Azure Backup allows you to use your own encryption keys to secure backup data. This feature is available for Recovery Services Vaults and is enhanced for Backup Vaults. Customer Managed Keys (CMK) can be used to create a new backup vault or to adjust the encryption parameters of an existing vault.

The encryption key that you use to encrypt backups may differ from the one you use for the source. An AES 256-based data encryption key (DEK) helps to protect the data. Your key encryption keys (KEKs) also contribute to the DEK’s security. You have complete control over the data and keys.