Manage Trusted launch Arc VM guest state protection key on Azure Stack HCI, version 23H2
Applies to: Azure Stack HCI, version 23H2
This article describes how to manage a Trusted launch Arc VM guest state protection key on Azure Stack HCI.
A VM guest state protection key is used to protect the VM guest state, like the vTPM state, while at rest in storage. It's not possible to boot up a Trusted launch Arc VM without the guest state protection key. The key is stored in a key vault in the Azure Stack HCI cluster where the VM is located.
Export and import the VM
The first step is to export the VM from the source Azure Stack HCI cluster and then import it into the target Azure Stack HCI cluster.
To export the VM from the source cluster, see Export-VM (Hyper-V).
To import the VM to the target cluster, see Import-VM (Hyper-V).
Transfer the VM guest state protection key
After you have exported and then imported the VM, use the following steps to transfer the VM guest state protection key from the source Azure Stack HCI cluster to the target Azure Stack HCI cluster:
1. On the target Azure Stack HCI cluster
Run the following commands from the target Azure Stack HCI cluster.
Sign into the key vault using administrative privileges.
mocctl.exe security login --identity --loginpath (Get-MocConfig).mocLoginYAML --cloudFqdn (Get-MocConfig).cloudFqdnCreate a master key in the target key vault. Run the following command.
mocctl.exe security keyvault key create --location VirtualMachineLocation --group AzureStackHostAttestation --vault-name AzureStackTvmKeyVault --key-size 2048 --key-type RSA --name masterDownload the Privacy Enhanced Mail (PEM) file.
mocctl.exe security keyvault key download --name master --file-path C:\master.pem --vault-name AzureStackTvmKeyVault
2. On the source Azure Stack HCI cluster
Run the following commands from the source Azure Stack HCI cluster.
Copy the PEM file from the target cluster to the source cluster.
Run the following cmdlet to determine the ID of the VM.
(Get-VM -Name <vmName>).vmidSign into the key vault using administrative privileges.
mocctl.exe security login --identity --loginpath (Get-MocConfig).mocLoginYAML --cloudFqdn (Get-MocConfig).cloudFqdnExport the VM guest state protection key for the VM.
mocctl.exe security keyvault key export --vault-name AzureStackTvmKeyVault --name <vmID> --wrapping-pub-key-file C:\master.pem --out-file C:\<vmID>.json
3. On the target Azure Stack HCI cluster
Run the following commands from the target Azure Stack HCI cluster:
Copy the
vmIDandvmID.jsonfile from the source cluster to the target cluster.Import the VM guest state protection key for the VM.
mocctl.exe security keyvault key import --key-file-path C:\<vmID>.json --name <vmID> --vault-name AzureStackTvmKeyVault --wrapping-key-name master --key-type AES --key-size 256
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for