NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Volume encryption for Azure

You can encrypt disks in Azure using the following methods:

  • Default encryption, using Platform Managed Key (PMK)

  • Customer Managed Key (CMK) using Azure Key Vault

  • Double Encryption at rest

For more information on Azure encryption, refer to 'Data encryption models' section of Microsoft Azure documentation.

Table: Encryption for creating snapshots

Disk encryption                 Snapshot encryption
Platform Managed Key (PMK)      Same PMK is used as the source disk.
Customer Managed Key (CMK)      Same CMK is used as the source disk.
Double Encryption (PMK_CMK)     Same CMK is used as the source disk.

Table: Encryption for restoring snapshots

Snapshot encryption             Restored disk encryption
PMK                             Same PMK is used as the snapshot.
CMK                             Same CMK is used as the snapshot.
PMK_CMK                         Same CMK is used as the snapshot.

Table: Encryption for restoring from backup

Snapshot encryption             Restored disk encryption
PMK                             Same PMK is used as the source disk.
CMK                             Same CMK is used as the source disk.
PMK_CMK                         Same CMK as the source disk is used; otherwise PMK is used.

Table: Encryption during VM restore from snapshot or backup

Snapshot encryption             Restored disk encryption
PMK                             Encryption on disk can be PMK or CMK, as selected by the user during restore.
CMK                             Encryption on disk can be PMK or CMK, as selected by the user during restore.
PMK_CMK                         Encryption on disk can be PMK, CMK or PMK_CMK, as selected by the user during restore.

Assigning permissions to key vault used for encryption

To enable restore from snapshots or backups of VMs with CMK-encrypted disks, assign the following permissions on the key vault used for encryption:

  1. Create a new access policy in the desired Key Vault.

    For more information on Key Vault access policies, refer to the 'Assign a Key Vault access policy' section of the Microsoft Azure documentation.

  2. On the Permissions tab, add the following permissions from the respective sections under Key Permissions:

    Section                       Permission
    Key Management Operations     Get
    Cryptographic Operations      Wrap Key
    Cryptographic Operations      Unwrap Key

  3. On the Principal tab, select the Object ID of the service principal used in the provider configuration.

  4. Review and create the access policy.

  5. Repeat Step 1 to Step 4 to assign the same permissions to the Object ID of the service principal of the Disk Encryption Set.

Key vault: Azure role-based access control permission

When the key vault is created with the Azure role-based access control permission model:

  1. Add the Key Vault Reader role and assign the application service principal to it.

  2. Similarly, add the Key Vault Secrets Officer role and assign the application service principal to it.

    For more information, refer to the 'Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control' section of the Microsoft Azure documentation.

System managed identity: Enabled

If system managed identity is enabled on NetBackup Snapshot Manager, assign the following roles to the managed identity:

Role                                          Managed identity
Key Vault Reader                              Virtual machine scale set
Key Vault Secrets Officer                     Virtual machine scale set
Key Vault Crypto Service Encryption User      App (Disk Encryption Set)

User managed identity: Enabled

If user managed identity is enabled on NetBackup Snapshot Manager, then assign the Key Vault Crypto Service Encryption User role to the user managed identity in the key vault.
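The access-policy procedure and the role-based access control sections above both reduce to the same question for an operator: does each principal (the application service principal or managed identity, and the Disk Encryption Set identity) hold exactly the permissions this page lists, and nothing beyond them? The following script is an added example and is not NetBackup Snapshot Manager or Cohesity code. It assumes the input shapes of `az keyvault show` (`properties.accessPolicies`, `properties.enableRbacAuthorization`) and `az role assignment list` (`principalId`, `roleDefinitionName`); the vault documents, role assignments and object IDs embedded in it are constructed placeholders, not captured from a real tenant.

```python
"""Audit a Key Vault's permissions against the requirements on this page.

Added example (not NetBackup Snapshot Manager / Cohesity code).  Two models:
  * access-policy model: the application service principal and the Disk
    Encryption Set (DES) service principal each need the key permissions
    Get, Wrap Key and Unwrap Key;
  * Azure RBAC model: the application identity needs Key Vault Reader and
    Key Vault Secrets Officer, and the DES identity needs Key Vault Crypto
    Service Encryption User.
Input shapes mirror `az keyvault show` (properties.accessPolicies,
properties.enableRbacAuthorization) and `az role assignment list`
(principalId, roleDefinitionName).  All IDs below are constructed placeholders.
"""
from __future__ import annotations

# Key permissions, lower-cased so they match the camelCase names az prints (wrapKey).
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

# RBAC roles required per principal kind, as listed on this page.
REQUIRED_RBAC_ROLES = {
    "app": {"Key Vault Reader", "Key Vault Secrets Officer"},
    "des": {"Key Vault Crypto Service Encryption User"},
}

# Constructed object IDs standing in for the real principals.
PRINCIPALS = {
    "app": "00000000-0000-0000-0000-0000000000a1",  # provider-configuration service principal
    "des": "00000000-0000-0000-0000-0000000000d1",  # Disk Encryption Set identity
}


def audit_access_policies(vault: dict) -> dict:
    """Per principal: key permissions missing from, and beyond, the page's list.

    Excess permissions are reported as a least-privilege check; the procedure
    on this page grants only Get, Wrap Key and Unwrap Key.
    """
    policies = vault.get("properties", {}).get("accessPolicies", [])
    by_oid = {p["objectId"]: p for p in policies}
    report = {}
    for kind, oid in PRINCIPALS.items():
        keys = by_oid.get(oid, {}).get("permissions", {}).get("keys", [])
        granted = {k.lower() for k in keys}
        report[kind] = {
            "missing": sorted(REQUIRED_KEY_PERMS - granted),
            "excess": sorted(granted - REQUIRED_KEY_PERMS),
        }
    return report


def audit_rbac_assignments(assignments: list) -> dict:
    """Per principal: required RBAC roles not held, and roles held beyond them."""
    report = {}
    for kind, oid in PRINCIPALS.items():
        held = {a["roleDefinitionName"] for a in assignments if a["principalId"] == oid}
        required = REQUIRED_RBAC_ROLES[kind]
        report[kind] = {"missing": sorted(required - held), "excess": sorted(held - required)}
    return report


def audit_vault(vault: dict, assignments: list) -> dict:
    """Run the audit that matches the vault's configured permission model."""
    rbac = bool(vault.get("properties", {}).get("enableRbacAuthorization", False))
    findings = audit_rbac_assignments(assignments) if rbac else audit_access_policies(vault)
    return {"model": "rbac" if rbac else "access-policy", "findings": findings}


# Constructed sample: access-policy vault where the app SP carries an extra
# 'delete' permission and the DES SP lacks Unwrap Key.
SAMPLE_VAULT_ACCESS_POLICY = {
    "name": "kv-example",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": PRINCIPALS["app"],
             "permissions": {"keys": ["get", "wrapKey", "unwrapKey", "delete"]}},
            {"objectId": PRINCIPALS["des"],
             "permissions": {"keys": ["get", "wrapKey"]}},
        ],
    },
}

# Constructed sample: RBAC vault where the DES identity has no role at all.
SAMPLE_VAULT_RBAC = {"name": "kv-example-rbac",
                     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}}
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRINCIPALS["app"], "roleDefinitionName": "Key Vault Reader"},
    {"principalId": PRINCIPALS["app"], "roleDefinitionName": "Key Vault Secrets Officer"},
]

if __name__ == "__main__":
    for vault, assignments in ((SAMPLE_VAULT_ACCESS_POLICY, []),
                               (SAMPLE_VAULT_RBAC, SAMPLE_ASSIGNMENTS)):
        result = audit_vault(vault, assignments)
        print(vault["name"], result["model"])
        for kind, finding in result["findings"].items():
            print(f"  {kind}: missing={finding['missing']} excess={finding['excess']}")
```

Against the constructed samples the access-policy vault reports an excess `delete` permission on the application service principal and a missing Unwrap Key on the Disk Encryption Set principal, and the RBAC vault reports the Disk Encryption Set identity without Key Vault Crypto Service Encryption User. For a real vault, replace the constructed object IDs with the ones from your provider configuration and Disk Encryption Set and feed in the JSON from the two `az` commands named above.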
