Soft-delete will be enabled on all key vaults

Warning

Breaking change: the ability to opt out of soft-delete will be deprecated soon. Azure Key Vault users and administrators should enable soft-delete on their key vaults immediately.

When a secret is deleted from a key vault without soft-delete protection, the secret is permanently deleted. Users can currently opt out of soft-delete during key vault creation. However, Microsoft will soon enable soft-delete protection on all key vaults to protect secrets from accidental or malicious deletion by a user. Users will no longer be able to opt out of or turn off soft-delete.

[Diagram: how a key vault is deleted with and without soft-delete protection]

For full details on the soft-delete functionality, see Azure Key Vault soft-delete overview.

Can my application work with soft-delete enabled?

Important

Review the following information carefully before turning on soft-delete for your key vaults.

Key vault names are globally unique. The names of the keys, secrets and certificates stored in a key vault are also unique within that vault. You can't reuse the name of a key vault, or of a key vault object, while it exists in the soft-deleted state.

For example, if your application programmatically creates a key vault named "Vault A" and later deletes "Vault A", the key vault is moved to the soft-deleted state. Your application can't create another key vault named "Vault A" until the soft-deleted vault has been purged.

Likewise, if your application creates a key named "test key" in "Vault A" and later deletes that key, your application can't create a new key named "test key" in "Vault A" until the soft-deleted "test key" object has been purged.

Deleting a key vault object and re-creating it with the same name, without first purging it from the soft-deleted state, fails with a conflict error (HTTP 409 from the service). These errors can cause your applications or automation to fail. Consult your dev team before you make the application and administration changes described below.

Application changes

If your application assumes that soft-delete isn't enabled and expects deleted secret or key vault names to be available for immediate reuse, you'll need to change your application logic as follows.

  1. Delete the original key vault or secret.
  2. Purge the key vault or secret from the soft-deleted state.
  3. Wait for the purge to complete. Re-creating the object immediately can still produce a conflict.
  4. Re-create the key vault or secret with the same name.
  5. If the create operation still fails with a name conflict, retry it. In the worst case, the Azure DNS records for a key vault can take up to 10 minutes to update.
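The delete, purge, wait, re-create sequence above, written as an Azure CLI script. This is an added example, not code from the Azure documentation or the Key Vault team. It assumes the `az` CLI is installed and signed in, and that the vault name, resource group, location, secret name and value given on the command line are placeholders. The `retry` and `wait_until_gone` helpers are this example's own; the `az keyvault` subcommands they wrap are the real CLI commands.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs). Re-create a key vault, or a secret
# inside a vault, under a name that is still reserved by soft-delete.
# Assumes: `az` is installed and `az login` has been run; all names are placeholders.
set -eu

# retry ATTEMPTS DELAY CMD...: run CMD until it succeeds, sleeping DELAY seconds
# between attempts and doubling the delay each time. Returns 1 if every attempt fails.
retry() {
  local attempts=$1 delay=$2 n=1
  shift 2
  while ! "$@"; do
    [ "$n" -lt "$attempts" ] || return 1
    sleep "$delay"
    delay=$((delay * 2)); n=$((n + 1))
  done
}

# wait_until_gone ATTEMPTS DELAY PROBE...: poll PROBE until it fails, i.e. until the
# object it looks for no longer exists. Returns 1 if it is still there after ATTEMPTS polls.
wait_until_gone() {
  local attempts=$1 delay=$2 n=1
  shift 2
  while "$@"; do
    [ "$n" -lt "$attempts" ] || return 1
    sleep "$delay"
    n=$((n + 1))
  done
}

# Probe: true while NAME still appears in the subscription's soft-deleted vault list.
vault_soft_deleted() {
  [ -n "$(az keyvault list-deleted --query "[?name=='$1'].name" -o tsv)" ]
}

# recreate_vault NAME RESOURCE_GROUP LOCATION
recreate_vault() {
  local name=$1 rg=$2 loc=$3
  az keyvault delete --name "$name" --resource-group "$rg"       # step 1: soft-delete
  retry 6 5 az keyvault purge --name "$name" --location "$loc"  # step 2: purge
  wait_until_gone 30 10 vault_soft_deleted "$name"              # step 3: wait (up to 5 min)
  # steps 4 and 5: create, retrying on the name conflict (HTTP 409) with backoff;
  # 7 attempts starting at 10 s covers the 10-minute worst case for DNS.
  retry 7 10 az keyvault create --name "$name" --resource-group "$rg" --location "$loc"
}

# Probe: true while the secret is still in the vault's soft-deleted list.
secret_soft_deleted() {
  az keyvault secret show-deleted --vault-name "$1" --name "$2" >/dev/null 2>&1
}

# recreate_secret VAULT NAME VALUE
# (VALUE on the command line is visible to other local processes; in real use
# read it from a file with `az keyvault secret set --file` instead.)
recreate_secret() {
  local vault=$1 name=$2 value=$3
  az keyvault secret delete --vault-name "$vault" --name "$name" >/dev/null
  # Delete is asynchronous on the data plane: purge fails until the object shows as deleted.
  retry 6 2 az keyvault secret purge --vault-name "$vault" --name "$name"
  wait_until_gone 30 2 secret_soft_deleted "$vault" "$name"
  retry 6 2 az keyvault secret set --vault-name "$vault" --name "$name" --value "$value" >/dev/null
}

usage() { echo "usage: $0 vault NAME RESOURCE_GROUP LOCATION | secret VAULT NAME VALUE" >&2; exit 2; }
main() {
  case "${1:-}" in
    vault)  [ $# -eq 4 ] || usage; recreate_vault "$2" "$3" "$4" ;;
    secret) [ $# -eq 4 ] || usage; recreate_secret "$2" "$3" "$4" ;;
    *)      usage ;;
  esac
}
[ $# -eq 0 ] || main "$@"   # no arguments: only define the functions (so the file can be sourced)
```

Run it as `bash recreate.sh vault kv-contoso rg-app westeurope` or `bash recreate.sh secret kv-contoso db-password 'new value'`. The purge and create calls are wrapped in `retry` rather than called once because both the purge and the DNS update are eventually consistent; treating a 409 as fatal is exactly the automation failure the text warns about.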

Administration changes

Security principals that need to permanently delete secrets must be granted an additional access policy permission, Purge, before they can purge those secrets or the key vault itself.

Disable any Azure policy on your key vaults that mandates that soft-delete is turned off. You might need to escalate this to the administrator who controls the Azure policies applied to your environment. If such a policy isn't disabled, you might lose the ability to create new key vaults within the scope of the applied policy.

If your organization is subject to legal compliance requirements and can't allow deleted key vaults and secrets to remain recoverable for an extended period, adjust the soft-delete retention period to meet your organization's standards. The retention period can be configured to last from 7 to 90 days.

Procedures

Audit your key vaults to check if soft-delete is enabled

  1. Sign in to the Azure portal.
  2. Search for Azure Policy.
  3. Select Definitions.
  4. Under Category, select Key Vault in the filter.
  5. Select the Key Vault should have soft-delete enabled policy.
  6. Select Assign.
  7. Set the scope to your subscription.
  8. Make sure the effect of the policy is set to Audit.
  9. Select Review + Create. A full scan of your environment might take up to 24 hours to complete.
  10. In the Azure Policy pane, select Compliance.
  11. Select the policy you assigned.

You can now filter and see which key vaults have soft-delete enabled (compliant resources) and which don't (non-compliant resources).

Turn on soft-delete for an existing key vault

  1. Sign in to the Azure portal.
  2. Search for your key vault.
  3. Select Properties under Settings.
  4. Under Soft-Delete, select the Enable recovery of this vault and its objects option.
  5. Set the retention period for soft-delete.
  6. Select Save.
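The two portal procedures above (auditing which vaults lack soft-delete, then turning it on with a retention period) as one Azure CLI script that doesn't wait for the 24-hour policy scan. This is an added example, not code from the Azure documentation. It assumes `az` is installed and signed in to the subscription you want to audit; the sample rows in the comments are constructed, and `--enable-soft-delete` is the flag from the opt-out era that later CLI versions deprecate because soft-delete can no longer be turned off.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs). Audit every key vault in the current
# subscription for soft-delete and, with "fix DAYS", enable it on the ones that
# lack it. Assumes `az` is installed and signed in.
set -eu

# vault_rows: one TSV row per vault: name, resource group, enableSoftDelete,
# softDeleteRetentionInDays. A constructed row looks like:
#   kv-legacy<TAB>rg-app<TAB>None<TAB>None      (property absent: never enabled)
#   kv-prod<TAB>rg-app<TAB>True<TAB>90
# `-o tsv` renders JSON booleans as True/False and null as None.
vault_rows() {
  az keyvault list --query "[].name" -o tsv | while read -r v; do
    az keyvault show --name "$v" \
      --query "[name, resourceGroup, properties.enableSoftDelete, properties.softDeleteRetentionInDays]" \
      -o tsv
  done
}

# soft_delete_on VALUE: true only for an explicit true; "None", "False" or an
# empty field all mean the vault is unprotected.
soft_delete_on() {
  case "$1" in true|True) return 0 ;; *) return 1 ;; esac
}

# audit_report < rows: print one status line per vault; return 1 if any vault
# has soft-delete off (so a pipeline step can fail on it), 0 otherwise.
audit_report() {
  local bad=0 name rg enabled days
  while IFS="$(printf '\t')" read -r name rg enabled days; do
    [ -n "$name" ] || continue
    if soft_delete_on "$enabled"; then
      printf 'OK       %-24s %-20s retention=%s days\n' "$name" "$rg" "$days"
    else
      printf 'MISSING  %-24s %-20s soft-delete disabled\n' "$name" "$rg"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# valid_retention DAYS: the service accepts 7 to 90 days.
valid_retention() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 7 ] && [ "$1" -le 90 ]
}

# enable_soft_delete NAME RESOURCE_GROUP DAYS: turn soft-delete on with a DAYS-day
# retention. On current CLI versions only --retention-days still has an effect.
enable_soft_delete() {
  valid_retention "$3" || { echo "retention must be 7..90 days, got '$3'" >&2; return 2; }
  az keyvault update --name "$1" --resource-group "$2" --enable-soft-delete true --retention-days "$3"
}

# fix_all DAYS: enable soft-delete on every vault that lacks it.
fix_all() {
  local days=$1 name rg enabled rest
  vault_rows | while IFS="$(printf '\t')" read -r name rg enabled rest; do
    soft_delete_on "$enabled" || enable_soft_delete "$name" "$rg" "$days"
  done
}

usage() { echo "usage: $0 audit | fix DAYS" >&2; exit 2; }
main() {
  case "${1:-audit}" in
    audit) vault_rows | audit_report ;;
    fix)   [ $# -eq 2 ] && valid_retention "$2" || usage; fix_all "$2" ;;
    *)     usage ;;
  esac
}
[ $# -eq 0 ] || main "$@"   # no arguments: only define the functions
```

`bash audit.sh audit` exits non-zero when any vault is unprotected, which makes it usable as a gate in a pipeline; `bash audit.sh fix 30` enables soft-delete with a 30-day retention on the vaults the audit flagged. Run it once per subscription (`az account set --subscription ...`) to cover all of them.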

Grant purge access policy permissions to a security principal

  1. Sign in to the Azure portal.
  2. Search for your key vault.
  3. Select Access Policies under Settings.
  4. Select the security principal (user, group, or service principal) you'd like to grant access to.
  5. Move through each drop-down menu under Key, Secret, and Certificate permissions until you see Privileged Operations. Select the Purge permission.
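The same grant from the Azure CLI, as an added example that is not part of the Azure documentation. It assumes `az` is installed and signed in, that the vault uses the access-policy permission model this page describes, and that `VAULT` and `OBJECT_ID` are placeholders. The point the portal hides is that `az keyvault set-policy` replaces the entire permission list for each category you pass, so passing `purge` alone would silently strip the principal's existing get/list/delete rights; the `with_purge` helper (this example's own) reads the current list and appends.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs). Add the Purge permission for one
# security principal on one vault without dropping the permissions it already
# has. Assumes `az` is installed and signed in and the vault uses access policies.
set -eu

# current_perms VAULT OBJECT_ID CATEGORY: the principal's current permissions in
# CATEGORY (keys | secrets | certificates) as one space-separated string, empty
# if the principal has no policy entry. `-o tsv` prints JSON null as "None".
current_perms() {
  az keyvault show --name "$1" \
    --query "properties.accessPolicies[?objectId=='$2'].permissions.$3 | [0]" -o tsv \
    | grep -vx 'None' | tr '\n' ' ' | sed 's/ *$//'
}

# with_purge "PERMS": PERMS plus "purge" unless it is already present
# (case-insensitive). Needed because set-policy overwrites the whole list for
# every category it is given.
with_purge() {
  local p
  for p in $1; do
    case "$p" in [Pp][Uu][Rr][Gg][Ee]) printf '%s' "$1"; return 0 ;; esac
  done
  printf '%s' "${1:+$1 }purge"
}

# grant_purge VAULT OBJECT_ID: re-apply each category with purge appended.
grant_purge() {
  local vault=$1 oid=$2 keys secrets certs
  keys=$(with_purge "$(current_perms "$vault" "$oid" keys)")
  secrets=$(with_purge "$(current_perms "$vault" "$oid" secrets)")
  certs=$(with_purge "$(current_perms "$vault" "$oid" certificates)")
  # Unquoted on purpose: each variable is a space-separated permission list.
  # shellcheck disable=SC2086
  az keyvault set-policy --name "$vault" --object-id "$oid" \
    --key-permissions $keys --secret-permissions $secrets --certificate-permissions $certs
}

main() {
  [ $# -eq 2 ] || { echo "usage: $0 VAULT OBJECT_ID" >&2; exit 2; }
  grant_purge "$1" "$2"
  # Check the result: every category should now list purge alongside the old permissions.
  for c in keys secrets certificates; do
    printf '%-13s %s\n' "$c:" "$(current_perms "$1" "$2" "$c")"
  done
}
[ $# -eq 0 ] || main "$@"   # no arguments: only define the functions
```

Find the object ID with `az ad user show --id user@contoso.com --query id -o tsv` (or `az ad sp show` for a service principal). Keep the set of principals that get purge small: the text's model is that recover can be self-service while purge stays with administrators, and purge is what turns a soft-delete back into an unrecoverable loss.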

Frequently asked questions

Does this change affect me?

If you already have soft-delete turned on, or if you don't delete and re-create key vault objects with the same name, you likely won't notice any change in the behavior of your key vaults.

If you have an application that frequently deletes and re-creates key vault objects under the same naming convention, you'll have to change its logic to keep the expected behavior. See the Application changes section in this article.

How do I benefit from this change?

Soft-delete protection gives your organization another layer of protection against accidental or malicious deletion. As a key vault administrator, you can restrict access to the recover permission and the purge permission separately.

If a user accidentally deletes a key vault or secret, you can grant them permission to recover it themselves without the risk that they permanently delete the secret or key vault. This self-serve process minimizes downtime in your environment and keeps your secrets available.

How do I find out if I need to take action?

Follow the steps in the Audit your key vaults to check if soft-delete is enabled section in this article. This change affects any key vault that doesn't have soft-delete turned on.

What action do I need to take?

After you've confirmed that you don't have to change your application logic, turn on soft-delete on all of your key vaults.

When do I need to take action?

To make sure that your applications aren't affected, turn on soft-delete on your key vaults as soon as possible.

Next steps