Soft-delete will be enabled on all key vaults

Warning

Breaking Change: The ability to opt out of soft-delete will be deprecated by the end of the year and soft-delete protection will automatically be turned on for all key vaults. Azure Key Vault users and administrators should enable soft-delete on their key vaults immediately.

When a secret is deleted from a key vault without soft-delete protection, the secret is permanently deleted. Users can currently opt out of soft-delete during key vault creation, but to protect your secrets from accidental or malicious deletion by a user, Microsoft will soon enable soft-delete protection on all key vaults, and users will no longer have the option to opt out or turn soft-delete off.

For full details on the soft-delete functionality, see Azure Key Vault soft-delete overview.

How do I respond to breaking changes

A key vault object cannot be created with the same name as a key vault object in the soft-deleted state. For example, if you delete a key named test key in key vault A, you will not be able to create a new key named test key in key vault A until the soft-deleted test key object is purged.

Application changes

If your application assumes that soft-delete is not enabled and expects deleted secret or key vault names to be available for immediate reuse, your application logic will need to make the following changes to adopt this change.

  1. Delete the original key vault or secret.
  2. Purge the key vault or secret in the soft-deleted state.
  3. Wait: immediate re-creation may result in a conflict.
  4. Re-create the key vault with the same name.
  5. Implement a retry if the create operation still results in a name conflict error; in the worst case, it may take up to 10 minutes for DNS records to update.
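The delete, purge, wait, re-create and retry sequence above, as an added example that is not from the article or from the Azure SDK: the vault is a constructed in-memory simulation of soft-delete name reservation, and the post-purge delay mimics the DNS update lag the steps mention.

```python
import time


class NameConflictError(Exception):
    """Raised when a name is still reserved by a soft-deleted object."""


class SimulatedVault:
    """Constructed stand-in for a key vault with soft-delete on (not the Azure SDK).

    A deleted object keeps its name reserved until it is purged; after the purge
    the name stays unavailable for `propagation_delay` more create attempts to
    mimic the DNS update lag the article warns about.
    """

    def __init__(self, propagation_delay=2):
        self.live, self.soft_deleted, self.propagating = set(), set(), {}
        self.propagation_delay = propagation_delay

    def create(self, name):
        if name in self.live or name in self.soft_deleted:
            raise NameConflictError(f"{name!r} exists or is soft-deleted")
        if self.propagating.get(name, 0) > 0:
            self.propagating[name] -= 1
            raise NameConflictError(f"{name!r} is not available yet")
        self.live.add(name)

    def delete(self, name):
        self.live.remove(name)
        self.soft_deleted.add(name)  # step 1: the name is now reserved

    def purge(self, name):
        self.soft_deleted.remove(name)  # step 2: release the name
        self.propagating[name] = self.propagation_delay


def recreate_with_same_name(vault, name, max_attempts=5, base_wait=0.0):
    """Steps 1-5: delete, purge, wait, re-create, retry on a name conflict.
    Returns the number of create attempts needed; base_wait (seconds) is the
    pause before the first attempt and grows linearly with each retry."""
    vault.delete(name)
    vault.purge(name)
    for attempt in range(1, max_attempts + 1):
        time.sleep(base_wait * attempt)  # step 3: wait before (re)trying
        try:
            vault.create(name)  # step 4: re-create with the same name
            return attempt
        except NameConflictError:
            continue  # step 5: retry on a name conflict
    raise NameConflictError(f"{name!r} still conflicts after {max_attempts} attempts")
```

Against a real vault, use a base_wait of tens of seconds rather than 0 and a max_attempts that covers the 10-minute worst case.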

Administration changes

Security principals that need access to permanently delete secrets must be granted additional access policy permissions to purge these secrets and the key vault.

If you have an Azure Policy on your key vaults that mandates that soft-delete is turned off, this policy will need to be disabled. You may need to escalate this issue to an administrator who controls the Azure Policies applied to your environment. If this policy is not disabled, you may lose the ability to create new key vaults in the scope of the applied policy.

If your organization is subject to legal compliance requirements and cannot allow deleted key vaults and secrets to remain in a recoverable state for an extended period of time, you will have to adjust the soft-delete retention period, which is configurable between 7 and 90 days, to meet your organization's standards.

Procedures

Audit your key vaults to check if soft-delete is enabled

  1. Log in to the Azure portal.
  2. Search for "Azure Policy".
  3. Select "Definitions".
  4. Under Category, select "Key Vault" in the filter.
  5. Select the "Key Vault Objects Should Be Recoverable" policy.
  6. Click "Assign".
  7. Set the scope to your subscription.
  8. Select "Review + Create".
  9. It can take up to 24 hours for a full scan of your environment to complete.
  10. In the Azure Policy blade, click "Compliance".
  11. Select the policy you applied.

You should now be able to filter and see which of your key vaults have soft-delete enabled (compliant resources) and which do not (non-compliant resources).
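A scripted counterpart to the portal audit above, added here and not part of the article or of any Microsoft tool: it reads a constructed listing shaped like `az keyvault list` output (property names assumed to match the vault resource schema) and reports vaults without soft-delete or with a retention period outside the 7 to 90 day range.

```python
import json

# Constructed sample shaped like `az keyvault list` output; these are not real vaults.
SAMPLE_LISTING = json.dumps([
    {"name": "vault-a", "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90}},
    {"name": "vault-b", "properties": {"enableSoftDelete": False}},
    {"name": "vault-c", "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 3}},
    {"name": "vault-d", "properties": {}},
])


def audit_soft_delete(listing_json, min_days=7, max_days=90):
    """Return (vault name, finding) pairs for vaults that are not compliant.

    A vault is non-compliant when enableSoftDelete is not true (an absent
    property is treated as off rather than assumed safe) or when its
    retention period falls outside the configurable min_days-max_days window.
    """
    findings = []
    for vault in json.loads(listing_json):
        props = vault.get("properties", {})
        name = vault["name"]
        if props.get("enableSoftDelete") is not True:
            findings.append((name, "soft-delete is not enabled"))
            continue
        days = props.get("softDeleteRetentionInDays")
        if days is None or not min_days <= days <= max_days:
            findings.append((name, f"retention {days} days is outside {min_days}-{max_days}"))
    return findings


def non_compliant_names(listing_json):
    """Just the vault names, for feeding into a remediation script or ticket."""
    return [name for name, _ in audit_soft_delete(listing_json)]
```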

Turn on soft-delete for an existing key vault

  1. Log in to the Azure portal.
  2. Search for your key vault.
  3. Select "Properties" under Settings.
  4. Under Soft-Delete, select the radio button corresponding to "Enable recovery of this vault and its objects".
  5. Set the retention period for soft-delete.
  6. Select "Save".

Grant purge access policy permissions to a security principal

  1. Log in to the Azure portal.
  2. Search for your key vault.
  3. Select "Access Policies" under Settings.
  4. Select the service principal you would like to grant access to.
  5. For each dropdown under key, secret, and certificate permissions, scroll down to "Privileged Operations" and select the "Purge" permission.

Frequently asked questions

Does this change affect me?

If you already have soft-delete turned on, or if you do not delete and re-create key vault objects with the same name, you will likely not notice any change in the behavior of key vault.

If you have an application that frequently deletes and re-creates key vault objects with the same naming conventions, you will have to make changes in your application logic to maintain the expected behavior. See the "How do I respond to breaking changes" section above.

How do I benefit from this change?

Soft-delete protection will provide your organization with an additional layer of protection against accidental or malicious deletion. As a key vault administrator, you can restrict access to both the recover and the purge permissions.

If a user accidentally deletes a key vault or secret, you can grant them access permissions to recover the secret themselves without creating a risk that they permanently delete the secret or key vault. This self-serve process will minimize downtime in your environment and guarantee the availability of your secrets.

How do I find out if I need to take action?

Follow the steps above in the section titled "Audit your key vaults to check if soft-delete is enabled". Any key vault that does not have soft-delete turned on will be affected by this change. Additional tools to help audit will be available soon, and this document will be updated.

What action do I need to take?

Make sure that you do not have to make changes to your application logic. Once you have confirmed that, turn on soft-delete on all your key vaults. This will make sure that you are not affected by a breaking change when soft-delete is turned on for all key vaults at the end of the year.

By when do I need to take action?

Soft-delete will be turned on for all key vaults by the end of the year. To make sure that your applications are not affected, turn on soft-delete on your key vaults as soon as possible.

What will happen if I don't take any action?

If you do not take any action, soft-delete will automatically be turned on for all of your key vaults at the end of the year. This may result in conflict errors if you attempt to delete a key vault object and re-create it with the same name without first purging it from the soft-deleted state. This may cause your applications or automation to fail.

Next steps