You can backup and restore the virtual machine (VM) guest state protection key of each Trusted launch VM on an Azure Local instance using one of the following methods.
16
+
This article describes how to manually back up and restore a Trusted launch for Azure Local VM enabled by Azure Arc.
17
17
18
-
-**Azure Local release 2505 and later**: Backup/restore VM guest state protection keys to/from a file system folder.
18
+
-**For Azure Local release 2505 and later**: Backup/restore VM guest state protection keys to/from a file system folder.
19
19
20
-
-**Azure Local releases prior to 2505**: Backup/restore VM guest state protection keys to/from a key vault in another Azure Local instance.
20
+
-**For Azure Local releases prior to 2505**: Backup/restore VM guest state protection keys to/from a key vault in another Azure Local instance.
21
21
22
-
## For Azure Local release 2505 and later
22
+
#[Azure Local release 2505 and later](#tab/azure-local-release-2505-and-later)
23
23
24
-
To backup, this approach copies VM guest state protection keys from the local key vault of your Azure Local instance to a folder that is backed up periodically. The VM guest state protection keys stored inside that folder are in an encrypted form.
24
+
For back up, this method copies VM guest state protection keys from the on-premises key vault of your Azure Local instance to a folder that is backed up periodically. The VM guest state protection keys stored inside that folder are in an encrypted form.
25
25
26
-
To restore, this approach restores VM guest state protection keys from a folder (containing the backup copy) to the local key vault of an Azure Local instance where the VMs need to be restored.
26
+
For restore, this method restores VM guest state protection keys from a folder (containing the backup copy) to the local key vault of an Azure Local instance where the VMs need to be restored.
27
27
28
28
### Backup
29
29
30
30
The steps below involve copying VM guest state protection keys from the local key vault of your Azure Local instance to a folder that is backed up periodically.
31
31
32
32
1. On a secure computer using PowerShell 7, generate a wrapping key of size 2048:
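Review bot: the tab header `#[Azure Local release 2505 and later](#tab/azure-local-release-2505-and-later)` is missing the space after `#`; the sibling tab added in the later hunk is written `# [Azure Local releases prior to 2505](#tab/...)`, and the tab syntax needs that space for the heading to render as a tab rather than as a broken heading. Two smaller wording points in the same hunk: "For back up, this method copies ..." / "For restore, this method restores ..." reads awkwardly next to the other tab's "To back up, this method copies ..."; suggest "To back up" / "To restore" in both tabs. And "on-premises key vault" appears only here, while every other sentence says "local key vault"; keep one term. The bullets `-**For Azure Local release 2505 and later**` and `-**For Azure Local releases prior to 2505**` also still lack the space after `-` (pre-existing, but worth fixing while the lines are being touched).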
@@ -42,42 +42,48 @@ The steps below involve copying VM guest state protection keys from the local ke
42
42
43
43
$publicKeyPem | Out-File -FilePath .\public.pem
44
44
```
45
+
1. Make a note of the wrapping key as you'll need it later.
45
46
46
47
1. Copy the `.\public.pem` file to your Azure Local instance.
47
48
48
49
1. Copy VM guest state protection keys from the local key vault of your Azure Local instance to a folder that is backed up periodically:
49
50
50
51
1. Download the [TvmBackupUtils.psm1 script](https://github.com/Azure-Samples/AzureLocal/blob/main/trusted-launch-vms/TvmBackupUtils.psm1) on GitHub to your Azure Local instance.
51
52
52
-
1. Run `import-module .\TvmBackupUtils.psm1 -force`.
53
+
1. Run the following:
53
54
54
-
1. Run `Backup-TVMKeys -WrappingKeyPath <path to public.pem> -BackupRootPath <path to backup root folder where the timestamped backup folder is stored>`.
55
+
```powershell
56
+
import-module .\TvmBackupUtils.psm1 -force
57
+
58
+
Backup-TVMKeys -WrappingKeyPath <path to public.pem> -BackupRootPath <path to backup root folder where the timestamped backup folder is stored>
59
+
```
55
60
56
61
1. Make note of the timestamped backup folder created under the backup root folder. You will need this later during recovery. For example, backup folder named "20250612205355" with the format "yyyyMMddHHmmss".
57
62
58
-
1. Periodically backup the backup root folder.
63
+
1. Any time you create a new VM on Azure Local instance, run the script and back up the keys in the key vault.
59
64
60
65
### Restore
61
66
62
-
The steps below involve restoring VM guest state protection keys from a folder containing the backup copy to the local key vault of an Azure Local instance where the VMs need to be restored.
67
+
The steps below involve restoring VM guest state protection keys from a folder containing the backup copy to the key vault of an Azure Local instance where the VMs need to be restored.
63
68
64
-
1. Copy both private and public key files for the wrapping key that you created during Backup step 1 to the Azure Local instance.
69
+
1. Copy both private and public key files for the wrapping key that you created previously to the Azure Local instance.
65
70
66
71
1. Copy the timestamped backup folder to the Azure Local instance. Pick the folder under the backup root folder with the latest timestamp as that folder will have the most recent copy.
67
72
68
73
> [!NOTE]
69
74
> Don't modify the backup folder.
70
75
71
-
1. Import the wrapping key that you created during Backup step 1 to the Azure Local instance:
76
+
1. Import the wrapping key that you created previously to the Azure Local instance:
72
77
73
78
1. Download the [TvmBackupUtils.psm1 script](https://github.com/Azure-Samples/AzureLocal/blob/main/trusted-launch-vms/TvmBackupUtils.psm1) on GitHub to your Azure Local instance.
74
79
75
-
1. Run `Import-Module .\TvmBackupUtils.psm1 -force`.
80
+
1. Run the following commands. Make sure to create a unique name for the WrappingKeyName. Otherwise, this will cause a failure during import:
76
81
77
-
> [!NOTE]
78
-
> Make sure the WrappingKeyName you specify doesn't match the name of a key already existing in the timestamped backup folder. Otherwise, this will cause a failure during import (see Restore step 5).
82
+
```powershell
83
+
Import-Module .\TvmBackupUtils.psm1 -force
79
84
80
-
1. Run `Import-TvmWrappingKeyFromPem -KeyName <WrappingKeyName> -PublicKeyPath <path to public.pem> -PrivateKeyPath <path to private.pem> -KeySize 2048`
85
+
Import-TvmWrappingKeyFromPem -KeyName <WrappingKeyName> -PublicKeyPath <path to public.pem> -PrivateKeyPath <path to private.pem> -KeySize 2048
86
+
```
81
87
82
88
1. Delete `AzureStackTvmAKRootKey` as follows:
83
89
@@ -90,10 +96,9 @@ The steps below involve restoring VM guest state protection keys from a folder c
90
96
91
97
`Import-TVMKeys -WrappingKeyName <WrappingKeyName> -BackupPath <path to timestamped backup folder>`
92
98
93
-
> [!NOTE]
94
-
> If the local key vault of the Azure Local instance already has a VM guest state protection key with the same name or already has an `AzureStackTvmAKRootKey`, you will receive an `InvalidVersion` error for that key. You can ignore this, as the key is already in the key vault.
99
+
If the local key vault of the Azure Local instance already has a VM guest state protection key with the same name or already has an `AzureStackTvmAKRootKey`, you will receive an `InvalidVersion` error for that key. You can ignore this, as the key is already in the key vault.
95
100
96
-
1. Cleanup files and keys:
101
+
1. Clean up files and keys:
97
102
98
103
1. Delete both `public.pem` and `private.pem` files from the Azure Local instance.
99
104
@@ -103,13 +108,13 @@ The steps below involve restoring VM guest state protection keys from a folder c
103
108
1. Run `Remove-MocKey -name WrappingKeyName -group AzureStackHostAttestation -keyvaultName AzureStackTvmKeyVault`
104
109
105
110
106
-
## For Azure Local releases prior to 2505
111
+
# [Azure Local releases prior to 2505](#tab/azure-local-releases-prior-to-2505)
107
112
108
-
To backup, this approach copies VM guest state protection keys from the local key vault of your Azure Local instance to the local key vault of another Azure Local instance that is used for key backup purposes.
113
+
To back up, this method copies VM guest state protection keys from the local key vault of your Azure Local instance to the local key vault of another Azure Local instance that is used for key backup purposes.
109
114
110
115
To restore, this method restores VM guest state protection keys from the local key vault (backup key vault) of the Azure Local instance that is used for key backup purposes to the local key vault of an Azure Local instance where the VMs need to be restored.
111
116
112
-
### Backup
117
+
### Back up
113
118
114
119
Follow these steps to copy the VM guest state protection key from the local key vault of the Azure Local instance where the VM resides to a backup key vault on another Azure Local instance:
115
120
@@ -139,7 +144,7 @@ Follow these steps to copy the VM guest state protection key from the local key
1. On the Azure Local system with the backup key vault, run the following steps on the Azure Local system:
147
+
1. On the Azure Local system with the backup key vault, run the following steps:
143
148
144
149
1. Copy the `VM ID` and `VM ID`.json file to the Azure Local system.
145
150
@@ -149,9 +154,9 @@ Follow these steps to copy the VM guest state protection key from the local key
149
154
150
155
### Restore
151
156
152
-
Follow these steps to copy the VM guest state protection keyfrom the backup key vault of the Azure Local instance that is used for key backup purposes to the local key vault of the target Azure Local system where the VM needs to be restored:
157
+
Follow these steps to copy the VM guest state protection key. The key is copied from the backup key vault of the Azure Local instance to the key vault of the target Azure Local system (where the VM needs to be restored):
153
158
154
-
1. On the source Azure Local system where the VM needs to be restored, run the following commands on the Azure Local system:
159
+
1. On the source Azure Local system where the VM needs to be restored, run the following commands:
155
160
156
161
1. Create a wrapping key in the key vault:
157
162
@@ -161,7 +166,7 @@ Follow these steps to copy the VM guest state protection key from the backup key
> Restore the VM guest state key (complete the steps above) before you start the VM on the Azure Local instance where the VM needs to be restored. This ensures that the VM uses the restored VM GSP key. Otherwise, the VM creation fails, and a new VM GSP key is created by the system. If this happens by mistake (human error), delete the VM GSP key and then repeat the steps to restore the VM GSP key.
190
+
> Restore the VM guest state key (complete the steps above) before you start the VM on the Azure Local instance where the VM needs to be restored. This ensures that the VM uses the restored VM guest state protection key. Otherwise, the VM creation fails, and a new VM guest state protection key is created by the system. If this happens by mistake (human error), delete the VM guest state protection key and then repeat the steps to restore the VM guest state protection key key.
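Review bot: the expanded note ends with "restore the VM guest state protection key key" (duplicated "key"); drop the extra word. Expanding "VM GSP key" to the full term throughout the note is a good change, but the first sentence still says "Restore the VM guest state key", so make that "VM guest state protection key" too for consistency.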