Listing servers with encryption key in an Azure Key Vault

During the virtual machine lifecycle in Microsoft Azure, you will have to verify where the recovery keys of any given VM with encrypted disks are stored, since those keys live in an Azure Key Vault. It is also important to do this exercise before removing or moving Key Vaults around in your subscriptions, so that no VM is left pointing at a vault that no longer holds its key.

If you have no clue which Key Vaults are in use, then looking at the disk properties/encryption of the desired VM will give you the Azure Key Vault name. It is at the end of the Key Vault field.

Azure Key Vault

Going to the Key Vault (you must have permission to read the secrets), you will probably find an avalanche of disk encryption keys listed. Click any entry in the list. In the new blade, click the current version and then Tags; on the right side, a list showing the volume letter, volume label, and machine name gives you the information you are looking for.

Azure Key Vault

As you may have noticed, the process is tedious, but PowerShell to the rescue!

# List every secret in the vault (requires 'list' permission on secrets)
# and show the tags Azure Disk Encryption writes on each one
# (volume letter, volume label, machine name)
$vSecrets = Get-AzKeyVaultSecret -VaultName '<KeyVaultName>'
$vSecrets.Tags
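The two lines above dump the raw tags; the following is an added example (not code from the original post) that turns them into a per-machine inventory and flags secrets that carry no machine tag. It assumes the tag names MachineName, VolumeLetter and VolumeLabel, which the post only describes informally, and the function name Get-AdeSecretInventory is my own.

```powershell
# Assumed tag names (adjust if your Azure Disk Encryption secrets differ)
$MachineTag = 'MachineName'
$LetterTag  = 'VolumeLetter'
$LabelTag   = 'VolumeLabel'

function Get-AdeSecretInventory {
    [CmdletBinding()]
    param(
        # Secret items as returned by: Get-AzKeyVaultSecret -VaultName <name>
        [Parameter(Mandatory, ValueFromPipeline)] $Secret
    )
    process {
        $tags = $Secret.Tags
        # A secret without a machine tag is not a disk encryption key (or its tags
        # were stripped); surface it rather than silently dropping it
        $machine = if ($tags -and $tags[$MachineTag]) { $tags[$MachineTag] } else { '<no machine tag>' }
        [pscustomobject]@{
            Machine = $machine
            Volume  = if ($tags) { $tags[$LetterTag] } else { $null }
            Label   = if ($tags) { $tags[$LabelTag] }  else { $null }
            Secret  = $Secret.Name
            Vault   = $Secret.VaultName
            Updated = $Secret.Updated
        }
    }
}

# Constructed sample input so the logic can be checked without an Azure session
$sample = @(
    [pscustomobject]@{ Name = 'sec-a1'; VaultName = 'kv-demo'; Updated = (Get-Date '2023-01-10')
                       Tags = @{ MachineName = 'web01'; VolumeLetter = 'C:\'; VolumeLabel = 'Windows' } }
    [pscustomobject]@{ Name = 'sec-a2'; VaultName = 'kv-demo'; Updated = (Get-Date '2023-01-10')
                       Tags = @{ MachineName = 'web01'; VolumeLetter = 'F:\'; VolumeLabel = 'Data' } }
    [pscustomobject]@{ Name = 'sec-b1'; VaultName = 'kv-demo'; Updated = (Get-Date '2023-03-02')
                       Tags = @{ MachineName = 'sql01'; VolumeLetter = 'C:\'; VolumeLabel = 'Windows' } }
    [pscustomobject]@{ Name = 'app-password'; VaultName = 'kv-demo'; Updated = (Get-Date '2023-02-01'); Tags = $null }
)

$inventory = $sample | Get-AdeSecretInventory
$inventory | Sort-Object Machine, Volume | Format-Table -AutoSize

# One line per machine: how many volumes, and which vault(s) hold its keys
$inventory | Where-Object Machine -ne '<no machine tag>' |
    Group-Object Machine |
    Select-Object @{n='Machine';e={$_.Name}}, Count, @{n='Vaults';e={($_.Group.Vault | Sort-Object -Unique) -join ','}}

# Real run (after Connect-AzAccount, with 'list' permission on the vault's secrets):
# Get-AzKeyVaultSecret -VaultName '<KeyVaultName>' | Get-AdeSecretInventory | Sort-Object Machine, Volume
```

Running it against every vault in a subscription before a vault is decommissioned shows at a glance which machines still depend on it.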
