Azure Key Vault recovery management with soft delete and purge protection

This article covers two recovery features of Azure Key Vault, soft delete and purge protection. It gives an overview of both features and shows how to manage them through the Azure portal, Azure CLI, and Azure PowerShell.

For more information about Key Vault, see

Prerequisites

  • An Azure subscription - create one for free

  • Azure PowerShell module

  • Azure CLI

  • A Key Vault - you can create one using the Azure portal, Azure CLI, or Azure PowerShell

  • The user needs the following permissions (at subscription level) to perform operations on soft-deleted vaults:

    Permission                                               Description
    Microsoft.KeyVault/locations/deletedVaults/read          View the properties of a soft-deleted key vault
    Microsoft.KeyVault/locations/deletedVaults/purge/action  Purge a soft-deleted key vault
    Microsoft.KeyVault/locations/operationResults/read       Check the purging state of a vault
    Key Vault Contributor (role)                             Recover a soft-deleted vault

What are soft-delete and purge protection?

Soft delete and purge protection are two different key vault recovery features.

Important

Turning on soft delete is critical to ensuring that your key vaults and credentials are protected from accidental deletion. However, turning on soft delete is considered a breaking change, because it may require you to change your application logic or grant additional permissions to your service principals. Before turning on soft delete using the instructions below, make sure that your application is compatible with the change using this document here.

Soft delete is designed to prevent accidental deletion of your key vault and of the keys, secrets, and certificates stored inside it. Think of soft delete as a recycle bin. When you delete a key vault or a key vault object, it remains recoverable for a user-configurable retention period (90 days by default). Key vaults in the soft-deleted state can also be purged, which means they are permanently deleted; this allows you to recreate key vaults and key vault objects with the same name. Both recovering and purging key vaults and objects require elevated access policy permissions. Once soft delete has been enabled, it cannot be disabled.

It is important to note that key vault names are globally unique, so you won't be able to create a key vault with the same name as a key vault in the soft deleted state. Similarly, the names of keys, secrets, and certificates are unique within a key vault. You won't be able to create a secret, key, or certificate with the same name as another in the soft deleted state.

Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. Think of this as a recycle bin with a time-based lock. You can recover items at any point during the configurable retention period, but you cannot permanently delete (purge) a key vault or key vault object until the retention period elapses. Once the retention period elapses, the key vault or key vault object is purged automatically.

Note

Purge Protection is designed so that no administrator role or permission can override, disable, or circumvent purge protection. Once purge protection is enabled, it cannot be disabled or overridden by anyone including Microsoft. This means you must recover a deleted key vault or wait for the retention period to elapse before reusing the key vault name.

For more information about soft-delete, see Azure Key Vault soft-delete overview

Verify if soft delete is enabled on a key vault and enable soft delete

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Click on the "Properties" blade.
  4. Verify if the radio button next to soft-delete is set to "Enable Recovery".
  5. If soft-delete is not enabled on the key vault, click the radio button to enable soft delete and click "Save".

Screenshot: On Properties, Soft-delete is highlighted, as is the value to enable it.

Grant access to a service principal to purge and recover deleted secrets

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Click on the "Access Policy" blade.
  4. In the table, find the row of the security principal you wish to grant access to (or add a new security principal).
  5. Click the drop down for keys, certificates, and secrets.
  6. Scroll to the bottom of the drop-down and click "Recover" and "Purge".
  7. Note that security principals also need the Get and List permissions to perform most operations.

Screenshot: In the left navigation pane, Access policies is highlighted. On Access policies, the Secret permissions drop-down list is shown, and four items are selected: Get, List, Recover, and Purge.
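The two checks above (is soft delete and purge protection enabled, and which principals hold Recover and Purge) can also be run over the JSON that `az keyvault show --name <vault> -o json` returns. The following is an added example, not code from the article or from Azure; the vault JSON is a constructed, trimmed sample, and the field names follow the Key Vault resource schema (`enableSoftDelete`, `enablePurgeProtection`, `softDeleteRetentionInDays`, `accessPolicies`).

```python
import json

RECOVERY_PERMS = {"recover", "purge"}
OBJECT_TYPES = ("keys", "secrets", "certificates")

# Constructed sample shaped like trimmed `az keyvault show -o json` output.
SAMPLE_VAULT_JSON = """{
  "name": "contoso-vault-example",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["get", "list"],
                       "secrets": ["get", "list", "recover", "purge"],
                       "certificates": ["get", "list"]}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": []}}
    ]
  }
}"""

def parse_vault(text):
    return json.loads(text)

def audit_recovery_settings(vault):
    """Return findings about soft delete / purge protection; an empty list means both are on."""
    props = vault.get("properties", {})
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft delete disabled: a deleted vault or object cannot be recovered")
    elif props.get("softDeleteRetentionInDays", 90) < 90:
        findings.append("retention of %d days is below the 90-day maximum" % props["softDeleteRetentionInDays"])
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection disabled: purge permission can permanently delete within the retention period")
    return findings

def principals_with_recovery_perms(vault):
    """Map each access-policy objectId to the object types for which it holds recover/purge."""
    result = {}
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        perms = policy.get("permissions", {})
        held = {t: {p.lower() for p in perms.get(t, [])} & RECOVERY_PERMS for t in OBJECT_TYPES}
        held = {t: g for t, g in held.items() if g}  # keep only types with recover/purge granted
        if held:
            result[policy["objectId"]] = held
    return result

if __name__ == "__main__":
    v = parse_vault(SAMPLE_VAULT_JSON)
    for finding in audit_recovery_settings(v):
        print("FINDING:", finding)
    print(principals_with_recovery_perms(v))
```

Pipe real output in with `az keyvault show --name <vault> -o json | python3 this_script.py` after replacing the sample with `sys.stdin.read()`.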

List, recover, or purge a soft-deleted key vault

  1. Log in to the Azure portal.
  2. Click on the search bar at the top of the page.
  3. Under "Recent Services" click "Key Vault". Do not click an individual key vault.
  4. At the top of the screen click the option to "Manage deleted vaults"
  5. A context pane will open on the right side of your screen.
  6. Select your subscription.
  7. If your key vault has been soft deleted it will appear in the context pane on the right.
  8. If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
  9. Once you find the vault you wish to recover or purge, select the checkbox next to it.
  10. Select the recover option at the bottom of the context pane if you would like to recover the key vault.
  11. Select the purge option if you would like to permanently delete the key vault.

Screenshot: On Key vaults, the Manage deleted vaults option is highlighted.

Screenshot: On Manage deleted key vaults, the only listed key vault is highlighted and selected, and the Recover button is highlighted.

List, recover or purge soft deleted secrets, keys, and certificates

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Select the blade corresponding to the secret type you want to manage (keys, secrets, or certificates).
  4. At the top of the screen, click on "Manage deleted (keys, secrets, or certificates)".
  5. A context pane will appear on the right side of your screen.
  6. If your secret, key, or certificate does not appear in the list, it is not in the soft-deleted state.
  7. Select the secret, key, or certificate you would like to manage.
  8. Select the option to recover or purge at the bottom of the context pane.

Screenshot: On Keys, the Manage deleted keys option is highlighted.

Next steps