Azure Key Vault 软删除概述Azure Key Vault soft-delete overview


必须立即对密钥保管库启用软删除。You must enable soft-delete on your key vaults immediately. 即将弃用选择退出软删除的功能。The ability to opt out of soft-delete will be deprecated soon. 请参阅此处的完整详细信息。See full details here

Key Vault 的软删除功能可用于恢复已删除的保管库和已删除的密钥保管库对象(例如,密钥、机密、证书),因而被称为软删除。Key Vault's soft-delete feature allows recovery of the deleted vaults and deleted key vault objects (for example, keys, secrets, certificates), known as soft-delete. 本文将具体探讨以下方案:这项保护措施提供以下保护:Specifically, we address the following scenarios: This safeguard offer the following protections:

  • 机密、密钥、证书或密钥保管库在被删除之后,在一个可配置的时间段( 7 到 90 个日历日)内将一直保持可恢复状态。Once a secret, key, certificate, or key vault is deleted, it will remain recoverable for a configurable period of 7 to 90 calendar days. 如果未指定配置,默认恢复期将会被设置为 90 天。If no configuration is specified the default recovery period will be set to 90 days. 这样,用户就有充足的时间来注意到意外的机密删除并做出响应。This provides users with sufficient time to notice an accidental secret deletion and respond.
  • 若要永久删除机密,必须执行两个操作。Two operations must be made to permanently delete a secret. 首先,用户必须删除该对象,使其处于软删除状态。First a user must delete the object, which puts it into the soft-deleted state. 接下来,用户必须清除处于软删除状态的对象。Second, a user must purge the object in the soft-deleted state. 清除操作需要其他访问策略权限。The purge operation requires additional access policy permissions. 这些附加的保护措施减少了用户意外或恶意删除机密或密钥保管库的风险。These additional protections reduce the risk of a user accidentally or maliciously deleting a secret or a key vault.
  • 若要清除处于软删除状态的机密,必须另外为服务主体授予“清除”访问策略权限。To purge a secret in the soft-deleted state, a service principal must be granted an additional "purge" access policy permission. “清除”访问策略权限在默认情况下不会授予任何服务主体(包括密钥保管库和订阅所有者),必须特意设置。The purge access policy permission is not granted by default to any service principal including key vault and subscription owners and must be deliberately set. 这样,通过要求提升的访问策略权限来清除处于软删除状态的机密,就会减少意外删除机密的可能性。By requiring an elevated access policy permission to purge a soft-deleted secret, it reduces the probability of accidentally deleting a secret.

支持接口Supporting interfaces

软删除功能是通过 REST APIAzure CLIAzure PowerShell.NET/C# 接口以及 ARM 模板提供的。The soft-delete feature is available through the REST API, the Azure CLI, Azure PowerShell, and .NET/C# interfaces, as well as ARM templates.


Azure Key Vault 是由 Azure Resource Manager 管理的跟踪资源。Azure Key Vaults are tracked resources, managed by Azure Resource Manager. Azure Resource Manager 还指定了定义明确的删除行为,要求成功的删除操作必须使该资源不再可供访问。Azure Resource Manager also specifies a well-defined behavior for deletion, which requires that a successful DELETE operation must result in that resource not being accessible anymore. 软删除功能解决了已删除对象的恢复问题,无论是意外删除还是有意删除。The soft-delete feature addresses the recovery of the deleted object, whether the deletion was accidental or intentional.

  1. 在典型情景中,用户可能无意中删除了 Key Vault 或 Key Vault 对象;如果 Key Vault 或 Key Vault 对象在预设的某个时间段内可恢复,则用户可以撤消删除并恢复其数据。In the typical scenario, a user may have inadvertently deleted a key vault or a key vault object; if that key vault or key vault object were to be recoverable for a predetermined period, the user may undo the deletion and recover their data.

  2. 在另一种情景中,恶意用户可能会试图删除 Key Vault 或 Key Vault 对象(例如保管库内的密钥),导致业务中断。In a different scenario, a rogue user may attempt to delete a key vault or a key vault object, such as a key inside a vault, to cause a business disruption. 作为一项安全措施,可将 Key Vault 或 Key Vault 对象的删除与基础数据的实际删除区分开来,例如,将数据删除权限仅授予另一个受信任角色。Separating the deletion of the key vault or key vault object from the actual deletion of the underlying data can be used as a safety measure by, for instance, restricting permissions on data deletion to a different, trusted role. 此方法实际上需要对可能导致数据立即丢失的操作进行仲裁。This approach effectively requires quorum for an operation which might otherwise result in an immediate data loss.

软删除行为Soft-delete behavior

启用软删除后,标记为“已删除资源”的资源将保留指定的时间(默认为 90 天)。When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). 该服务进一步提供了用于恢复已删除对象的机制,实质上是撤消删除。The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.

创建新的密钥保管库时,默认情况下将启用软删除。When creating a new key vault, soft-delete is on by default. 可以通过 Azure CLIAzure PowerShell 创建不带软删除的密钥保管库。You can create a key vault without soft-delete through the Azure CLI or Azure PowerShell. 在密钥保管库上启用软删除后,便无法将其禁用Once soft-delete is enabled on a key vault it cannot be disabled

默认保留期为 90 天,但在创建密钥保管库期间可通过 Azure 门户将保留策略间隔设为 7 到 90 天的值。The default retention period is 90 days but, during key vault creation, it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. 清除保护保留策略使用相同的间隔。The purge protection retention policy uses the same interval. 设置保留策略间隔后,将无法更改。Once set, the retention policy interval cannot be changed.

在保留期结束之前,无法重复使用已软删除的 Key Vault 的名称。You cannot reuse the name of a key vault that has been soft-deleted until the retention period has passed.

清除保护Purge protection

清除保护是一种可选的 Key Vault 行为,默认未启用Purge protection is an optional Key Vault behavior and is not enabled by default. 只有启用软删除后才能启用清除保护。Purge protection can only be enabled once soft-delete is enabled. 可以通过 CLIPowerShell 来启用它。It can be turned on via CLI or PowerShell.

启用清除保护后,在保留期结束之前,无法清除处于已删除状态的保管库或对象。When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. 软删除的保管库和对象仍可恢复,这可以确保遵循保留策略。Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.

默认保留期为 90 天,但可以通过 Azure 门户将保留策略间隔设置为 7 到 90 天的值。The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. 设置并保存保留策略间隔后,无法为该保管库更改保留策略间隔。Once the retention policy interval is set and saved it cannot be changed for that vault.

允许的清除Permitted purge

可通过对代理资源执行 POST 操作永久删除、清除 Key Vault,但此操作需要特殊权限。Permanently deleting, purging, a key vault is possible via a POST operation on the proxy resource and requires special privileges. 通常,只有订阅所有者才能清除 Key Vault。Generally, only the subscription owner will be able to purge a key vault. POST 操作可触发立即删除该保管库,且此删除不可恢复。The POST operation triggers the immediate and irrecoverable deletion of that vault.

例外情况包括:Exceptions are:

  • Azure 订阅已被标记为“不可删除”。When the Azure subscription has been marked as undeletable. 在这种情况下,只有服务可以执行实际删除,并且将作为计划的进程执行此操作。In this case, only the service may then perform the actual deletion, and does so as a scheduled process.
  • 在保管库本身上启用 --enable-purge-protection flag 时。When the --enable-purge-protection flag is enabled on the vault itself. 在这种情况下,Key Vault 将自原始机密对象标记为删除以永久删除该对象起等待 90 天。In this case, Key Vault will wait for 90 days from when the original secret object was marked for deletion to permanently delete the object.

有关步骤,请参阅如何将 Key Vault 软删除与 CLI 配合使用:清除密钥保管库如何通过 PowerShell 使用 Key Vault 软删除:清除密钥保管库For steps, see How to use Key Vault soft-delete with CLI: Purging a key vault or How to use Key Vault soft-delete with PowerShell: Purging a key vault.

Key Vault 恢复Key vault recovery

删除 Key Vault 后,服务会在订阅下创建代理资源,为恢复添加足够的元数据。Upon deleting a key vault, the service creates a proxy resource under the subscription, adding sufficient metadata for recovery. 代理资源是一个存储对象,位于与已删除 Key Vault 相同的位置。The proxy resource is a stored object, available in the same location as the deleted key vault.

Key Vault 对象恢复Key vault object recovery

删除密钥保管库对象(例如密钥)时,服务会将该对象置于已删除状态,使其不可供任何检索操作访问。Upon deleting a key vault object, such as a key, the service will place the object in a deleted state, making it inaccessible to any retrieval operations. 在此状态下,只能列出、恢复或强制/永久删除 Key Vault 对象。While in this state, the key vault object can only be listed, recovered, or forcefully/permanently deleted. 若要查看对象,请使用 Azure CLI az keyvault key list-deleted 命令(按照如何通过 CLI 使用 Key Vault 软删除中的说明)或 Azure PowerShell -InRemovedState 参数(按照如何通过 PowerShell 使用 Key Vault 软删除中的说明)。To view the objects, use the Azure CLI az keyvault key list-deleted command (as documented in How to use Key Vault soft-delete with CLI), or the Azure PowerShell -InRemovedState parameter (as described in How to use Key Vault soft-delete with PowerShell).

同时,Key Vault 将计划在预设的保留间隔后删除与已删除 Key Vault 或 Key Vault 对象对应的基础数据。At the same time, Key Vault will schedule the deletion of the underlying data corresponding to the deleted key vault or key vault object for execution after a predetermined retention interval. 在保留间隔内,还会保留与该保管库相对应的 DNS 记录。The DNS record corresponding to the vault is also retained for the duration of the retention interval.

软删除保留期Soft-delete retention period

软删除的资源将保留设定的一段时间(90 天)。Soft-deleted resources are retained for a set period of time, 90 days. 在软删除保留间隔内,以下情况属实:During the soft-delete retention interval, the following apply:

  • 可以列出订阅中处于软删除状态的所有 Key Vault 和 Key Vault 对象,并可访问与这些对象有关的删除和恢复信息。You may list all of the key vaults and key vault objects in the soft-delete state for your subscription as well as access deletion and recovery information about them.
    • 只有具有特殊权限的用户才能列出已删除的保管库。Only users with special permissions can list deleted vaults. 我们建议用户创建一个具有这些特殊权限的自定义角色来处理已删除的保管库。We recommend that our users create a custom role with these special permissions for handling deleted vaults.
  • 无法在同一位置创建具有相同名称的 Key Vault;相应地,在创建 Key Vault 对象时,如果 Key Vault 中包含具有相同名称且处于已删除状态的对象,则无法在其中创建该对象A key vault with the same name cannot be created in the same location; correspondingly, a key vault object cannot be created in a given vault if that key vault contains an object with the same name and which is in a deleted state.
  • 只有特权用户可以还原 Key Vault 或 Key Vault 对象,方法是对相应的代理资源发出恢复命令。Only a specifically privileged user may restore a key vault or key vault object by issuing a recover command on the corresponding proxy resource.
    • 有权在资源组下创建 key vault 的用户(自定义角色的成员)可以还原该保管库。The user, member of the custom role, who has the privilege to create a key vault under the resource group can restore the vault.
  • 只有特权用户可以强制删除 Key Vault 或 Key Vault 对象,方法是对相应的代理资源发出删除命令。Only a specifically privileged user may forcibly delete a key vault or key vault object by issuing a delete command on the corresponding proxy resource.

除非恢复 Key Vault 或 Key Vault 对象,否则在保留间隔结束时,服务会清除已软删除的 Key Vault 或 Key Vault 对象及其内容。Unless a key vault or key vault object is recovered, at the end of the retention interval the service performs a purge of the soft-deleted key vault or key vault object and its content. 资源删除不可重新计划。Resource deletion may not be rescheduled.

计费影响Billing implications

一般情况下,如果对象(密钥保管库或密钥或机密)处于已删除状态,仅可执行两个操作:“清除”和“恢复”。In general, when an object (a key vault or a key or a secret) is in deleted state, there are only two operations possible: 'purge' and 'recover'. 所有其他操作都会失败。All the other operations will fail. 因此,即使对象存在,也不可执行任何操作,因此不会出现使用情况,也不会计费。Therefore, even though the object exists, no operations can be performed and hence no usage will occur, so no bill. 但是存在以下例外:However there are following exceptions:

  • “清除”和“恢复”操作计为正常密钥保管库操作并收费。'purge' and 'recover' actions will count towards normal key vault operations and will be billed.

后续步骤Next steps

以下两个指南提供有关使用软删除的主要使用方案。The following two guides offer the primary usage scenarios for using soft-delete.