Azure Key Vault recovery management with soft delete and purge protection

This article covers two recovery features of Azure Key Vault, soft delete and purge protection. This document provides an overview of these features, and shows you how to manage them through the Azure portal, Azure CLI, and Azure PowerShell.

Important

If a key vault does not have soft-delete protection enabled, deleting a key deletes it permanently. Customers are strongly encouraged to turn on soft delete enforcement for their vaults via Azure Policy.

For more information about Key Vault, see

Prerequisites

  • An Azure subscription - Create a trial subscription

  • Azure PowerShell.

  • Azure CLI

  • A Key Vault - you can create one using Azure portal Azure CLI, or Azure PowerShell

  • The user needs the following permissions (at subscription level) to perform operations on soft-deleted vaults:

    Permission Description
    Microsoft.KeyVault/locations/deletedVaults/read View the properties of a soft deleted key vault
    Microsoft.KeyVault/locations/deletedVaults/purge/action Purge a soft deleted key vault
    Microsoft.KeyVault/locations/operationResults/read To check purging state of vault
    Key Vault Contributor To recover soft-deleted vault

What are soft-delete and purge protection

Soft delete and purge protection are two different key vault recovery features.

Soft delete is designed to prevent accidental deletion of your key vault and keys, secrets, and certificates stored inside key vault. Think of soft-delete like a recycle bin. When you delete a key vault or a key vault object, it remains recoverable for a user configurable retention period or a default of 90 days. Key vaults in the soft deleted state can also be purged (permanently deleted), allowing you to recreate key vaults and key vault objects with the same name. Both recovering and deleting key vaults and objects require elevated access policy permissions. Once soft delete has been enabled, it cannot be disabled.

It is important to note that key vault names are globally unique, so you aren't able to create a key vault with the same name as a key vault in the soft deleted state. Similarly, the names of keys, secrets, and certificates are unique within a key vault. You aren't able to create a secret, key, or certificate with the same name as another in the soft deleted state.

Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. Think of it as a recycle bin with a time based lock. You can recover items at any point during the configurable retention period. You will not be able to permanently delete or purge a key vault until the retention period elapses. Once the retention period elapses the key vault or key vault object is purged automatically.

Note

Purge Protection is designed so that no administrator role or permission can override, disable, or circumvent purge protection. When purge protection is enabled, it cannot be disabled or overridden by anyone including Microsoft. This means you must recover a deleted key vault or wait for the retention period to elapse before reusing the key vault name.

For more information about soft-delete, see Azure Key Vault soft-delete overview

Verify if soft delete is enabled on a key vault and enable soft delete

  1. Sign in to the Azure portal.
  2. Select your key vault.
  3. Select the "Properties" blade.
  4. Verify if the radio button next to soft-delete is set to "Enable Recovery".
  5. If soft-delete is not enabled on the key vault, select the radio button to enable soft delete and select "Save".

On Properties, Soft-delete is highlighted, as is the value to enable it.

Grant access to a service principal to purge and recover deleted secrets

  1. Sign in to the Azure portal.
  2. Select your key vault.
  3. Select the "Access Policy" blade.
  4. In the table, find the row of the security principal you wish to grant access to (or add a new security principal).
  5. Select the drop-down for keys, certificates, and secrets.
  6. Scroll to the bottom of the drop-down and select "Recover" and "Purge"
  7. Security principals also need "get" and "list" functionality to perform most operations.

In the left navigation pane, Access policies is highlighted. On Access policies, the Secret Positions drop-down list is shown, and four items are selected: Get, List, Recover, and Purge.

List, recover, or purge a soft-deleted key vault

  1. Sign in to the Azure portal.
  2. Select the search bar at the top of the page.
  3. Search for the "Key Vault" service. Do not select an individual key vault.
  4. At the top of the screen, select the option to "Manage deleted vaults"
  5. A context pane opens on the right side of your screen.
  6. Select your subscription.
  7. If your key vault has been soft deleted, it appears in the context pane on the right.
  8. If there are too many vaults, you can either select "Load More" at the bottom of the context pane or use CLI or PowerShell to get the results.
  9. Once you find the vault you wish to recover or purge, select the checkbox next to it.
  10. Select the recover option at the bottom of the context pane if you would like to recover the key vault.
  11. Select the purge option if you would like to permanently delete the key vault.

On Key vaults, the Manage deleted vaults option is highlighted.

On Manage deleted key vaults, the only listed key vault is highlighted and selected, and the Recover button is highlighted.

List, recover or purge soft deleted secrets, keys, and certificates

  1. Sign in to the Azure portal.
  2. Select your key vault.
  3. Select the blade corresponding to the secret type you want to manage (keys, secrets, or certificates).
  4. At the top of the screen, select "Manage deleted (keys, secrets, or certificates)
  5. A context pane appears on the right side of your screen.
  6. If your secret, key, or certificate does not appear in the list, it is not in the soft-deleted state.
  7. Select the secret, key, or certificate you would like to manage.
  8. Select the option to recover or purge at the bottom of the context pane.

On Keys, the Manage deleted keys option is highlighted.

Next steps