folder or mount the data disk to an existing folder. Run the following commands-

for header in /var/lib/azure_disk_encryption_config/azureluksheader*; do cryptsetup luksOpen --key-file /mnt/azure_bek_disk/LinuxPassPhraseFileName --header "$header" /dev/sdd1 datadisk; done
mount /dev/mapper/datadisk /datadrive

      ** Replace sdd1 with the data disk name and /datadrive with the folder name to which you want to mount the data disk.

  5. Now access the data disk folder and verify the contents.
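
The Linux-side steps above combined into one script, added here as an example (it is not from the original post): it finds the BEK volume by its label instead of assuming /dev/sdc1, and tries each detached header until one exposes a filesystem. The "BEK VOLUME" label, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: the BEK volume is
# labelled "BEK VOLUME"; paths default to the ones used in the steps above.
BEK_MOUNT=${BEK_MOUNT:-/mnt/azure_bek_disk}
HEADER_DIR=${HEADER_DIR:-/var/lib/azure_disk_encryption_config}

# Constructed blkid output for trying the parser without a VM.
SAMPLE_BLKID='/dev/sda1: UUID="1111-aaaa" TYPE="ext4"
/dev/sdc1: LABEL="BEK VOLUME" UUID="3333-CCCC" TYPE="vfat"
/dev/mapper/osencrypt: UUID="4444-dddd" TYPE="ext4"'

# Run a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Read blkid output on stdin; print the BEK device, fail if there is none.
find_bek_device() {
    awk -F': ' '/LABEL="BEK VOLUME"/ { print $1; found = 1; exit }
                END { exit !found }'
}

# unlock_data_disk <partition> <mapper-name> <mountpoint>
# Tries each detached header until one exposes a filesystem, then mounts it.
unlock_data_disk() {
    local dev="$1" name="$2" mnt="$3" header opened=""
    local key="$BEK_MOUNT/LinuxPassPhraseFileName"
    [ -n "${DRY_RUN:-}" ] || [ -r "$key" ] ||
        { echo "key file missing: mount the BEK volume first" >&2; return 2; }
    for header in "$HEADER_DIR"/azureluksheader*; do
        [ -e "$header" ] || continue
        run cryptsetup luksOpen --key-file "$key" --header "$header" "$dev" "$name" || continue
        # Opened but no filesystem visible: wrong header, close and try the next.
        if [ -n "${DRY_RUN:-}" ] || blkid "/dev/mapper/$name" >/dev/null; then
            opened=1; break
        fi
        cryptsetup luksClose "$name"
    done
    [ -n "$opened" ] || { echo "no header in $HEADER_DIR opens $dev" >&2; return 3; }
    run mkdir -p "$mnt" && run mount "/dev/mapper/$name" "$mnt"
}

# With three arguments, mount the BEK volume (if needed) and unlock the disk.
if [ $# -eq 3 ]; then
    bek=$(blkid | find_bek_device) || { echo "BEK volume not found" >&2; exit 1; }
    run mkdir -p "$BEK_MOUNT"
    mountpoint -q "$BEK_MOUNT" || run mount "$bek" "$BEK_MOUNT"
    unlock_data_disk "$@"
fi
```

Run it as root with the data partition, mapper name and mount point as arguments; setting DRY_RUN=1 prints the cryptsetup and mount commands without executing them.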

Please contact us in case of any issues.

Thanks for checking out!


