When I try restarting the VM, I am getting Key Vault "xxxxxx" does not exist.

Ishmael Omolo 0 Reputation points
2025-10-25T16:55:45.65+00:00

I found my VM stopped; this is affecting everything for us right now. When I try restarting the VM, I am getting a failed error message that says "Key Vault "vault name" does not exist." Any response on how to fix the issue is highly appreciated.

Azure Virtual Machines

1 answer
  1. Azizkhon Ishankhonov 845 Reputation points
    2025-10-25T17:51:52.3966667+00:00

    This usually happens when:

    1. The Key Vault used for disk encryption (Azure Disk Encryption or Customer-Managed Keys for Managed Disks) was:
       • Deleted,
       • Moved to another subscription, or
       • Access revoked (permissions, managed identity, etc.).
    2. The VM depends on that vault to decrypt its OS or data disk — and without it, the VM cannot boot.

    Step-by-Step Fix

    Step 1 — Check whether the Key Vault really exists

    Run this in Azure Cloud Shell (or PowerShell locally with Az module):

    az keyvault show --name <vault-name> --resource-group <resource-group>
    

    If it returns details → the vault exists. If it says “not found” → the vault has been deleted or is in a different subscription/region.


    Step 2 — If the vault was deleted recently

    If the vault was soft-deleted, you can restore it:

    az keyvault recover --name <vault-name>
    

    Then verify:

    az keyvault show --name <vault-name>
    

    Step 3 — Check VM Disk Encryption Settings

    Find out if your VM is using Azure Disk Encryption (ADE):

    az vm show --name <vm-name> --resource-group <resource-group> --query "storageProfile.osDisk.encryptionSettings"
    

    If this shows encryption settings with a key URL pointing to the missing vault — that’s the cause.


    Step 4 — Restore access permissions

    If the Key Vault exists but the VM can’t access it:

    1. Go to Azure Portal → Key Vault → Access policies
    2. Ensure the VM’s Managed Identity or the Disk Encryption Set principal is listed.
       • Permissions required: Get, Wrap Key, Unwrap Key, Get Secret
    3. Save the changes.

    You can also grant access with CLI:

    az keyvault set-policy \
      --name <vault-name> \
      --object-id <vm-managed-identity-id> \
      --key-permissions get wrapKey unwrapKey \
      --secret-permissions get
    

    Step 5 — Try to Start the VM Again

    Once Key Vault and permissions are restored:

    az vm start --name <vm-name> --resource-group <resource-group>
    

    Step 6 — If the Key Vault cannot be recovered

    If the Key Vault is permanently deleted and encryption keys are lost:

    • Unfortunately, the encrypted disks cannot be decrypted — the data is unrecoverable without the original keys.
    • Your only option is to redeploy from a backup, snapshot, or image if available.

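The following script is an added example, not part of the answer above, that automates Steps 1 to 3: it reads the ADE settings from the VM, works out which vault they point at, and classifies that vault as present, soft-deleted (recoverable with az keyvault recover) or gone. It assumes the Azure CLI is logged in to the VM's subscription; the function names and the constructed sample values in the comments are mine.

```shell
#!/usr/bin/env sh
# Added example: find the Key Vault an ADE-encrypted VM depends on and check its state.
# Assumes 'az' is installed and logged in to the subscription that owns the VM.

# Vault name from an ADE secret/key URL, e.g. (constructed)
#   https://myvault.vault.azure.net/secrets/abc/123  ->  myvault
vault_name_from_url() {
    printf '%s\n' "$1" | sed -n 's#^https://\([^./]*\)\.vault\.azure\.net/.*#\1#p'
}

# Resource group from a vault resource ID, e.g. (constructed)
#   /subscriptions/<sub>/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/myvault
rg_from_resource_id() {
    printf '%s\n' "$1" | sed -n 's#^.*/resourceGroups/\([^/]*\)/providers/.*#\1#p'
}

# Verdict from the two lookups: $1 is the exit status of 'az keyvault show',
# $2 is the newline-separated output of 'az keyvault list-deleted', $3 the vault name.
classify_vault() {
    if [ "$1" = "0" ]; then
        echo present
    elif printf '%s\n' "$2" | grep -qx "$3"; then
        echo soft-deleted
    else
        echo gone
    fi
}

# Live check against Azure; usage: check_vm_vault <vm-name> <resource-group>
check_vm_vault() {
    q="storageProfile.osDisk.encryptionSettings.diskEncryptionKey"
    url=$(az vm show --name "$1" --resource-group "$2" --query "$q.secretUrl" -o tsv)
    if [ -z "$url" ]; then
        echo "no Azure Disk Encryption settings on the OS disk"; return 0
    fi
    vault_id=$(az vm show --name "$1" --resource-group "$2" --query "$q.sourceVault.id" -o tsv)
    name=$(vault_name_from_url "$url")
    rg=$(rg_from_resource_id "$vault_id")
    if az keyvault show --name "$name" --resource-group "$rg" >/dev/null 2>&1; then ok=0; else ok=1; fi
    deleted=$(az keyvault list-deleted --query "[].name" -o tsv)
    verdict=$(classify_vault "$ok" "$deleted" "$name")
    echo "vault $name (rg $rg): $verdict"
    if [ "$verdict" = "soft-deleted" ]; then
        echo "recover with: az keyvault recover --name $name"
    fi
}
```

If the verdict is "gone", the vault is not in the soft-deleted list for this subscription, so check other subscriptions before concluding the keys are lost (Step 6 of the answer).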
