Hi,
Following the CIS Microsoft Azure Foundation, we have to set an expiration date on all our keys/secrets in the Azure Key Vault, including the ADE secrets (BEK).
1. What happens when the keys expire? Do we have to manually re-enable the disk encryption (using scripts/automation) or is it done in the background, impervious to users?
2. How about the ASR? Do we need to re-enable ASR or run some scripts/automation in order to update the BEK, or is it done in the background automatically?
3. How about Backups? Is there a system to restore backups done with the old BEK? Or do we have to redo the backups?
4. What is the procedure for restoring backups of ADE encrypted VMs to a paired DR region (if the primary region goes down)? Not using ASR!
As you can see, all my questions are related ONLY to the ADE (Azure Disk Encryption) using KeyVault with Microsoft managed keys.
Thank you,
Adrian.
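The control Adrian is working from (an expiration date on every Key Vault key and secret) can at least be audited before any expiry bites. The script below is an added example, not part of the original post and not Microsoft tooling; it assumes the secret inventory is shaped like the JSON printed by `az keyvault secret list` (an `id` URL plus `attributes.enabled` and `attributes.expires`), and the sample inventory is constructed, including the ADE BEK name. It does not answer what ADE, ASR or Backup do when a BEK secret expires; it only shows which secrets have no expiry, which are already past it, and which are due within a warning window, so those can be dealt with before they become the situation the questions describe.

```python
"""Audit a Key Vault secret inventory for missing, past or imminent expiry dates."""
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `az keyvault secret list` output
# (assumed fields: id, attributes.enabled, attributes.expires). Not real data.
SAMPLE_SECRETS = [
    {"id": "https://kv-demo.vault.azure.net/secrets/app-db-password",
     "attributes": {"enabled": True, "expires": "2024-06-01T00:00:00+00:00"}},
    {"id": "https://kv-demo.vault.azure.net/secrets/legacy-api-key",
     "attributes": {"enabled": True, "expires": None}},
    {"id": "https://kv-demo.vault.azure.net/secrets/ade-bek-vm01",   # made-up BEK name
     "attributes": {"enabled": True, "expires": "2024-03-20T00:00:00Z"}},
    {"id": "https://kv-demo.vault.azure.net/secrets/rotated-cert-pw",
     "attributes": {"enabled": False, "expires": "2023-12-31T00:00:00+00:00"}},
]


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp (with 'Z' or an offset) into an aware datetime; None stays None."""
    if value is None:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def secret_name(secret):
    """Last path segment of the secret id URL, e.g. 'app-db-password'."""
    return secret["id"].rstrip("/").rsplit("/", 1)[-1]


def audit_secrets(secrets, now=None, warn_days=30):
    """Bucket each secret as no_expiry, expired, expiring_soon or ok.

    `now` may be an aware datetime, an ISO timestamp string, or None (current UTC time).
    Disabled secrets are still reported: an expiry date is required on all of them.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    report = {"no_expiry": [], "expired": [], "expiring_soon": [], "ok": []}
    for secret in secrets:
        name = secret_name(secret)
        expires = parse_timestamp(secret.get("attributes", {}).get("expires"))
        if expires is None:
            report["no_expiry"].append(name)
        elif expires <= now:
            report["expired"].append(name)
        elif expires - now <= timedelta(days=warn_days):
            report["expiring_soon"].append(name)
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    # Fixed reference time so the sample output is reproducible.
    for bucket, names in audit_secrets(SAMPLE_SECRETS, now="2024-03-01T00:00:00+00:00").items():
        print(f"{bucket:14s} {', '.join(names) or '-'}")
```

In practice the inventory comes from `az keyvault secret list --vault-name <vault> -o json` fed to `audit_secrets` via `json.load`; the `no_expiry` bucket is the CIS finding, and `expiring_soon` is the list to check against whatever the ADE, ASR and Backup answers turn out to be before the date arrives.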