File level restore on an encrypted Azure virtual machine

While I was delivering an Azure workshop on Azure Backup at a customer site, the following questions came up:

  • On a VM that has encrypted disks, how can we restore it?
  • What is the solution to restore at the file level (files or folders) without restoring the entire VM?

In the Microsoft Azure Backup documentation – Backup Azure VM Encryption, the limitation is documented: “Encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files and folders.” But this isn’t practical for large VM disks that require frequent file restores. So, what is the solution?

In this particular case, after some research, the solution available besides restoring the entire VM is to restore the disk only, and from there recover the files or folders that you might need.
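A disk-only restore with the Az PowerShell module, as an added example that is not part of the original post. The vault, VM, storage account and resource group names are placeholders (assumptions), and the restored disks are assumed to be managed disks.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
$vaultRg     = 'rg-backup'         # resource group of the Recovery Services vault
$vaultName   = 'rsv-prod'          # Recovery Services vault that protects the VM
$vmName      = 'vm-encrypted01'    # the encrypted VM that was backed up
$stagingSa   = 'strestorestaging'  # storage account used as the restore staging area
$stagingSaRg = 'rg-backup'
$targetRg    = 'rg-restore'        # resource group that receives the restored disks

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $vaultRg -Name $vaultName

# Locate the backup item that belongs to the VM.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $vmName -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container `
    -WorkloadType AzureVM -VaultId $vault.ID

# Take the newest recovery point from the last 7 days; stop if there is none.
$rps = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item `
    -StartDate (Get-Date).AddDays(-7).ToUniversalTime() `
    -EndDate (Get-Date).ToUniversalTime() -VaultId $vault.ID
if (-not $rps) { throw "No recovery point found for $vmName in the last 7 days." }
$rp = $rps | Sort-Object RecoveryPointTime -Descending | Select-Object -First 1

# Restore the disks only. No VM is created by this job.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
    -StorageAccountName $stagingSa -StorageAccountResourceGroupName $stagingSaRg `
    -TargetResourceGroupName $targetRg -VaultId $vault.ID
$job = Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 43200 -VaultId $vault.ID
if ($job.Status -ne 'Completed') { throw "Restore job ended with status $($job.Status)." }

# List the restored disks. The keys they depend on must still exist in your
# Key Vault before the files on them can be read.
Get-AzDisk -ResourceGroupName $targetRg | Select-Object Name, DiskSizeGB, TimeCreated
```

From there, a restored disk can be attached to a VM as a data disk so the needed files or folders can be copied out.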

Keep in mind that, for security and privacy reasons, Microsoft doesn’t have access to our private keys when encryption is enabled. We are responsible for those private keys. They might generate those for you, but besides that, the keys should be in a Key Vault.

In this case, when you encrypt the disks on a VM, you are limiting the restore functionality of Azure Backup. So planning is always recommended when it comes to these features. Otherwise, you might run into this kind of question.


Marcos Nogueira
Azure MVP
Twitter: @mdnoga

Marcos Nogueira

With more than 18 years of experience in Datacenter Architectures, Marcos Nogueira is currently working as a Principal Cloud Solution Architect. He is an expert in Private and Hybrid Cloud, with a focus on Microsoft Azure, Virtualization and System Center. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Gas & Oil in different countries and continents. Marcos was a Canadian MVP in System Center Cloud & Datacenter Management and he has +14 years as Microsoft Certified, with more than 100+ certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He assisted Microsoft in the development of workshops and special events on Private & Hybrid Cloud, Azure, System Center, Windows Server, Hyper-V and as a speaker at several Microsoft TechEd/Ignite and community events around the world.
