
Azure Backup Passphrase lost

Viknaraj Manogararajah 0 Reputation points MVP
2026-06-04T00:07:17.5466667+00:00

One of our servers experienced OS corruption and could not be recovered. As a result, the on-premises server had to be reinstalled. Unfortunately, the Azure Backup encryption passphrase was stored only on that server, and it has now been lost.

Is there any way to retrieve the passphrase from Azure?

As I understand, the passphrase is not stored in Azure and is available only on the original on-premises server. All backup data remains available in Azure Backup Services, and we need to recover the files from those backups. Please advise if there are any available recovery options.

Azure Backup

An Azure backup service that provides built-in management at scale.


2 answers

  1. Suchitra Suregaunkar 14,435 Reputation points Microsoft External Staff Moderator
    2026-06-04T20:41:39.85+00:00

    Hello Viknaraj Manogararajah

    Could you please share the details below with us?

    1. Is the original disk from the corrupted server still accessible?
      Even though the OS was reinstalled, can the old disk be mounted or attached to another machine to recover files?
    2. Is the OnlineBackup.KEK file available? Can you check if the file exists in the MARS agent scratch folder (C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch) on the original or recovered disk?
    3. Was the passphrase saved anywhere else? For example, in a password manager, shared drive, documented in any internal IT records, or emailed to anyone during the initial MARS agent setup?
    4. Was the passphrase stored in Azure Key Vault? Did you configure the MARS agent to save the passphrase to Azure Key Vault at any point?
    5. Is Enhanced Security enabled on the Recovery Services Vault? This will determine the registration flow if the KEK file workaround is attempted.

    The Azure Backup encryption passphrase is not stored in Azure; it exists only on the on-premises server. Microsoft does not have any copy of the passphrase or the encryption key, so it cannot be retrieved from Azure.

    However, before considering the data unrecoverable, please check if the original disk from the corrupted server is still accessible (even if the OS was reinstalled).

    If so, please look for the OnlineBackup.KEK file in the MARS agent scratch folder, typically located at C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch.

    Additionally, check if the DPAPI encryption key folders are intact under %USERPROFILE%\AppData\Roaming\Microsoft\Crypto and Protect or under C:\Windows\System32\Microsoft.

    If the OnlineBackup.KEK file is recoverable, there is a possible workaround:

    1. Set up a new machine with the same FQDN as the original server.
    2. Install the MARS agent and place the recovered OnlineBackup.KEK file in the scratch folder.
    3. Register the server to the vault.
    4. Once a new passphrase is set, you can perform a restore from the existing backup data.

    If the OnlineBackup.KEK file is not recoverable and the passphrase is also lost, unfortunately there is no way to decrypt or restore the backup data, as it is encrypted with AES-256 encryption.

    To avoid this situation going forward, we strongly recommend saving the MARS agent passphrase securely in Azure Key Vault.

    You can refer to this documentation for setup: Save and manage MARS agent passphrase securely in Azure Key Vault.

    Thanks,

    Suchitra.


    1 person found this answer helpful.

  2. Marcin Policht 92,045 Reputation points MVP Volunteer Moderator
    2026-06-04T00:42:47.1833333+00:00

    Nope - for Azure Backup using the Microsoft Azure Recovery Services (MARS) agent, the encryption passphrase is never uploaded to Azure and Microsoft cannot retrieve or reset it. The passphrase is generated and stored only locally unless you explicitly backed it up elsewhere. The backup data in the Recovery Services vault is encrypted with a key derived from that passphrase. Without the original passphrase, the recovery points in Azure are effectively unrecoverable.

    Your recovery options are limited to finding an existing copy of the passphrase or recovering it from remnants of the original system. Typical places to check include exported .txt passphrase files, password managers, documentation systems, administrator notes, backup software repositories, secure shares, USB exports, or printed records. If the failed server disks still exist, you may also attempt forensic recovery from the old OS volume or from system state backups.

    If the original server is partially recoverable, you can also look for the MARS agent configuration and credential remnants. You might want to check:

    C:\Program Files\Microsoft Azure Recovery Services Agent\
    C:\Program Files\Microsoft Azure Backup Server\
    C:\Windows\System32\Config\
    

    However, the actual passphrase is not stored in plaintext by Azure Backup, and there is no supported method to extract or decrypt it from Azure itself. So unfortunately, if no copy of the passphrase exists, the data stored in the Azure Recovery Services vault cannot be restored.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


    1 person found this answer helpful.
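A triage and re-registration script that combines the checks in both answers above: the OnlineBackup.KEK and DPAPI folders from the first answer, and the passphrase-export hunt and agent folders from the second. This is an added example, not code from either answer or from Microsoft. It assumes the failed server's old system volume is attached to a working Windows host as E:, an evidence folder C:\mars-recovery, the failed server's FQDN srv01.contoso.local, a downloaded vault credentials file and a Key Vault URI; all of these are placeholders. The -KeyVaultUri parameter of Set-OBMachineSetting is taken from the Microsoft Key Vault passphrase guide the first answer links to; confirm it on your installed MSOnlineBackup module before relying on it.

```powershell
# Added recovery-triage example; not code from the thread above or from Microsoft.
# Assumptions (placeholders): the failed server's old system volume is attached to a
# working Windows host as E:, evidence goes to C:\mars-recovery, the failed server's
# FQDN was srv01.contoso.local, and the vault credentials file and Key Vault URI exist.
# Run in an elevated PowerShell session.
param(
    [string]$OldVolume     = 'E:',
    [string]$OldHostName   = 'srv01.contoso.local',
    [string]$Evidence      = 'C:\mars-recovery',
    [string]$VaultCredFile = 'C:\mars-recovery\vault.VaultCredentials',
    [string]$KeyVaultUri   = 'https://kv-mars-passphrases.vault.azure.net/',
    [switch]$Stage          # second phase: copy the KEK into the live agent and register
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$found = New-Object System.Collections.Generic.List[object]

# --- 1. Artifacts both answers point at, re-rooted onto the old volume ---
$agentDir = Join-Path $OldVolume 'Program Files\Microsoft Azure Recovery Services Agent'
$kekFile  = Join-Path $agentDir 'Scratch\OnlineBackup.KEK'
if (Test-Path -LiteralPath $kekFile) {
    $found.Add([pscustomobject]@{ Kind = 'KEK'; Path = $kekFile })
} else {
    Write-Warning "OnlineBackup.KEK not found at $kekFile"
}
# DPAPI master-key folders (system and per-user); the first answer says the KEK is only
# usable if these are intact, so they are preserved alongside it.
$dpapiPatterns = @(
    (Join-Path $OldVolume 'Windows\System32\Microsoft\Protect'),
    (Join-Path $OldVolume 'Users\*\AppData\Roaming\Microsoft\Protect')
)
Get-ChildItem -Path $dpapiPatterns -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'S-1-5-*' } |
    ForEach-Object { $found.Add([pscustomobject]@{ Kind = 'DPAPI'; Path = $_.FullName }) }

# --- 2. Heuristic hunt for a saved passphrase export (.txt) on the old volume ---
# The export file has whatever name the operator chose, so match likely names and
# any small text file that mentions a passphrase; review hits by hand.
$txtRoots = @('Users', 'ProgramData', 'Program Files\Microsoft Azure Recovery Services Agent') |
    ForEach-Object { Join-Path $OldVolume $_ }
Get-ChildItem -Path $txtRoots -Recurse -File -Force -Include *.txt -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 64KB } |
    Where-Object {
        $_.Name -match 'passphrase|backup|azure' -or
        (Select-String -LiteralPath $_.FullName -Pattern 'passphrase' -Quiet -ErrorAction SilentlyContinue)
    } |
    ForEach-Object { $found.Add([pscustomobject]@{ Kind = 'PassphraseCandidate'; Path = $_.FullName }) }

# --- 3. Preserve copies with SHA-256 hashes; later steps work from evidence, not the old disk ---
$manifest = foreach ($item in $found) {
    if ($item.Kind -eq 'DPAPI') {
        $dest = Join-Path $Evidence ('dpapi-' + (Split-Path $item.Path -Leaf))
        Copy-Item -LiteralPath $item.Path -Destination $dest -Recurse -Force
        [pscustomobject]@{ Kind = $item.Kind; Source = $item.Path; Copy = $dest; Sha256 = '(directory)' }
    } else {
        $dest = Join-Path $Evidence (Split-Path $item.Path -Leaf)
        Copy-Item -LiteralPath $item.Path -Destination $dest -Force
        [pscustomobject]@{ Kind = $item.Kind; Source = $item.Path; Copy = $dest
                           Sha256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash }
    }
}
$manifest | Export-Csv -LiteralPath (Join-Path $Evidence 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

# --- 4. Only with a recovered KEK, on a rebuilt host carrying the original FQDN ---
if (-not ($found | Where-Object Kind -eq 'KEK')) {
    Write-Warning 'No KEK recovered. Without it or the passphrase the vault data cannot be decrypted.'
    return
}
if (-not $Stage) { Write-Host 'Re-run with -Stage on the rebuilt server to stage the KEK and register.'; return }
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fqdn -ne $OldHostName) { throw "This host is '$fqdn'; the workaround needs the original name '$OldHostName'." }
$scratch = 'C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch'
if (-not (Test-Path -LiteralPath $scratch)) { throw 'MARS agent scratch folder missing; install the agent first.' }
Copy-Item -LiteralPath (Join-Path $Evidence 'OnlineBackup.KEK') -Destination $scratch -Force
Import-Module MSOnlineBackup
Start-OBRegistration -VaultCredentials $VaultCredFile -Confirm:$false
# Set the new passphrase and have the agent keep it in Key Vault this time. -KeyVaultUri is
# taken from the Microsoft guide linked in the first answer (assumption: present in your agent version).
$newPassphrase = Read-Host -AsSecureString 'New passphrase (16+ characters)'
Set-OBMachineSetting -EncryptionPassphrase $newPassphrase -KeyVaultUri $KeyVaultUri
```

The -Stage switch keeps the read-only triage of the attached disk separate from the part that touches the live agent (overwriting the scratch folder and registering), so the name check and the evidence manifest are in hand before anything irreversible happens. Candidate passphrase files are only listed, never parsed; the agent's export format is not fixed, so a person has to read them.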
