Azure Key Vault recovery management with soft delete and purge protection

This article covers two recovery features of Azure Key Vault: soft delete and purge protection. It gives an overview of both features and shows how to manage them through the Azure portal, Azure CLI, and Azure PowerShell.

For more information about Key Vault, see

Prerequisites

  • An Azure subscription - create one
  • PowerShell module
  • Azure CLI
  • A Key Vault - you can create one using the Azure portal, Azure CLI, or Azure PowerShell
  • The user needs the following permissions (at subscription level) to perform operations on soft-deleted vaults:
    - Microsoft.KeyVault/locations/deletedVaults/read: view the properties of a soft-deleted key vault
    - Microsoft.KeyVault/locations/deletedVaults/purge/action: purge a soft-deleted key vault

What are soft delete and purge protection

Soft delete and purge protection are two different key vault recovery features.

Important

Turning on soft delete is critical to ensuring that your key vaults and credentials are protected from accidental deletion. However, turning on soft delete is considered a breaking change, because it may require you to change your application logic or grant additional permissions to your service principals. Before turning on soft delete using the instructions below, make sure that your application is compatible with the change using this document here.

Soft delete is designed to prevent accidental deletion of your key vault and of the keys, secrets, and certificates stored inside it. Think of soft delete as a recycle bin. When you delete a key vault or a key vault object, it remains recoverable for a user-configurable retention period, or for 90 days by default. Key vaults in the soft-deleted state can also be purged, which means they are permanently deleted; this lets you recreate key vaults and key vault objects with the same name. Both recovering and deleting key vaults and objects require elevated access policy permissions. Once soft delete has been enabled, it cannot be disabled.

It is important to note that key vault names are globally unique, so you won't be able to create a key vault with the same name as one that is in the soft-deleted state. Similarly, the names of keys, secrets, and certificates are unique within a key vault: you won't be able to create a secret, key, or certificate with the same name as one that is in the soft-deleted state.

Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. Think of it as a recycle bin with a time-based lock. You can recover items at any point during the configurable retention period, but you will not be able to permanently delete or purge a key vault until the retention period elapses. Once the retention period elapses, the key vault or key vault object is purged automatically.

Note

Purge protection is designed so that no administrator role or permission can override, disable, or circumvent it. Once purge protection is enabled, it cannot be disabled or overridden by anyone, including Microsoft. This means you must recover a deleted key vault or wait for the retention period to elapse before reusing the key vault name.

For more information about soft delete, see Azure Key Vault soft-delete overview

Verify if soft delete is enabled on a key vault and enable soft delete

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Click on the "Properties" blade.
  4. Verify whether the radio button next to Soft delete is set to "Enable Recovery".
  5. If soft delete is not enabled on the key vault, click the radio button to enable it, then click "Save".

(Screenshot: on the Properties blade, Soft delete is highlighted; this is the setting used to enable it.)

Grant access to a service principal to purge and recover deleted secrets

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Click on the "Access Policy" blade.
  4. In the table, find the row of the security principal you wish to grant access to (or add a new security principal).
  5. Click the drop-down for keys, certificates, and secrets.
  6. Scroll to the bottom of the drop-down and click "Recover" and "Purge".
  7. Security principals will also need the "Get" and "List" permissions to perform most operations.

(Screenshot: Access policies is highlighted in the left navigation pane; the Secret permissions drop-down is shown with four items selected: Get, List, Recover, and Purge.)
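The two walkthroughs above (verifying and enabling soft delete, and granting a service principal recover and purge rights) as an Azure CLI script, added here as an example rather than taken from the article; it also switches on purge protection, which the article describes but the portal steps do not cover. It assumes `az login` has been run, that VAULT_NAME and SP_APP_ID are placeholders you supply, and that your CLI version still accepts the `--enable-soft-delete` flag.

```shell
#!/bin/sh
# Assumes `az login` is done; VAULT_NAME and SP_APP_ID are placeholders (added example, not the article's).
set -eu

# Succeed (0) when a boolean vault property such as enableSoftDelete is true.
# `az keyvault show` prints true/false, or nothing when the property was never set.
vault_flag_enabled() {
  val=$(az keyvault show --name "$1" --query "properties.$2" -o tsv 2>/dev/null || true)
  [ "$val" = "true" ]
}

# Enable soft delete only if it is off; it cannot be switched off again afterwards.
# (--enable-soft-delete is assumed to still be accepted by your CLI; newer vaults have it on by default.)
ensure_soft_delete() {
  if vault_flag_enabled "$1" enableSoftDelete; then
    echo "soft delete already enabled on $1"
  else
    az keyvault update --name "$1" --enable-soft-delete true -o none
    echo "enabled soft delete on $1"
  fi
}

# Purge protection is irreversible too (nobody, Microsoft included, can turn it off),
# so it is gated behind CONFIRM=yes to avoid switching it on by accident.
ensure_purge_protection() {
  if vault_flag_enabled "$1" enablePurgeProtection; then
    echo "purge protection already enabled on $1"
  elif [ "${CONFIRM:-no}" = "yes" ]; then
    az keyvault update --name "$1" --enable-purge-protection true -o none
    echo "enabled purge protection on $1"
  else
    echo "purge protection is OFF on $1; rerun with CONFIRM=yes to enable it (irreversible)" >&2
    return 2
  fi
}

# Grant a service principal the four secret permissions selected in the walkthrough
# (get, list, recover, purge); use --key-permissions / --certificate-permissions likewise.
grant_recovery_policy() {
  az keyvault set-policy --name "$1" --spn "$2" \
    --secret-permissions get list recover purge -o none
}

# Usage: VAULT_NAME=my-vault SP_APP_ID=<appId> CONFIRM=yes sh prepare-vault.sh
if [ -n "${VAULT_NAME:-}" ]; then
  ensure_soft_delete "$VAULT_NAME"
  ensure_purge_protection "$VAULT_NAME" || true
  if [ -n "${SP_APP_ID:-}" ]; then grant_recovery_policy "$VAULT_NAME" "$SP_APP_ID"; fi
fi
```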

List, recover, or purge a soft-deleted key vault

  1. Log in to the Azure portal.
  2. Click on the search bar at the top of the page.
  3. Under "Recent Services", click "Key Vault". Do not click an individual key vault.
  4. At the top of the screen, click the option "Manage deleted vaults".
  5. A context pane opens on the right side of your screen.
  6. Select your subscription.
  7. If your key vault has been soft-deleted, it appears in the context pane on the right.
  8. If there are too many vaults, you can either click "Load More" at the bottom of the context pane or use the CLI or PowerShell to get the results.
  9. Once you find the vault you wish to recover or purge, select the checkbox next to it.
  10. Select the "Recover" option at the bottom of the context pane if you would like to recover the key vault.
  11. Select the "Purge" option if you would like to permanently delete the key vault.

(Screenshot: on the Key vaults page, the "Manage deleted vaults" option is highlighted.)

(Screenshot: on the "Manage deleted key vaults" pane, the only listed key vault is highlighted and selected, and the "Recover" button is highlighted.)
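The deleted-vault walkthrough above as an Azure CLI script, added here as an example (not the article's own code); the purge helper also applies the purge-protection rule from the Note above and refuses an early purge that the service would reject. It assumes `az login` has been run, that vault names and locations are placeholders, and that scheduledPurgeDate comes back as an ISO-8601 UTC string in the same shape the script generates for the current time.

```shell
#!/bin/sh
# Assumes `az login` is done; vault names/locations are placeholders (added example, not the article's).
set -eu

# Print every soft-deleted vault in the current subscription, one per line:
# name, location, scheduledPurgeDate, purgeProtectionEnabled (tab-separated).
list_deleted_vaults() {
  az keyvault list-deleted --query \
    "[].[name, properties.location, properties.scheduledPurgeDate, properties.purgeProtectionEnabled]" -o tsv
}

# Pure decision rule, testable without a subscription: a purge-protected vault cannot be
# purged manually before scheduledPurgeDate (the service purges it itself afterwards).
# Both timestamps are ISO-8601 UTC strings of the same shape, so string order is time order.
# Prints "recover-only" or "recover-or-purge".
allowed_actions() {
  protected="$1"; scheduled="$2"; now="$3"
  if [ "$protected" = "true" ] && expr "$now" \< "$scheduled" >/dev/null; then
    echo "recover-only"
  else
    echo "recover-or-purge"
  fi
}

# Restore a soft-deleted vault (and its contents) under its original name.
recover_vault() {
  az keyvault recover --name "$1" -o none
}

# Permanently delete a soft-deleted vault. Checks the deleted vault's properties first
# and refuses when purge protection would make the service reject the call anyway.
purge_vault() {
  vault="$1"; location="$2"
  props=$(az keyvault show-deleted --name "$vault" --location "$location" \
    --query "[properties.purgeProtectionEnabled, properties.scheduledPurgeDate]" -o tsv)
  set -- $props                      # $1 = true/false, $2 = scheduledPurgeDate
  now=$(date -u +%Y-%m-%dT%H:%M:%S+00:00)
  if [ "$(allowed_actions "${1:-false}" "${2:-}" "$now")" = "recover-only" ]; then
    echo "$vault is purge-protected until ${2:-?}; recover it or wait for the automatic purge" >&2
    return 1
  fi
  az keyvault purge --name "$vault" --location "$location" -o none
}
```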

List, recover, or purge soft-deleted secrets, keys, and certificates

  1. Log in to the Azure portal.
  2. Select your key vault.
  3. Select the blade corresponding to the object type you want to manage (keys, secrets, or certificates).
  4. At the top of the screen, click "Manage deleted keys", "Manage deleted secrets", or "Manage deleted certificates", matching the blade you selected.
  5. A context pane appears on the right side of your screen.
  6. If your secret, key, or certificate does not appear in the list, it is not in the soft-deleted state.
  7. Select the secret, key, or certificate you would like to manage.
  8. Select the option to recover or purge at the bottom of the context pane.

(Screenshot: on the Keys blade, the "Manage deleted keys" option is highlighted.)
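The object-level walkthrough above for all three object types as an Azure CLI script, added here as an example rather than taken from the article; the name-blocked check goes one step beyond the walkthrough by covering the name-reuse rule stated earlier on the page. It assumes `az login` has been run, that vault and object names are placeholders, and that each deleted object's recoveryId URL ends in the object name.

```shell
#!/bin/sh
# Assumes `az login` is done; vault/object names are placeholders (added example, not the article's).
set -eu

# The three object kinds; they map directly onto `az keyvault secret|key|certificate`.
valid_kind() {
  case "$1" in secret|key|certificate) return 0 ;; *) return 1 ;; esac
}

# Deleted objects are identified by a recoveryId URL such as
# https://<vault>.vault.azure.net/deletedsecrets/<name>; the last path segment is the name.
name_from_recovery_id() {
  printf '%s\n' "${1##*/}"
}

# Print "name<TAB>scheduledPurgeDate" for every soft-deleted object of one kind in the vault.
list_deleted() {
  kind="$1"; vault="$2"
  valid_kind "$kind" || { echo "unknown kind: $kind (use secret, key or certificate)" >&2; return 1; }
  az keyvault "$kind" list-deleted --vault-name "$vault" \
    --query "[].[recoveryId, scheduledPurgeDate]" -o tsv |
  while IFS="$(printf '\t')" read -r rid purge_at; do
    printf '%s\t%s\n' "$(name_from_recovery_id "$rid")" "$purge_at"
  done
}

# A soft-deleted object still owns its name, so creating a new object with that name
# fails until the old one is recovered or purged. Returns 0 when the name is blocked.
name_blocked_by_deleted() {
  list_deleted "$1" "$2" | cut -f1 | grep -qx -- "$3"
}

# Bring a soft-deleted object back, with all its versions and attributes.
recover_object() {
  az keyvault "$1" recover --vault-name "$2" --name "$3" -o none
}

# Irreversibly delete a soft-deleted object. Only succeeds if the vault is not
# purge-protected; otherwise it is purged automatically on scheduledPurgeDate.
purge_object() {
  az keyvault "$1" purge --vault-name "$2" --name "$3" -o none
}
```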

Next steps