During the lifecycle of a virtual machine in Microsoft Azure, you will have to verify where the disk encryption (recovery) keys of any given VM are stored, that is, which Azure Key Vault holds the secrets for its encrypted disks. This check is also important before removing Key Vaults or moving them between subscriptions, since deleting the vault that holds a VM's disk encryption secret leaves that disk unrecoverable.
If you have no idea which Key Vaults are in use, the disk properties/encryption view of the VM in question shows the Azure Key Vault name; it appears at the end of the Key Vault field.
Going to that Key Vault (you must have permission to read its secrets), you will probably find an avalanche of disk encryption keys listed. Click any entry in the list. In the new blade, click the current version and then Tags; the list on the right side shows the volume letter, volume label, and machine name, which is the information you are looking for.
As you may have noticed, the process is tedious, but PowerShell to the rescue. List every secret in the vault together with its tags, and you can spot the machine and volume each key belongs to in one pass:
# List all secrets in the vault (requires the Az.KeyVault module and a signed-in session)
$vSecrets = Get-AzKeyVaultSecret -VaultName '<KeyVaultName>'
# Show each secret name next to its tags (volume letter, label, machine name)
$vSecrets | Select-Object Name, Tags
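The following script is an added example, not code from the original post: it automates the whole procedure above by starting from the VM, reading the Key Vault secret URL recorded on each managed disk's Azure Disk Encryption settings, and fetching that exact secret version with its tags, so you never have to hunt through the full list. It assumes the Az.Compute and Az.KeyVault modules, an authenticated session (Connect-AzAccount), and get permission on secrets in the vault. The parameter names are this example's own, and the tag key names `MachineName`, `VolumeLetter` and `VolumeLabel` are assumed from the post's description of the Tags blade.

```powershell
# Added example (not from the original post). Usage:
#   .\Find-AdeSecret.ps1 -ResourceGroupName rg-prod -VMName vm-app01
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMName
)

# Pull the VM so we can walk its OS disk and every attached data disk.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })

foreach ($diskId in $diskIds) {
    if (-not $diskId) { continue }   # unmanaged (blob) disks carry no disk resource

    # A managed disk may live in a different resource group than the VM,
    # so take both the group and the disk name from the resource ID.
    if ($diskId -notmatch '/resourceGroups/([^/]+)/providers/Microsoft\.Compute/disks/([^/]+)$') {
        Write-Warning "Unrecognised disk ID: $diskId"
        continue
    }
    $diskRg, $diskName = $Matches[1], $Matches[2]
    $disk = Get-AzDisk -ResourceGroupName $diskRg -DiskName $diskName

    # Azure Disk Encryption records the Key Vault secret that wraps the
    # BitLocker/dm-crypt key in EncryptionSettingsCollection.
    $settings = $disk.EncryptionSettingsCollection.EncryptionSettings
    if (-not $settings) {
        [pscustomobject]@{ Disk = $diskName; Vault = $null; Secret = 'no ADE settings recorded' }
        continue
    }

    foreach ($entry in $settings) {
        # The secret URL has the form https://<vault>.vault.azure.net/secrets/<name>/<version>
        $uri = [uri] $entry.DiskEncryptionKey.SecretUrl
        $vaultName = $uri.Host.Split('.')[0]
        $segments = $uri.AbsolutePath.Trim('/').Split('/')
        $secretName, $secretVersion = $segments[1], $segments[2]

        # Fetch that exact version; Tags is a hashtable populated by the ADE extension.
        $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Version $secretVersion

        [pscustomobject]@{
            Disk         = $diskName
            Vault        = $vaultName
            Secret       = $secretName
            Version      = $secretVersion
            MachineName  = $secret.Tags['MachineName']    # tag names assumed
            VolumeLetter = $secret.Tags['VolumeLetter']
            VolumeLabel  = $secret.Tags['VolumeLabel']
        }
    }
}
```

Because the script resolves the vault and the secret version from the disk itself rather than from a listing, its output is the authoritative answer to "which Key Vault must survive for this VM to remain recoverable"; run it over every VM in a subscription before deleting or moving a vault, and any row whose `Vault` column names the vault you are about to remove is a VM you would lose.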