Rotating ADE KEK, adds two new secrets (Wrapped BEKs) for the same VM

Vasantha Raman A 21 Reputation points
2022-03-08T14:28:21.167+00:00

Hello All,

We enabled ADE for OS+DATA disk for two VMs (RHEL8 - with no data disk attached) with same KEK, using
az vm encryption enable -n vmname -g rsgrp --key-encryption-key kek --disk-encryption-keyvault keyvault-name --volume-type ALL --encrypt-format-all

We tried rotating the KEK for the two VMs by calling the same command above again, now with a newer version of the same KEK. On doing so, we observed that after some time delay, two more secrets of type Wrapped BEK, in addition to the existing ones, are added for each VM (initially two Wrapped BEK secrets were present and after rotation of the KEK it became six). We were expecting just one new secret. Unwrapped values of both the secrets were the same. Now, even though the VM encryption status shows only one of those as the ADE secret (obtained by az vm encryption show -n vmname), if we try to disable/delete the other newly obtained secret, the VM fails to start after a stop, citing "Failed to restart the virtual machine 'vmname'. Error: Error encountered when retrieving secret from the Key Vault with URL: https://kevaultname.vault.azure.net/secrets/secretname/secretversion. Make sure that the secret exists and Key Vault is enabled for volume encryption", even though the secret mentioned is very much present in the vault and is enabled.

Now, the questions are:

  1. Is this a bug, or is the system designed this way, or maybe the way we handle key rotation is wrong?
  2. If it is designed this way, will we be charged for the secrets stored in the vault?

Accepted answer
  1. Sumarigo-MSFT 46,126 Reputation points Microsoft Employee
    2022-03-17T07:29:50.533+00:00

    @Vasantha Raman A On key rotation you should expect to see new secrets generated not only per VM but per volume. In some cases you will see new versions of the secret instead of new secrets, but in the end they are treated in a very similar way: the encryption settings on each drive will be updated to point to the new secrets.

    If you so desire to clean up the Key Vault of unused secrets, the recommendation is to check the encryption settings of all the encrypted VMs and correlate them with the current content of each specific Key Vault, so you can be sure that you are not deleting a secret or a particular version that is being used. Then we strongly encourage you to take a backup of the secret, just in case a restore is needed. After a secret deletion it is a good idea to test whether the VM that was previously associated with it can safely be rebooted; if not, the secret should be restored and another case can be opened with us to check the reason why the secret in the encryption settings was not updated.

    We’re currently looking into the key rotation process and trying to identify any possible causes for your VMs to not start while deleting the secret that was not the one that is on the disk encryption settings for each individual disk.

    About the costs, I checked and the information is publicly available here: https://azure.microsoft.com/en-us/pricing/details/key-vault/. The costs associated with secrets are based on secret operations; you can check the cost there by region and currency. If you need more details about that, you can reach out to the sales team and they should be able to clarify.

    Please let us know if you have any further queries. I’m happy to assist you further.

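The check the accepted answer recommends (correlate every encrypted VM's disk encryption settings with the vault's contents before touching any Wrapped BEK secret) can be done offline from captured `az` output. The script below is an added example, not code from this thread or from Azure: it takes JSON captured from `az vm encryption show` (one object per VM) and from `az keyvault secret list-versions` (one list per secret name), lists which secret versions are still referenced by a disk, which are unreferenced, and whether any disk points at a version the vault cannot serve. The vault host, VM names, secret names and version strings are constructed sample values, and the field layout (`disks[].encryptionSettings[].diskEncryptionKey.secretUrl`, `id`, `attributes.enabled`) is assumed from the documented output of those commands.

```python
"""Correlate ADE encryption settings with Key Vault secret versions before cleanup.

Added example; not code from the Q&A thread or from Azure. Input shapes are
assumed from the documented `az vm encryption show` and
`az keyvault secret list-versions` output; all names below are constructed.
"""
from urllib.parse import urlparse

# Constructed sample: `az vm encryption show` for two VMs after the KEK rotation,
# one Wrapped BEK secret version referenced per disk.
VM_ENCRYPTION_SETTINGS = {
    "vm1": {"disks": [{"name": "vm1_OsDisk", "encryptionSettings": [{
        "enabled": True,
        "diskEncryptionKey": {"secretUrl":
            "https://examplevault.vault.azure.net/secrets/bek-vm1-b/3333"}}]}]},
    "vm2": {"disks": [{"name": "vm2_OsDisk", "encryptionSettings": [{
        "enabled": True,
        "diskEncryptionKey": {"secretUrl":
            "https://examplevault.vault.azure.net/secrets/bek-vm2/3333"}}]}]},
}

# Constructed sample: every Wrapped BEK version the vault holds. vm1 received a
# new secret name per rotation, vm2 received new versions of one name; the
# answer says both can happen, and (name, version) matching covers both.
VAULT_SECRET_VERSIONS = [
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm1-a/1111", "attributes": {"enabled": True}},
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm1-b/3333", "attributes": {"enabled": True}},
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm1-c/4444", "attributes": {"enabled": True}},
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm2/1111", "attributes": {"enabled": True}},
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm2/3333", "attributes": {"enabled": True}},
    {"id": "https://examplevault.vault.azure.net/secrets/bek-vm2/4444", "attributes": {"enabled": True}},
]


def parse_secret_url(url):
    """Split a Key Vault secret URL into (vault_host, name, version).

    version is None for an unversioned URL (.../secrets/name), which Key Vault
    resolves to whatever the current version is at access time.
    """
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret URL: {url}")
    version = parts[2] if len(parts) > 2 else None
    return parsed.netloc.lower(), parts[1].lower(), version


def secrets_in_use(vm_settings):
    """Map every Wrapped BEK reference to the VM/disk labels that depend on it."""
    refs = {}
    for vm_name, vm in vm_settings.items():
        for disk in vm.get("disks", []):
            for setting in disk.get("encryptionSettings", []):
                url = (setting.get("diskEncryptionKey") or {}).get("secretUrl")
                if url:
                    refs.setdefault(parse_secret_url(url), []).append(f"{vm_name}/{disk['name']}")
    return refs


def classify_vault_secrets(vault_versions, vm_settings):
    """Return (in_use, unreferenced) lists of versioned secret URLs.

    A version counts as in use if a disk points at it exactly, or at its name
    without a version (then every version is kept, since 'current' can move).
    """
    refs = secrets_in_use(vm_settings)
    in_use, unreferenced = [], []
    for entry in vault_versions:
        host, name, version = parse_secret_url(entry["id"])
        target = in_use if (host, name, version) in refs or (host, name, None) in refs else unreferenced
        target.append(entry["id"])
    return in_use, unreferenced


def missing_or_disabled(vault_versions, vm_settings):
    """Flag disk references whose secret version is absent from the vault or disabled.

    Any hit is the condition behind the 'Error encountered when retrieving
    secret from the Key Vault' boot failure: a disk needs a secret the vault
    will not serve.
    """
    present = {parse_secret_url(e["id"]): e.get("attributes", {}).get("enabled", True)
               for e in vault_versions}
    problems = []
    for key, disks in secrets_in_use(vm_settings).items():
        if key[2] is None:  # unversioned references are resolved by the vault
            continue
        if key not in present:
            problems.append((key, disks, "missing"))
        elif not present[key]:
            problems.append((key, disks, "disabled"))
    return problems


if __name__ == "__main__":
    keep, spare = classify_vault_secrets(VAULT_SECRET_VERSIONS, VM_ENCRYPTION_SETTINGS)
    print("referenced by a disk (keep):", *keep, sep="\n  ")
    print("unreferenced (back up, disable, test reboot before deleting):", *spare, sep="\n  ")
    for key, disks, why in missing_or_disabled(VAULT_SECRET_VERSIONS, VM_ENCRYPTION_SETTINGS):
        print(f"WARNING: {disks} reference {key}, which is {why}")
```

The classification only tells you what the encryption settings reference; the question shows a VM failing to boot after a secret outside those settings was removed, so treat "unreferenced" as a candidate list, not a delete list: run `az keyvault secret backup` on each name, disable the version with `az keyvault secret set-attributes --enabled false`, stop/start the VM, and only then delete, restoring immediately if `missing_or_disabled` or the boot test reports a problem.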

1 additional answer

  1. Sumarigo-MSFT 46,126 Reputation points Microsoft Employee
    2022-03-10T07:18:25.247+00:00

    @Vasantha Raman A Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    When you perform the key rotation, a new secret will be added, and what seems to be happening on a preliminary inspection is that you are getting one secret per volume type after the key rotation. The new secrets are associated with each individual disk and should not be deleted; that will prevent Azure from actually starting the VM.

    You can check which secret and key are associated with each individual disk by executing the commands posted here: https://video2.skills-academy.com/en-us/azure/virtual-machines/linux/how-to-verify-encryption-status#single-pass-1. The newly created secret and key should always exist and be valid and enabled.

    Currently the key rotation process doesn't delete the keys or secrets in the Key Vault, and that is to prevent breaking other resources that may be using that key or secret. You should be able to delete a secret that is not associated with any VM, and that will not break any VM or prevent it from booting.

    Are you trying to delete the newly created secret? That would be the reason the VMs are breaking.

    Please let us know if you have any further queries. I’m happy to assist you further.
