Full backup and restore
Note
This feature is only available for resource type managed HSM.
Managed HSM supports creating a full backup of the entire contents of the HSM including all keys, versions, attributes, tags, and role assignments. The backup is encrypted with cryptographic keys associated with the HSM's security domain.
Backup is a data plane operation. The caller initiating the backup operation must have permission to perform dataAction Microsoft.KeyVault/managedHsm/backup/start/action.
Only the following built-in roles have permission to perform a full backup:
- Managed HSM Administrator
- Managed HSM Backup
You must provide the following information to execute a full backup:
- HSM name or URL
- Storage account name
- Storage account blob storage container
- Storage container SAS token with permissions crdw
Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.
To start Azure Cloud Shell:
- Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
- Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To use Azure Cloud Shell:
- Start Cloud Shell.
- Select the Copy button on a code block (or command block) to copy the code or command.
- Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
- Select Enter to run the code or command.
Full backup
Backup is a long-running operation but immediately returns a Job ID. You can check the status of the backup process using this Job ID. The backup process creates a folder inside the designated container with the following naming pattern: mhsm-{HSM_NAME}-{YYYY}{MM}{DD}{HH}{mm}{SS}, where HSM_NAME is the name of the managed HSM being backed up and YYYY, MM, DD, HH, mm, SS are the year, month, day, hour, minutes, and seconds (UTC) of the date/time when the backup command was received.
While the backup is in progress, the HSM may not operate at full throughput as some HSM partitions will be busy performing the backup operation.
Important
Public internet access must not be blocked from the storage accounts being used to backup or restore resources.
```bash
# Time 500 minutes from now, used as the SAS token expiry
end=$(date -u -d "500 minutes" '+%Y-%m-%dT%H:%MZ')
# Get storage account key
skey=$(az storage account keys list --query '[0].value' -o tsv --account-name mhsmdemobackup --subscription a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b)
# Create a container
az storage container create --account-name mhsmdemobackup --name mhsmdemobackupcontainer --account-key "$skey"
# Generate a container SAS token with the crdw permissions backup requires
sas=$(az storage container generate-sas -n mhsmdemobackupcontainer --account-name mhsmdemobackup --permissions crdw --expiry "$end" --account-key "$skey" -o tsv --subscription a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b)
# Backup HSM (returns a Job ID immediately)
az keyvault backup start --hsm-name mhsmdemo2 --storage-account-name mhsmdemobackup --blob-container-name mhsmdemobackupcontainer --storage-container-SAS-token "$sas" --subscription 361da5d4-a47a-4c79-afdd-d66f684f4070
```
Full restore
Full restore allows you to completely restore the contents of the HSM with a previous backup, including all keys, versions, attributes, tags, and role assignments. Everything currently stored in the HSM will be wiped out, and it will return to the same state it was in when the source backup was created.
Important
Full restore is a very destructive and disruptive operation. Therefore, it is mandatory to have completed a full backup at least 30 minutes before a restore operation can be performed.
Restore is a data plane operation. The caller starting the restore operation must have permission to perform dataAction Microsoft.KeyVault/managedHsm/restore/start/action. The source HSM where the backup was created and the destination HSM where the restore will be performed must have the same Security Domain. See more about Managed HSM Security Domain.
You must provide the following information to execute a full restore:
- HSM name or URL
- Storage account name
- Storage account blob container
- Storage container SAS token with permissions rl
- Storage container folder name where the source backup is stored
Restore is a long-running operation but immediately returns a Job ID. You can check the status of the restore process using this Job ID. While the restore process is in progress, the HSM enters restore mode and all data plane commands (except checking the restore status) are disabled.
```bash
# Time 500 minutes from now, used as the SAS token expiry
end=$(date -u -d "500 minutes" '+%Y-%m-%dT%H:%MZ')
# Get storage account key
skey=$(az storage account keys list --query '[0].value' -o tsv --account-name mhsmdemobackup --subscription a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b)
# Generate a container SAS token with the rl permissions restore requires
sas=$(az storage container generate-sas -n mhsmdemobackupcontainer --account-name mhsmdemobackup --permissions rl --expiry "$end" --account-key "$skey" -o tsv --subscription a1ba9aaa-b7f6-4a33-b038-6e64553a6c7b)
# Restore HSM from the named backup folder (returns a Job ID immediately)
az keyvault restore start --hsm-name mhsmdemo2 --storage-account-name mhsmdemobackup --blob-container-name mhsmdemobackupcontainer --storage-container-SAS-token "$sas" --backup-folder mhsm-mhsmdemo-2020083120161860
```
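The following script is an added example and is not part of the Azure documentation or the Azure CLI. It runs offline pre-flight checks for the backup and restore steps above: that a container SAS token carries the permissions each operation needs (crdw for backup, rl for restore), that a backup folder name follows the documented mhsm-{HSM_NAME}-{YYYY}{MM}{DD}{HH}{mm}{SS} pattern for the expected HSM, and that the backup is at least 30 minutes old before a restore is attempted. The SAS strings and the epoch arithmetic are constructed for the example; no az commands are run.

```shell
#!/bin/sh
# Added example, not from the Azure docs: offline pre-flight checks for the
# Managed HSM backup/restore workflow. No az commands are invoked.

# Does the SAS token's sp= query parameter carry every required permission?
# Backup start needs crdw, restore start needs rl (and no more: least privilege).
sas_has_permissions() {
  perms=$(printf '%s' "$1" | tr '&' '\n' | sed -n 's/^sp=//p')
  [ -n "$perms" ] || return 1
  for c in $(printf '%s' "$2" | sed 's/./& /g'); do
    case "$perms" in *"$c"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Days since 1970-01-01 for a civil date (Howard Hinnant's algorithm), so the
# check works without GNU date -d. Leading zeros are stripped for sh arithmetic.
days_from_civil() {
  y=${1#0}; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  echo $((era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468))
}

# Parse mhsm-{HSM_NAME}-{YYYY}{MM}{DD}{HH}{mm}{SS} and print the backup time as
# epoch seconds. Fails unless the folder is a backup of the expected HSM. Only
# the first 14 digits are used; the page's sample folder carries two extra.
backup_folder_epoch() {
  case "$1" in "mhsm-$2-"*) ts=${1#"mhsm-$2-"} ;; *) return 1 ;; esac
  case "$ts" in *[!0-9]*) return 1 ;; esac
  [ ${#ts} -ge 14 ] || return 1
  days=$(days_from_civil "$(echo "$ts" | cut -c1-4)" "$(echo "$ts" | cut -c5-6)" "$(echo "$ts" | cut -c7-8)")
  hh=$(echo "$ts" | cut -c9-10); mi=$(echo "$ts" | cut -c11-12); ss=$(echo "$ts" | cut -c13-14)
  echo $((days * 86400 + ${hh#0} * 3600 + ${mi#0} * 60 + ${ss#0}))
}

# The docs require a completed full backup at least 30 minutes before a
# restore. Succeeds if FOLDER (for HSM) is old enough relative to NOW_EPOCH.
restore_prereq_ok() {
  now=${3:-$(date -u +%s)}
  epoch=$(backup_folder_epoch "$1" "$2") || return 1
  [ $(((now - epoch) / 60)) -ge 30 ]
}

# Constructed sample values (not real tokens or signatures).
BACKUP_SAS='sv=2022-11-02&sp=crdw&se=2024-01-01T00:00Z&sig=EXAMPLE'
RESTORE_SAS='sv=2022-11-02&sp=rl&se=2024-01-01T00:00Z&sig=EXAMPLE'
FOLDER='mhsm-mhsmdemo-2020083120161860'
sas_has_permissions "$BACKUP_SAS" crdw && restore_prereq_ok "$FOLDER" mhsmdemo && echo "pre-flight ok"
```

In practice you would run these checks on the real `$sas` value and the chosen `--backup-folder` before calling `az keyvault restore start`, since a restore wipes the destination HSM.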
Next Steps
- See Manage a Managed HSM using the Azure CLI.
- Learn more about Managed HSM Security Domain