If you are using the Recovery Services Agent (MARS) to back up your servers to an Azure Recovery Services vault, you know you need a passphrase, which is used to encrypt the backup data.
Until now, this passphrase had to be stored in some secure location.
Well, good news: you can now use Azure Key Vault to save and manage this passphrase.
You should use only one Key Vault to save and manage all your MARS passphrases.
The Key Vault must be configured to allow MARS to access, use and manage the passphrases.
- Configure your recovery service vault to use Managed Identity; from the Settings\Identity blade, turn on the System Managed Identity and grab the object ID
or with the PowerShell command
# Turn on the system-assigned managed identity on the recovery vault
Update-AzRecoveryServicesVault -IdentityType SystemAssigned -ResourceGroupName "<resource group where the recovery vault is>" -Name "<name of the recovery vault>"
# Re-read the vault after the update so the Identity property (object/principal id) is populated
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "<resource group where the recovery vault is>" -Name "<name of the recovery vault>"
$vault.Identity | fl
- Assign permission to the Key Vault using role-based access control (recommended; if the Key Vault uses the Vault access policy permission model instead, just grant the managed identity the Set permission on secrets); from the Settings\Access configuration blade, assign the built-in role Key Vault Secrets Officer, or a custom role with the equivalent permission, to the recovery vault managed identity
or with the PowerShell command
# Find the service principal (application id) of your recovery services vault's managed identity
Get-AzADServicePrincipal -SearchString "<name of the recovery vault>"
# Identify a role with Set permission on secrets, such as Key Vault Secrets Officer
Get-AzRoleDefinition | Format-Table -Property Name, IsCustom, Id
Get-AzRoleDefinition -Name "Key Vault Secrets Officer"
# Assign the role to the Recovery Services vault identity by its ApplicationId, scoped to the Key Vault only
New-AzRoleAssignment -RoleDefinitionName 'Key Vault Secrets Officer' -ApplicationId <application id, e.g. 8ee5237a-816b-4a72-b605-446970e5f156> -Scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>
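The two steps above (enable the managed identity, then grant it Key Vault access) as one added PowerShell script; this is an example written for this post, not code from Microsoft or from the original text. It assumes the Az.RecoveryServices, Az.KeyVault and Az.Resources modules, and all resource names are placeholders. It goes slightly beyond the text in two ways a practitioner will want: it checks which permission model the Key Vault actually uses (RBAC vs. access policy) and applies the matching grant, and it scopes the role assignment to the single Key Vault rather than the resource group or subscription.

```powershell
# Added example (not from the original post): enable the Recovery Services vault
# managed identity and grant it only what MARS needs on one Key Vault.
# All names below are placeholders; replace them with your own.
$rg      = '<resource-group-of-recovery-vault>'
$rsvName = '<recovery-services-vault-name>'
$kvRg    = '<resource-group-of-key-vault>'     # may differ from $rg
$kvName  = '<key-vault-name>'

# 1. Turn on the system-assigned managed identity, then re-read the vault
#    so the Identity property is populated.
Update-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName -IdentityType SystemAssigned | Out-Null
$vault       = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName
$principalId = $vault.Identity.PrincipalId
if (-not $principalId) { throw "No managed identity found on recovery vault '$rsvName'" }

# 2. Grant access on the Key Vault, scoped to that vault only.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $kvRg
if ($kv.EnableRbacAuthorization) {
    # RBAC permission model: built-in role with Set permission on secrets.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId `
                    -RoleDefinitionName 'Key Vault Secrets Officer' -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets Officer' `
                             -Scope $kv.ResourceId | Out-Null
    }
    Get-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId |
        Format-Table RoleDefinitionName, Scope
}
else {
    # Access policy permission model: only the Set permission on secrets is required.
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $kvRg `
                               -ObjectId $principalId -PermissionsToSecrets set
    (Get-AzKeyVault -VaultName $kvName -ResourceGroupName $kvRg).AccessPolicies |
        Where-Object ObjectId -eq $principalId | Format-Table ObjectId, PermissionsToSecrets
}

# 3. The value you will type into the MARS agent console.
"Key Vault URI for the MARS agent: $($kv.VaultUri)"
```

Using `-ObjectId` with the principal id read from the vault avoids the `Get-AzADServicePrincipal -SearchString` lookup, which can match more than one principal if names overlap. If `Get-AzRoleAssignment` still shows nothing after `New-AzRoleAssignment`, wait a minute and re-run the query: role assignments can take a short while to propagate.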
You will need to provide the Key Vault URI; you can get this URI from the Overview blade of the Key Vault
Now you can save your passphrase in the Key Vault during the initial installation and configuration of the MARS agent by providing the Key Vault URI
If you want to do so with an already registered MARS agent, just launch the MARS agent console, which will let you know your passphrase is not saved in Key Vault
Just click on the Click here link shown to start saving the passphrase in the Key Vault by turning on Save passphrase securely to Azure Key Vault and providing the Key Vault URI; note that you will need to generate a new passphrase
You can check that the passphrase has been saved by accessing (if you have the permission) the Secrets blade of the Key Vault
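The same check from PowerShell, as an added example that is not part of the original post. It lists secret metadata only (name, enabled flag, timestamps) and never pulls the secret value, so it can be run from an operator session or a scheduled job without exposing the passphrase. The Key Vault name is a placeholder; it assumes the Az.KeyVault module and that your own account has list permission on secrets.

```powershell
# Added example (not from the original post): confirm the MARS passphrase
# reached the Key Vault without reading its value.
$kvName = '<key-vault-name>'   # placeholder

# Listing secrets returns identity items only; no secret value is retrieved.
$secrets = Get-AzKeyVaultSecret -VaultName $kvName

if (-not $secrets) {
    Write-Warning "No secrets in '$kvName': the MARS agent has not saved a passphrase yet, or this account lacks list permission."
}
else {
    $secrets | Sort-Object Updated -Descending |
        Format-Table Name, Enabled, Created, Updated, ContentType

    # Flag anything disabled or past its expiry date, which would leave a restore without a usable passphrase.
    $problems = $secrets | Where-Object { -not $_.Enabled -or ($_.Expires -and $_.Expires -lt (Get-Date)) }
    if ($problems) {
        Write-Warning ("Disabled or expired secrets: " + ($problems.Name -join ', '))
    }
}
```

If the agent reported success but nothing appears here, check the role assignment (or access policy) on the recovery vault identity first; a missing Set permission on secrets is the usual cause.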