Introduction
If a Key Vault is deleted, all objects inside it are deleted as well. Soft delete allows recovery of a deleted Key Vault and of any objects (keys, secrets, certificates, etc.) contained in it.
How Soft Delete Works (docs.microsoft.com)
With this feature, the DELETE operation on a key vault or key vault object is a soft-delete, effectively holding the resources for a given retention period (90 days), while giving the appearance that the object is deleted. The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
Key vault recovery
Upon deleting a key vault, the service creates a proxy resource under the subscription, adding sufficient metadata for recovery. The proxy resource is a stored object, available in the same location as the deleted key vault.
Key vault object recovery
Upon deleting a key vault object, such as a key, the service will place the object in a deleted state, making it inaccessible to any retrieval operations. While in this state, the key vault object can only be listed, recovered, or forcefully/permanently deleted.
At the same time, Key Vault will schedule the deletion of the underlying data corresponding to the deleted key vault or key vault object for execution after a predetermined retention interval. The DNS record corresponding to the vault is also retained for the duration of the retention interval.
How to Enable Soft Delete
Here are the commands that can be used to enable soft delete on an existing or a new Key Vault. Reference found from here (link to commands).
#For an existing Key Vault: add the enableSoftDelete property to the vault resource and push it back with Set-AzResource
($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName "Fetanet-DiskEncryptTest").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties
#For a new Key Vault: enable soft delete during creation
New-AzKeyVault -Name "YourOwnVaultNameHere" -ResourceGroupName "RG-Name" -Location "westus" -EnableSoftDelete
#Verify: the output should show "Soft Delete Enabled?" as True
Get-AzKeyVault -VaultName "Fetanet-DiskEncryptTest"
Recovery Process
I’m focusing on the recovery part in this blog. I faced a disaster recovery situation two weeks ago in a customer environment where the Key Vault resource group was accidentally deleted. The Key Vault contained wrapped keys for server disk encryption. No matter whether you are using Microsoft-managed keys or BYOK with Azure Disk Encryption (ADE), the recovery process is the same. If you are wondering how ADE works, take a look at this.
Key Vault Recovery
All pictures in this blog are from my test environment where I reproduced the error situation. After the Key Vault was deleted I started to get the following error when starting the server, which was in the Domain Controller role.

The Key Vault which contained the secret is gone, totally. If soft delete was not enabled you are screwed: the vault and everything in it is unrecoverable. If soft delete was enabled you can restore the situation as it was.
Find out the possible Key Vaults to restore with Get-AzKeyVault -InRemovedState. The output lists each soft-deleted vault with its location, deletion date and scheduled purge date.

When you have found the correct Key Vault to restore, restore it with the Undo-AzKeyVaultRemoval command. Besides the vault name and its original location, you need to define the resource group, which must exist when the restore is made. If the whole resource group was deleted, create a resource group with the same name before restoring the Key Vault.
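The vault recovery steps above, as an added PowerShell example that is not part of the original post: it locates the soft-deleted vault, recreates the resource group if it is missing, runs Undo-AzKeyVaultRemoval and verifies the result. It assumes the Az.KeyVault and Az.Resources modules are installed, Connect-AzAccount has been run against the right subscription, and that the deleted-vault entry carries the original ARM resource ID in its ResourceId property (the resource group name is parsed from it). The function name Restore-SoftDeletedKeyVault is my own.

```powershell
# Added example (not from the original post): end-to-end recovery of a
# soft-deleted Key Vault with the Az PowerShell module.
# Assumptions: Az.KeyVault and Az.Resources installed, Connect-AzAccount done,
# and the caller may create resource groups and recover vaults.
function Restore-SoftDeletedKeyVault {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName
    )

    # 1. Locate the vault among the soft-deleted ones. Vault names are globally
    #    unique, so the name is enough; still fail loudly on zero or many matches.
    $deleted = @(Get-AzKeyVault -InRemovedState | Where-Object { $_.VaultName -eq $VaultName })
    if ($deleted.Count -eq 0) {
        throw "No soft-deleted vault named '$VaultName' found in this subscription."
    }
    if ($deleted.Count -gt 1) {
        throw "More than one deleted entry named '$VaultName'; narrow down by -Location."
    }
    $deleted = $deleted[0]

    # The proxy keeps the original resource ID; the resource group is the segment
    # after 'resourceGroups/'. (Assumed ResourceId format.)
    if ($deleted.ResourceId -notmatch '/resourceGroups/([^/]+)/') {
        throw "Cannot determine the original resource group from '$($deleted.ResourceId)'."
    }
    $rgName   = $Matches[1]
    $location = $deleted.Location
    Write-Verbose ("Vault '{0}' deleted {1}, scheduled purge {2}" -f $VaultName, $deleted.DeletionDate, $deleted.ScheduledPurgeDate)

    # 2. Undo-AzKeyVaultRemoval needs the original resource group to exist.
    #    If the whole group was deleted, recreate it with the same name.
    if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
        Write-Verbose "Resource group '$rgName' is missing; recreating it in $location."
        New-AzResourceGroup -Name $rgName -Location $location | Out-Null
    }

    # 3. Recover the vault in place, with its original resource ID.
    Undo-AzKeyVaultRemoval -VaultName $VaultName -ResourceGroupName $rgName -Location $location | Out-Null

    # 4. Verify: the vault is visible again and no longer listed in removed state.
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $rgName
    if (-not $vault) {
        throw "Recovery of '$VaultName' reported success but the vault is not visible."
    }
    if (Get-AzKeyVault -InRemovedState | Where-Object { $_.VaultName -eq $VaultName }) {
        throw "'$VaultName' is still listed in removed state."
    }
    return $vault
}

# Usage (vault name taken from the post; adjust to your environment):
# Restore-SoftDeletedKeyVault -VaultName "Fetanet-DiskEncryptTest" -Verbose
```

Recreating the resource group only restores a container with the same name; any locks, tags or role assignments the original group had are not brought back by this step and have to be re-applied separately.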

Key Vault Object Recovery
Deleted objects in a Key Vault can be recovered; in this example an individual secret is recovered.
With the following commands you can list the individual keys, secrets, and certificates in the Key Vault. With the "InRemovedState" switch you see the removed ones instead.
#Get Individual objects from Key Vault
Get-AzKeyVaultKey -VaultName "Fetanet-DiskEncryptTest"
Get-AzKeyVaultSecret -VaultName "Fetanet-DiskEncryptTest"
Get-AzKeyVaultCertificate -VaultName "Fetanet-DiskEncryptTest"
#Get deleted objects from Key Vault
Get-AzKeyVaultKey -VaultName "Fetanet-DiskEncryptTest" -InRemovedState
Get-AzKeyVaultSecret -VaultName "Fetanet-DiskEncryptTest" -InRemovedState
Get-AzKeyVaultCertificate -VaultName "Fetanet-DiskEncryptTest" -InRemovedState

Example – secret deleted from the vault and recovered
In the pictures below the following tasks are done:
- The secret is deleted from the vault
- Queried with PowerShell
- Recovered from the Vault
- Verified functionality after restore
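The four steps of the example above (delete, query, recover, verify), as an added PowerShell example that is not part of the original post. It generalises the secret case to keys and certificates by building the cmdlet names from the object type, and it polls after the delete and after the recovery because both are completed asynchronously by the service. It assumes Az.KeyVault is installed, Connect-AzAccount has been run, and the caller's access policy includes list, get, delete and recover for the object type; the function name Test-KeyVaultObjectRecovery and the DeletedDate/ScheduledPurgeDate property names on the deleted item are my own assumptions.

```powershell
# Added example (not from the original post): soft-delete one Key Vault object,
# confirm it is visible only in the removed state, recover it and verify that
# the same object version is back. Works for keys, secrets and certificates.
# Assumptions: Az.KeyVault installed, Connect-AzAccount done, and the caller's
# access policy grants list/get/delete/recover for the object type.
function Test-KeyVaultObjectRecovery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('Key', 'Secret', 'Certificate')] [string] $Type = 'Secret'
    )

    # Cmdlet names follow one pattern per object type.
    $get    = "Get-AzKeyVault$Type"
    $remove = "Remove-AzKeyVault$Type"
    $undo   = "Undo-AzKeyVault${Type}Removal"

    # Step 1: record the current object (its Id includes the version).
    $before = & $get -VaultName $VaultName -Name $Name
    if (-not $before) { throw "$Type '$Name' not found in vault '$VaultName'." }
    Write-Verbose "Current $Type id: $($before.Id)"

    # Step 2: soft-delete it. -Force suppresses the confirmation prompt.
    & $remove -VaultName $VaultName -Name $Name -Force

    # The deleted entry can take a few seconds to appear; poll before going on.
    $deleted = $null
    for ($i = 0; $i -lt 12 -and -not $deleted; $i++) {
        Start-Sleep -Seconds 5
        $deleted = & $get -VaultName $VaultName -Name $Name -InRemovedState -ErrorAction SilentlyContinue
    }
    if (-not $deleted) {
        throw "$Type '$Name' never appeared in removed state; is soft delete enabled on '$VaultName'?"
    }
    Write-Verbose "Deleted $($deleted.DeletedDate), scheduled purge $($deleted.ScheduledPurgeDate)"

    # While deleted, a normal Get must return nothing: the object is inaccessible to retrieval.
    $live = & $get -VaultName $VaultName -Name $Name -ErrorAction SilentlyContinue
    if ($live) { throw "Deleted $Type '$Name' is still readable; soft delete is not behaving as expected." }

    # Step 3: recover it, then poll until the object is readable again.
    & $undo -VaultName $VaultName -Name $Name | Out-Null
    $after = $null
    for ($i = 0; $i -lt 12 -and -not $after; $i++) {
        Start-Sleep -Seconds 5
        $after = & $get -VaultName $VaultName -Name $Name -ErrorAction SilentlyContinue
    }
    if (-not $after) { throw "Recovery of $Type '$Name' did not complete." }

    # Step 4: verify it is the same object and version we started with.
    if ($after.Id -ne $before.Id) {
        throw "Recovered $Type has id $($after.Id), expected $($before.Id)."
    }
    return $after
}

# Usage (vault name taken from the post; secret name is a placeholder):
# Test-KeyVaultObjectRecovery -VaultName "Fetanet-DiskEncryptTest" -Name "MySecret" -Type Secret -Verbose
```

Run this only against a test vault or a throw-away object: the delete is real, and if soft delete turns out to be disabled on the vault the object is gone for good, which is exactly the failure the first throw is meant to surface.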
Caveats
Backup
Key Vault has backup functionality, and the following considerations need to be taken into account when planning the restore of a backup.
A backup taken of a key from a key vault in one Azure location can be restored to a key vault in another Azure location, as long as both of these conditions are true:
- Both of the Azure locations belong to the same geographical location
- Both of the key vaults belong to the same Azure subscription
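The backup path, as an added PowerShell example that is not part of the original post: one function exports every key, secret and certificate of a vault to backup blobs on disk, the other restores a folder of blobs into a target vault and checks the same-subscription condition above before it starts. It assumes Az.KeyVault is installed, Connect-AzAccount has been run, the caller has backup and restore rights on both vaults, and that the listing cmdlets expose a Managed property on each item (used to skip the key and secret that belong to a certificate, which are restored with the certificate); the function names and the file naming pattern are my own.

```powershell
# Added example (not from the original post): back up all objects of a vault to
# service-encrypted backup blobs and restore them into another vault.
# Assumptions: Az.KeyVault installed, Connect-AzAccount done, backup/restore
# rights on both vaults, and a Managed property on listed items.
function Backup-KeyVaultObjects {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $BackupFolder
    )
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $files = @()
    foreach ($type in 'Key', 'Secret', 'Certificate') {
        foreach ($obj in (& "Get-AzKeyVault$type" -VaultName $VaultName)) {
            if ($obj.Managed) { continue }   # owned by a certificate; skip
            # File name pattern: <vault>.<Type>.<name>.blob (vault and object names contain no dots)
            $file = Join-Path $BackupFolder ("{0}.{1}.{2}.blob" -f $VaultName, $type, $obj.Name)
            # The blob is encrypted by the service and can only be restored into a
            # vault in the same geography and the same subscription.
            & "Backup-AzKeyVault$type" -VaultName $VaultName -Name $obj.Name -OutputFile $file -Force | Out-Null
            $files += $file
        }
    }
    return $files
}

function Restore-KeyVaultObjects {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $BackupFolder,
        [string] $SourceVaultName
    )
    $target = Get-AzKeyVault -VaultName $VaultName
    if (-not $target) { throw "Target vault '$VaultName' not found." }

    # If the source vault still exists, check the conditions up front:
    # same subscription (segment 2 of '/subscriptions/<id>/...') and, as far as
    # the location tells us, same geography.
    if ($SourceVaultName) {
        $source = Get-AzKeyVault -VaultName $SourceVaultName
        if ($source -and ($source.ResourceId.Split('/')[2] -ne $target.ResourceId.Split('/')[2])) {
            throw "Source and target vaults are in different subscriptions; restore is not supported."
        }
        if ($source -and $source.Location -ne $target.Location) {
            Write-Warning "Vaults are in different regions; the restore only works if both regions belong to the same geography."
        }
    }

    $results = @()
    foreach ($file in Get-ChildItem -Path $BackupFolder -Filter '*.blob') {
        $parts = $file.BaseName -split '\.', 3
        if ($parts.Count -ne 3) { Write-Warning "Skipping unrecognised file $($file.Name)"; continue }
        $type = $parts[1]; $name = $parts[2]
        try {
            & "Restore-AzKeyVault$type" -VaultName $VaultName -InputFile $file.FullName | Out-Null
            $results += [pscustomobject]@{ Type = $type; Name = $name; Restored = $true;  Error = $null }
        } catch {
            # Typical cause: an object with the same name already exists in the target vault.
            $results += [pscustomobject]@{ Type = $type; Name = $name; Restored = $false; Error = $_.Exception.Message }
        }
    }
    return $results
}

# Usage (vault name taken from the post; target vault and folder are placeholders):
# Backup-KeyVaultObjects  -VaultName "Fetanet-DiskEncryptTest" -BackupFolder "C:\kv-backup"
# Restore-KeyVaultObjects -VaultName "Fetanet-DiskEncryptTest-restore" -BackupFolder "C:\kv-backup" -SourceVaultName "Fetanet-DiskEncryptTest"
```

The blobs are opaque and encrypted by the service, so they are safe to store outside the vault's region, but they are also useless outside the originating subscription and geography: keep the subscription ID and region next to the backup so the restore target can be chosen correctly later.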
Soft Delete
The Key Vault soft delete retention period for vaults and objects is 90 days by default.
Resource Group Relationship
When a vault is recovered, a new resource is created with its original resource ID. If the resource group where the vault existed has been removed, a new resource group with the same name has to be created before the vault can be recovered.
Summary
I highly recommend enabling soft delete on all production Key Vaults, even if you also use Azure resource locks. It is a cheap safety mechanism that can save your environment from disaster and downtime.
Would you happen to know if there is any way to change the retention period (of soft delete) from 90 days to something else?
Hi,
I haven’t found a parameter to change the retention period configuration (at least yet), so I assume that the setting is not configurable.
If you need to restore objects from longer than 90 days ago, consider taking backups of individual objects to another location. This isn’t of course the same as the soft-delete behaviour, but backups of keys/secrets/certificates can save your day in disaster recovery scenarios 😊
I’m heading on vacation today but will find out confirmation for your retention period question later on 😊
Thanks,
Sami
You can set the retention period if you create the AKV using the Azure Portal. Allowed values run from 7 to 90 days.
Thanks for sharing!
It would be nice if you showed how to purge soft-deleted vaults.
Thanks for the feedback and that’s an excellent suggestion. I will update the blog to contain the purge part from Vaults.