Merge pull request #304447 from AbhishekMallick-MS/Aug-20-2025-Freshness

prmerger-automator[bot] · web-flow · commit 1be20819fa27 · 2025-08-20T08:31:21.000Z
Freshness/Page views improvement initiative - Restore VM secrets
diff --git a/articles/backup/backup-azure-restore-key-secret.md b/articles/backup/backup-azure-restore-key-secret.md
@@ -1,31 +1,33 @@
 ---
-title: Restore Key Vault key & secret for encrypted VM
-description: Learn how to restore Key Vault key and secret in Azure Backup using PowerShell
+title: Restore Key Vault key & secret for encrypted Azure VM
+description: Learn how to restore Key Vault key and secret for encrypted VMs via Azure PowerShell using Azure Backup.
 ms.topic: how-to
 ms.custom: devx-track-azurepowershell
-ms.date: 09/04/2024
+ms.date: 08/20/2025
 author: AbhishekMallick-MS
 ms.author: v-mallicka
 # Customer intent: As a system administrator managing encrypted virtual machines, I want to restore keys and secrets to Azure Key Vault, so that I can successfully recover and create encrypted VMs from backup without losing data integrity and security.
 ---
 # Restore Key Vault key and secret for encrypted VMs using Azure Backup
 
-This article talks about using Azure VM Backup to perform restore of encrypted Azure VMs, if your key and secret don't exist in the key vault. These steps can also be used if you want to maintain a separate copy of the key (Key Encryption Key) and secret (BitLocker Encryption Key) for the restored VM.
+This article describes how to use Azure VM Backup to restore encrypted Azure Virtual Machines (VMs) when the original key and secret aren't available in the Key Vault. It's also applicable for scenarios where you want to maintain a separate copy of the key (Key Encryption Key) and secret (BitLocker Encryption Key) for the restored VM.
 
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
 
 ## Prerequisites
 
-* **Backup encrypted VMs** - Encrypted Azure VMs have been backed up using Azure Backup. Refer to the article [Manage backup and restore of Azure VMs using PowerShell](backup-azure-vms-automation.md) for details about how to back up encrypted Azure VMs.
+Before you begin restoring an encrypted VM, ensure the following prerequisites are met:
+
+* **Backup encrypted VMs** - Encrypted Azure VMs are backed up using Azure Backup. Refer to the article [Manage backup and restore of Azure VMs using PowerShell](backup-azure-vms-automation.md) for details about how to back up encrypted Azure VMs.
 * **Configure Azure Key Vault** – Ensure that key vault to which keys and secrets need to be restored is already present. Refer to the article [Get Started with Azure Key Vault](/azure/key-vault/general/overview) for details about key vault management.
-* **Restore disk** - Ensure that you've triggered the restore job for restoring disks for encrypted VM using [PowerShell steps](backup-azure-vms-automation.md#restore-an-azure-vm). This is because this job generates a JSON file in your storage account containing keys and secrets for the encrypted VM to be restored.
+* **Restore disk** - Ensure that you trigger the restore job for restoring disks for encrypted VM using [PowerShell steps](backup-azure-vms-automation.md#restore-an-azure-vm) so that this job generates a JSON file in your storage account containing keys and secrets for the encrypted VM to be restored.
 
 ## Get key and secret from Azure Backup
 
 > [!NOTE]
-> Once disk has been restored for the encrypted VM, ensure that:
+> Once disk is restored for the encrypted VM, ensure that:
 >
-> * $details is populated with restore disk job details, as mentioned in [PowerShell steps in Restore the Disks section](backup-azure-vms-automation.md#restore-an-azure-vm)
+> * $details are populated with restore disk job details, as mentioned in [PowerShell steps in Restore the Disks section](backup-azure-vms-automation.md#restore-an-azure-vm)
 > * VM should be created from restored disks only **after key and secret is restored to key vault**.
 
 Query the restored disk properties for the job details.
@@ -48,7 +50,7 @@ $encryptionObject = Get-Content -Path $destination_path  | ConvertFrom-Json
 
 ## Restore key
 
-Once the JSON file is generated in the destination path mentioned above, generate key blob file from the JSON and feed it to restore key cmdlet to put the key (KEK) back in the key vault.
+Once the JSON file is generated in the mentioned destination path, generate key blob file from the JSON and feed it to restore key cmdlet to put the key (KEK) back in the key vault.
 
 ```powershell
 $keyDestination = 'C:\keyDetails.blob'
@@ -58,7 +60,7 @@ Restore-AzKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestin
 
 ## Restore secret
 
-Use the JSON file generated above to get secret name and value and feed it to set secret cmdlet to put the secret (BEK) back in the key vault. Use these cmdlets if your **VM is encrypted using BEK and KEK**.
+Use the generated JSON file to get secret name and value and feed it to set secret cmdlet to put the secret - BitLocker Encryption Key (BEK) back in the key vault. Use these cmdlets if your **VM is encrypted using BEK and KEK**.
 
 **Use these cmdlets if your Windows VM is encrypted using BEK and KEK.**
 
@@ -80,7 +82,7 @@ $Tags = @{'DiskEncryptionKeyEncryptionAlgorithm' = 'RSA-OAEP';'DiskEncryptionKey
 Set-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -Name $secretname -SecretValue $Secret -ContentType  'Wrapped BEK' -Tags $Tags
 ```
 
-Use the JSON file generated above to get secret name and value and feed it to set secret cmdlet to put the secret (BEK) back in the key vault. Use these cmdlets if your **VM is encrypted using BEK** only.
+Use the generated JSON file to get secret name and value and feed it to set secret cmdlet to put the secret (BEK) back in the key vault. Use these cmdlets if your **VM is encrypted using BEK** only.
 
 ```powershell
 $secretDestination = 'C:\secret.blob'
@@ -97,11 +99,11 @@ Restore-AzKeyVaultSecret -VaultName '<target_key_vault_name>' -InputFile $secret
 
 ## Create virtual machine from restored disk
 
-If you've backed up encrypted VM using Azure VM Backup, the PowerShell cmdlets mentioned above help you restore key and secret back to the key vault. After restoring them, refer to the article [Manage backup and restore of Azure VMs using PowerShell](backup-azure-vms-automation.md#create-a-vm-from-restored-disks) to create encrypted VMs from restored disk, key, and secret.
+If you back up encrypted VM using Azure VM Backup, the preceding PowerShell cmdlets help you restore key and secret back to the key vault. After restoring them, refer to the article [Manage backup and restore of Azure VMs using PowerShell](backup-azure-vms-automation.md#create-a-vm-from-restored-disks) to create encrypted VMs from restored disk, key, and secret.
 
 ## Legacy approach
 
-The approach mentioned above would work for all the recovery points. However, the older approach of getting key and secret information from recovery point, would be valid for recovery points older than July 11, 2017 for VMs encrypted using BEK and KEK. Once restore disk job is complete for encrypted VM using [PowerShell steps](backup-azure-vms-automation.md#restore-an-azure-vm), ensure that $rp is populated with a valid value.
+The preceding approach works for all the recovery points. However, the older approach of getting key and secret information from recovery point, would be valid for recovery points older than July 11, 2017 for VMs encrypted using BEK and KEK. Once restore disk job is complete for encrypted VM using [PowerShell steps](backup-azure-vms-automation.md#restore-an-azure-vm), ensure that $rp is populated with a valid value.
 
 ### Restore key (legacy approach)
 
diff --git a/articles/backup/backup-azure-vms-encryption.md b/articles/backup/backup-azure-vms-encryption.md
@@ -2,7 +2,7 @@
 title: Back up and restore encrypted Azure VMs
 description: Describes how to back up and restore encrypted Azure VMs with the Azure Backup service.
 ms.topic: how-to
-ms.date: 05/07/2025
+ms.date: 08/20/2025
 ms.service: azure-backup
 author: AbhishekMallick-MS
 ms.author: v-mallicka
@@ -214,3 +214,5 @@ If you run into any issues, review these articles:
 
 - [Common errors](backup-azure-vms-troubleshoot.md) when backing up and restoring encrypted Azure VMs.
 - [Azure VM agent/backup extension](backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md) issues.
+- [Restore Key Vault key and secret for encrypted VMs using Azure Backup](backup-azure-restore-key-secret.md).
+
diff --git a/articles/backup/restore-azure-encrypted-virtual-machines.md b/articles/backup/restore-azure-encrypted-virtual-machines.md
@@ -2,7 +2,7 @@
 title: Restore encrypted Azure VMs
 description: Describes how to restore encrypted Azure VMs with the Azure Backup service.
 ms.topic: how-to
-ms.date: 06/23/2025
+ms.date: 08/20/2025
 author: AbhishekMallick-MS
 ms.author: v-mallicka
 # Customer intent: "As an IT administrator, I want to restore encrypted Azure virtual machines using the Azure Backup service, so that I can ensure data recovery while maintaining security compliance."
@@ -14,6 +14,8 @@ This article describes how to restore Windows or Linux Azure virtual machines (V
 > [!Note]
 > This article is applicable to virtual machines encrypted with Azure Disk encryption. For more information on ADE and how it differs from other disk encryption types in Azure, see [Disk Encryption Overview](/azure/virtual-machines/disk-encryption-overview).
 
+You can also restore Key Vault key and secret for encrypted VMs using Azure Backup. [Learn more](backup-azure-restore-key-secret.md).
+
 ## Before you start
 
 Review the known limitations before you start restore of an encrypted VM
