For Azure VMs encrypted with customer-managed encryption keys in the Azure Key Vault, full VM restores (from streaming backups only) complete successfully; however, the customer-managed encryption key settings or disk encryption sets (DES) are not applied to the destination VM. You must manually apply the DES settings to the destination VM.
Procedure
-
Power off the destination VM.
-
Go to the Azure portal.
-
On the Disks blade, select the disk that you want enabled with disk encryption.
-
On the disk page, select Encryption.
-
In the Encryption type dropdown box, select Encryption at-rest with a customer-managed key option.
The Disk encryption set dropdown box appears.
-
Select the disk encryption set you want to enable on the disk.
Note
Verify that you have a disk encryption set (DES) present on the location you are restoring the VM to.