During the virtual machine lifecycle in Microsoft Azure, you will have to validate where the recovery keys of any given VM live when its disks are encrypted and the keys are stored in an Azure Key Vault. It is also important to do this exercise when removing or moving Key Vaults around in your subscriptions, so that no VM is left pointing at a vault that no longer holds its keys.
If you have no clue which Key Vaults are in use, looking at the disk properties/encryption of the desired VM will give you the Azure Key Vault name; it is at the end of the Key Vault field.
Going to the Key Vault (you must have permissions to read the secrets), you will probably find an avalanche of disk encryption keys listed. Click any entry in the list. In the new blade, click on the current version and then Tags; on the right side, a list with the volume letter, label, and machine name gives you the information you are looking for.
As you may have noticed, the process is tedious, but PowerShell to the rescue! The first line reads all secrets from the vault, and the second prints the tags (volume letter, label, machine name) of every secret returned:
```powershell
$vSecrets = Get-AzKeyVaultSecret -VaultName <KeyVaultName>
$vSecrets.Tags
```
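Going one step further, the script below is an added example (not code from the original post): it turns the tags into one row per secret and then checks, before a vault is moved or deleted, which tagged machine names no longer match any VM in the subscription. It assumes the Az.KeyVault and Az.Compute modules are installed, that you are already signed in, that the tag names are MachineName, VolumeLetter and VolumeLabel as shown in the portal, and that `<KeyVaultName>` is replaced with your vault.

```powershell
# Added example, not the original post's code.
# Assumptions: Az.KeyVault and Az.Compute are installed, Connect-AzAccount has been run,
# and the disk-encryption secrets carry the MachineName / VolumeLetter / VolumeLabel tags.
$vaultName = '<KeyVaultName>'   # placeholder, replace with the vault from the VM's disk properties

# Read secret metadata only (no secret values are retrieved) and build one row per secret.
$inventory = Get-AzKeyVaultSecret -VaultName $vaultName | ForEach-Object {
    $tags = $_.Tags
    [pscustomobject]@{
        SecretName  = $_.Name
        MachineName = if ($tags) { $tags['MachineName'] }  else { $null }
        Volume      = if ($tags) { $tags['VolumeLetter'] } else { $null }
        Label       = if ($tags) { $tags['VolumeLabel'] }  else { $null }
        Enabled     = $_.Enabled
        Created     = $_.Created
    }
}

# Which VM and volume does each recovery key belong to?
$inventory | Sort-Object MachineName, Volume | Format-Table -AutoSize

# Cross-check against the VMs that actually exist: a secret whose MachineName matches no VM
# is a candidate leftover, while a VM name with no secret here keeps its keys in another vault.
$vmNames  = (Get-AzVM).Name
$orphaned = $inventory | Where-Object { $_.MachineName -and ($vmNames -notcontains $_.MachineName) }
$untagged = $inventory | Where-Object { -not $_.MachineName }

"Secrets with no matching VM: $($orphaned.Count)"
$orphaned | Format-Table SecretName, MachineName, Volume, Created -AutoSize
"Secrets without a MachineName tag (inspect manually before deleting the vault): $($untagged.Count)"
$untagged | Format-Table SecretName, Created -AutoSize
```

Run it with an identity that has list/read permission on secrets; the two counts at the end are what to review before removing the vault.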