You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms.md
+35-3Lines changed: 35 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ author: ankitaduttaMSFT
5
5
manager: gaggupta
6
6
ms.service: site-recovery
7
7
ms.topic: how-to
8
-
ms.date: 10/19/2022
8
+
ms.date: 01/23/2024
9
9
ms.author: ankitadutta
10
10
11
11
---
@@ -158,13 +158,45 @@ Use the following procedure to replicate Azure Disk Encryption-enabled VMs to an
158
158
>During initial replication, the status might take some time to refresh, without apparent progress. Click **Refresh** to get the latest status.
159
159
160
160
## Update target VM encryption settings
161
+
161
162
In the following scenarios, you'll be required to update the target VM encryption settings:
162
163
- You enabled Site Recovery replication on the VM. Later, you enabled disk encryption on the source VM.
163
164
- You enabled Site Recovery replication on the VM. Later, you changed the disk encryption key or key encryption key on the source VM.
164
165
165
-
You can use [a script](#copy-disk-encryption-keys-to-the-dr-region-by-using-the-powershell-script) to copy the encryption keys to the target region and then update the target encryption settings in **Recovery services vault** > *replicated item* > **Properties** > **Compute and Network**.
166
+
Because of the above reasons, the keys are not in sync between source and target. So, you need to copy the keys to target and update the Azure Site Recovery metadata storage through:
167
+
- Portal
168
+
- REST API
169
+
- PowerShell
170
+
171
+
### Update target VM encryption settings from the Azure portal
172
+
173
+
If you are using Site Recovery on a VM and have enabled disk encryption on it at a later point, then you might not have any key vault in the target settings. You must add a new key vault in the target.
174
+
175
+
If you are using a key vault, for example `KV1`, in the target settings, you can change the keys by using a different key vault in the target region. You can choose either an existing key vault that is different from original key vault `KV1` or use a new key vault. As Azure Site Recovery doesn't allow changing the keys in place, you must use a different key vault in the target region.
176
+
177
+
For this example, we assume that you create a new empty key vault `KV2` with the [necessary permissions](#required-user-permissions). You can then update the vault using the following steps:
178
+
179
+
1. Navigate to **Recovery services vault** in the portal.
1. Select `KV2` from the menu to update the target key vault.
182
+
183
+
1. Select **Save** to copy the source keys to the new target key vault `KV2` with a new key/secret and update the Azure Site Recovery metadata.
184
+
> [!NOTE]
185
+
> Creating a new key vault might have cost implications. If you want to use your original target key vault (`KV1`) that you were using before, you can do so after completing the above steps with a different key vault.
186
+
> <br>
187
+
> After you have updated the vault using a different key vault, to use your original target key vault (`KV1`), repeat the steps 1 to 4 and select `KV1` in the target key vault. This copies the new key / secret in `KV1` and uses that for the target.
188
+
189
+
190
+
### Update target VM encryption settings using REST API
191
+
192
+
1. You must copy the keys to target vault using the [Copy-Keys](https://raw.githubusercontent.com/AsrOneSdk/published-scripts/master/CopyKeys/CopyKeys.ps1) script.
193
+
2. Use the [`Replication Protected Items - Update`](https://learn.microsoft.com/rest/api/site-recovery/replication-protected-items/update?view=rest-site-recovery-2023-02-01&tabs=HTTP&tryIt=true&source=docs#diskencryptioninfo) Rest API to update the Azure Site Recovery metadata.
194
+
195
+
### Update target VM encryption settings using PowerShell
1. Copy the keys to target vault using the [Copy-Keys](https://raw.githubusercontent.com/AsrOneSdk/published-scripts/master/CopyKeys/CopyKeys.ps1) script.
198
+
1. Use the [`Set-AzRecoveryServicesAsrReplicationProtectedItem`](https://learn.microsoft.com/powershell/module/az.recoveryservices/set-azrecoveryservicesasrreplicationprotecteditem?view=azps-11.1.0) command to update the Azure Site Recovery metadata.
199
+
168
200
169
201
## <aid="trusted-root-certificates-error-code-151066"></a>Troubleshoot key vault permission issues during Azure-to-Azure VM replication
0 commit comments