Save-ShieldedVMRecoveryKey
Extracts the encrypted BitLocker recovery key from a shielded virtual machine's operating system disk.
Syntax
VHDParameterSet (Default)
Save-ShieldedVMRecoveryKey
-VHDPath <String>
-Path <String>
[-Force]
[-WhatIf]
[-Confirm]
DiskNumberParameterSet
Save-ShieldedVMRecoveryKey
-DiskNumber <Int32>
-Path <String>
[-Force]
[-WhatIf]
[-Confirm]
Description
The Save-ShieldedVMRecoveryKey cmdlet extracts the encrypted BitLocker recovery key from a shielded virtual machine's operating system disk.
The key can be obtained from an offline VHDX or an online, mounted disk.
The encrypted recovery key can be passed to the Unprotect-ShieldedVMRecoveryKey cmdlet to decrypt the recovery key.
This cmdlet only works with Windows shielded VMs created with a shielding data file created on Windows Server, version 1709 or newer.
Examples
Example 1
PS C:\> Save-ShieldedVMRecoveryKey -VHDPath 'C:\temp\MyShieldedVM.vhdx' -Path 'C:\temp\MyShieldedVMEncryptedRecoveryKey.ebek'
Extracts the encrypted recovery key from the "MyShieldedVM.vhdx" file and saves it to the temp directory.
Example 2
PS C:\> Save-ShieldedVMRecoveryKey -DiskNumber 1 -Path 'C:\temp\MyShieldedVMEncryptedRecoveryKey.ebek'
Extracts the encrypted recovery key from the second disk (disk number 1) mounted on the system, and saves the recovery key to the temp directory.
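The following wrapper is an added example, not part of the original documentation. It runs the cmdlet for either parameter set, refuses to overwrite an existing key file, and returns the file's SHA-256 hash so the extraction can be recorded. The function name `Export-ShieldedVMRecoveryKeyChecked`, its `-OutFile` parameter and the sample paths are assumptions.

```powershell
function Export-ShieldedVMRecoveryKeyChecked {
    [CmdletBinding(DefaultParameterSetName = 'Vhd')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Vhd')]
        [string] $VHDPath,
        [Parameter(Mandatory, ParameterSetName = 'Disk')]
        [int] $DiskNumber,
        [Parameter(Mandatory)]
        [string] $OutFile
    )

    # Refuse to clobber an earlier extraction; the cmdlet's -Force switch is deliberately not exposed.
    if (Test-Path -LiteralPath $OutFile) {
        throw "Output file '$OutFile' already exists; choose a new path."
    }

    # Map the wrapper's parameter set onto VHDParameterSet or DiskNumberParameterSet.
    $saveArgs = @{ Path = $OutFile; ErrorAction = 'Stop' }
    if ($PSCmdlet.ParameterSetName -eq 'Vhd') {
        if (-not (Test-Path -LiteralPath $VHDPath -PathType Leaf)) {
            throw "VHDX file '$VHDPath' not found."
        }
        $saveArgs.VHDPath = $VHDPath
    }
    else {
        $saveArgs.DiskNumber = $DiskNumber
    }

    Save-ShieldedVMRecoveryKey @saveArgs

    # The cmdlet returns no output, so confirm the result by inspecting the file.
    $file = Get-Item -LiteralPath $OutFile -ErrorAction Stop
    if ($file.Length -eq 0) {
        throw "Encrypted recovery key file '$OutFile' is empty."
    }

    # Return path, size and SHA-256 so the extraction can be logged and re-verified later.
    [pscustomobject]@{
        Path   = $file.FullName
        Length = $file.Length
        SHA256 = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
    }
}

# Constructed sample call (paths are placeholders):
# Export-ShieldedVMRecoveryKeyChecked -VHDPath 'C:\temp\MyShieldedVM.vhdx' -OutFile 'C:\temp\MyShieldedVM.ebek'
```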
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False
Aliases: cf
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-DiskNumber
Identifier for the mounted disk containing the OS partition of a Windows shielded VM.
Parameter properties
Type: Int32
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
DiskNumberParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Force
Overwrites the encrypted recovery key file located at the specified path.
Parameter properties
Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-Path
Location to save the encrypted recovery key.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
(All)
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-VHDPath
Location of the VHDX file for a Windows shielded VM to be searched for an encrypted recovery key.
Parameter properties
Type: String
Default value: None
Supports wildcards: False
DontShow: False
Parameter sets
VHDParameterSet
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False
Aliases: wi
Parameter sets
(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False
Inputs
None
Outputs
None