Managed HSM soft-delete and purge protection

This article describes two recovery features of Managed HSM: soft-delete and purge protection. It provides an overview of these features and demonstrates how to manage them by using the Azure CLI and Azure PowerShell.

For more information, see Managed HSM overview.

Prerequisites

What are soft-delete and purge protection?

Soft-delete and purge protection are recovery features.

Soft-delete is designed to prevent accidental deletion of your HSM and keys. Soft-delete works like a recycle bin. When you delete an HSM or a key, it will remain recoverable for a configurable retention period or for a default period of 90 days. HSMs and keys in the soft-deleted state can also be purged, which means they're permanently deleted. Purging allows you to re-create HSMs and keys with the same name as the purged item. Both recovering and deleting HSMs and keys require specific role assignments. Soft-delete can't be disabled.

Note

Because the underlying resources remain allocated to your HSM even when it's in a deleted state, the HSM resource will continue to accrue hourly charges while it's in that state.

Managed HSM names are globally unique in every cloud environment. So you can't create a managed HSM with the same name as one that exists in a soft-deleted state. Similarly, the names of keys are unique within an HSM. You can't create a key with the same name as one that exists in the soft-deleted state.

For more information, see Managed HSM soft-delete overview.

Purge protection is designed to prevent the deletion of your HSMs and keys by a malicious insider. It's like a recycle bin with a time-based lock. You can recover items at any point during the configurable retention period. You won't be able to permanently delete or purge an HSM or a key until the retention period ends. When the retention period ends, the HSM or key will be purged automatically.

Note

No administrator role or permission can override, disable, or circumvent purge protection. If purge protection is enabled, it can't be disabled or overridden by anyone, including Microsoft. So you must recover a deleted HSM or wait for the retention period to end before you can reuse the HSM name.

Manage keys and managed HSMs

Managed HSMs (CLI)

  • To check the status of soft-delete and purge protection for a managed HSM:

    az keyvault show --subscription {SUBSCRIPTION ID} -g {RESOURCE GROUP} --hsm-name {HSM NAME}

  • To delete an HSM:

    az keyvault delete --subscription {SUBSCRIPTION ID} -g {RESOURCE GROUP} --hsm-name {HSM NAME}

    This action is recoverable because soft-delete is on by default.

  • To list all soft-deleted HSMs:

    az keyvault list-deleted --subscription {SUBSCRIPTION ID} --resource-type hsm

  • To recover a soft-deleted HSM:

    az keyvault recover --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --location {LOCATION}

  • To purge a soft-deleted HSM:

    az keyvault purge --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --location {LOCATION}

    Warning

    This operation will permanently delete your HSM.

  • To enable purge protection on an HSM:

    az keyvault update-hsm --subscription {SUBSCRIPTION ID} -g {RESOURCE GROUP} --hsm-name {HSM NAME} --enable-purge-protection true
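As an added example (not part of this article or the Azure CLI), the Python script below audits the JSON that the `az keyvault show --hsm-name` command above returns: it flags an HSM whose purge protection is off or whose retention period is below a hypothetical policy minimum, and builds the `az keyvault update-hsm` remediation command from the list above. It assumes the `properties.enableSoftDelete`, `properties.enablePurgeProtection` and `properties.softDeleteRetentionInDays` fields of the CLI output; the sample output is constructed.

```python
"""Audit `az keyvault show --hsm-name ...` output for recovery settings.

Added example, not from the Azure documentation. Assumes the CLI output
carries properties.enableSoftDelete, properties.enablePurgeProtection and
properties.softDeleteRetentionInDays; MIN_RETENTION_DAYS is a hypothetical
organisational policy, not an Azure setting.
"""
import json
import shlex
import subprocess

MIN_RETENTION_DAYS = 90  # hypothetical policy; matches the article's default period

# Constructed (abridged) sample of `az keyvault show --hsm-name` output.
SAMPLE_SHOW_OUTPUT = """{
  "name": "contoso-hsm",
  "location": "westus",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": false,
    "softDeleteRetentionInDays": 7,
    "provisioningState": "Succeeded"
  }
}"""


def audit_hsm(show_json: str, min_retention_days: int = MIN_RETENTION_DAYS) -> list:
    """Return a list of findings for one HSM; an empty list means compliant."""
    props = json.loads(show_json).get("properties", {})
    findings = []
    if not props.get("enableSoftDelete", False):
        # Soft-delete can't be disabled on Managed HSM, so this points at
        # unexpected or malformed output rather than a real configuration.
        findings.append("soft-delete reported as disabled (unexpected)")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection is not enabled")
    retention = props.get("softDeleteRetentionInDays")
    if retention is None or retention < min_retention_days:
        findings.append(f"retention is {retention} days, below policy minimum of {min_retention_days}")
    return findings


def remediation_command(subscription: str, resource_group: str, hsm_name: str) -> str:
    """Build the article's CLI command that turns purge protection on (irreversible)."""
    return ("az keyvault update-hsm --subscription " + shlex.quote(subscription)
            + " -g " + shlex.quote(resource_group) + " --hsm-name " + shlex.quote(hsm_name)
            + " --enable-purge-protection true")


def audit_live(subscription: str, resource_group: str, hsm_name: str) -> list:
    """Run the real `az keyvault show` and audit its output (needs `az login`)."""
    cmd = ["az", "keyvault", "show", "--subscription", subscription,
           "-g", resource_group, "--hsm-name", hsm_name, "-o", "json"]
    return audit_hsm(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    for finding in audit_hsm(SAMPLE_SHOW_OUTPUT):
        print("finding:", finding)
    print(remediation_command("{SUBSCRIPTION ID}", "{RESOURCE GROUP}", "contoso-hsm"))
```

Because purge protection cannot be turned off once enabled, treat the printed remediation command as a reviewed change rather than something the script runs on its own.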

Keys (CLI)

  • To delete a key:

    az keyvault key delete --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --name {KEY NAME}

  • To list deleted keys:

    az keyvault key list-deleted --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME}

  • To recover a deleted key:

    az keyvault key recover --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --name {KEY NAME}

  • To purge a soft-deleted key:

    az keyvault key purge --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --name {KEY NAME}

    Warning

    This operation will permanently delete your key.

Next steps