N2WS-22828 & N2WS-22849 - Fix handling of disk encryption set during backup & recovery

N2WS-22828 & N2WS-22849 - Fix handling of disk encryption set during backup & recovery

Issue:
Azure recovery for encrypted disks fails with DiskEncryptionSet was not found error
Info Recovery session started < type: virtual_machine, policy: AZ_DR_Encrypt, account: AzureMainAcct >
info Starting recovery of virtual machine's disks
Error Failed recovering disk (original: TestVM_OsDisk_1_12345, snapshot: cpm-policy-14-1-2023-9-26-11-18-38-447003_copy_2023-9-26-11-18-54-14613). Error: DiskEncryptionSet '/subscriptions/f29fac-8853-43a5-a4m7d-7d9cc1/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myCMK' was not found. (HttpResponseError)


Solution:
Patch for v4.2.1 is available and attached to this KB. 

This patch include two fixes,  one is for issue with Encryption Set Selection During VM Recovery Process
Second is adding support for custom encryption during Disk DR, after deploying the patch, when doing DR backup you can pass a Disk Encryption Set id to be used for target location. 
We are using tags to do it. Custom tags can be add to specific disk, or to VM (to encrypt all snapshots with same key).

Tag format:
name: cpm_dr_disk_encryption or cpm_dr_disk_encryption:LOCATION
value: Disk Encryption Set ID.

    • Related Articles

    • CPM supports custom encryption keys for DR

      To support the usage of a custom encryption key for DR, you will need to perform the following: In the account where the custom key resides: Go to KMS and browse to the key you wish to share. Go to the "Other AWS accounts" at the bottom of the page ...

    • cpmdata volume disk usage growth due to binlog

      Background: In version 4.2.x, we have upgraded MySQL DB from version 5 to version 8, this changed the default parameter that determines how many binlog file to keep from 10 days to 30 days. This might result in increase in the size the MySQL DB take ...

    • EBS/RDS DR & Recovery with KMS key

      When copying cross account an EBS/RDS Volume encrypted with custom KMS, a KMS key should also be available in the other account. There are 2 ways that CPM uses for checking KMS key - Alias & Tag KMS Tag When using custom tag, you are telling CPM to ...

    • N2WS-13434 - Backup archived to Glacier disappears from the Backup Monitor

      Issue summary Archive backups records might be deleted before their retention period. Issue description A backup record that contains Only archived backup(s), and Does not contain AWS snapshots nor S3 backups or cleanup process deleted all the ...

    • Recovery of an encrypted volume may fail: "Not authorized to use key"

      Issue: Performing a cross account recovery of an encrypted volume, or of an instance containing an encrypted volume may not work if the target account cannot access the encryption key from the source account. Error may appear in the CPM Server log as ...