Configuring Disk Encryption Sets on Destination VM


On this page

For Azure VMs encrypted with customer-managed encryption keys in the Azure Key Vault, full VM restores (from streaming backups only) complete successfully; however, the customer-managed encryption key settings or disk encryption sets (DES) are not applied to the destination VM. You must manually apply the DES settings to the destination VM.


  1. Power off the destination VM.

  2. Go to the Azure portal.

  3. On the Disks blade, select the disk that you want enabled with disk encryption.

  4. On the disk page, select Encryption.

  5. In the Encryption type dropdown box, select Encryption at-rest with a customer-managed key option.

    The Disk encryption set dropdown box appears.

  6. Select the disk encryption set you want to enable on the disk.

    Note: Verify that you have a disk encryption set (DES) present on the location you are restoring the VM to.