If Key Vault is deleted all objects inside it are deleted also. A soft delete allows recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it.
How Soft Delete Works (docs.microsoft.com)
With this feature, the DELETE operation on a key vault or key vault object is a soft-delete, effectively holding the resources for a given retention period (90 days), while giving the appearance that the object is deleted. The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
Key vault recovery
Upon deleting a key vault, the service creates a proxy resource under the subscription, adding sufficient metadata for recovery. The proxy resource is a stored object, available in the same location as the deleted key vault.
Key vault object recovery
Upon deleting a key vault object, such as a key, the service will place the object in a deleted state, making it inaccessible to any retrieval operations. While in this state, the key vault object can only be listed, recovered, or forcefully/permanently deleted.
At the same time, Key Vault will schedule the deletion of the underlying data corresponding to the deleted key vault or key vault object for execution after a predetermined retention interval. The DNS record corresponding to the vault is also retained for the duration of the retention interval.
How to Enable Soft Delete
Here are commands which can be used for enabling Key Vault. Reference found from here.
Link to commands #For existing Key Vault ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName "Fetanet-DiskEncryptTest").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true" Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties #To New Key Vault during creation New-AzKeyVault -Name "YouOwnVaultNameHere" -ResourceGroupName "RG-Name" -Location "westus" -EnableSoftDelete #Verify Get-AzKeyVault -VaultName "Fetanet-DiskEncryptTest"
I’m focusing on the recovery part in this blog. I faced a disaster recovery situation two weeks ago at the customer environment where Key Vault resource group was accidentally deleted. The Key Vault contained wrapped keys for server disk encryption. No matter are you using Microsoft managed keys or BYOK to Azure Disk Encryption (ADE) the recovery process is the same. If you are wondering how ADE works take a look of this.
Key Vault Recovery
All pictures in this blog are from my test environment where I re-produced the error situation. After Key Vault was deletion I started to have the following error when starting the server which was in Domain Controller role.
Key Vault which contained the secret is gone, totally. If Soft Delete is not enabled you are screwed. If Soft Delete has been enabled you can restore the situation as it was.
Find out possible Key Vaults to restore – Get-AzKeyVault -InRemovedState
When you find correct Key Vault to restore you can restore it with Undo-AzKeyVaultRemoval command. What you need to define here is a resource group which needs to exist when making a restore. If the whole resource group was deleted create RG with the same name before restoring the Key Vault.
Key Vault Object Recovery
Deleted objects from Key Vault can be recovered, in this example individual secret is recovered.
With following commands you can list individual secrets, keys, and certificates from the Key Vault. When using “InRemovedState” switch you can see removed ones from the Key Vault
#Get Individual objects from Key Vault Get-AzKeyVaultKey -VaultName "Fetanet-DiskEncryptTest" Get-AzKeyVaultSecret -VaultName "Fetanet-DiskEncryptTest" Get-AzKeyVaultCertificate -VaultName "Fetanet-DiskEncryptTest" #Get Deleted object from Key Vault Get-AzKeyVaultKey -VaultName "Fetanet-DiskEncryptTest" -InRemovedState Get-AzKeyVaultSecret -VaultName "Fetanet-DiskEncryptTest" -InRemovedState Get-AzKeyVaultCertificate -VaultName "Fetanet-DiskEncryptTest" -InRemovedState
Example – secret deleted from the vault and recovered
At pictures below following tasks are done:
- The secret is deleted from the vault
- Queried with PowerShell
- Recovered from the Vault
- Verified functionality after restore
Key Vault has backup functionality and following considerations needs to take into account when planning restore of a backup
Backup taken of a key from a key vault in one Azure location can be restored to a key vault in another Azure location, as long as both of these conditions are true:
- Both of the Azure locations belong to the same geographical location
- Both of the key vaults belong to the same Azure subscription
Key Vault Soft Delete retention period for Vault and objects is by default 90 days.
Resource Group Relationship
When a vault is recovered, it results in a new resource being created with its original resource ID. If the resource group where the vault existed has been removed, a new resource group with the same name will need to be recreated before the vault can be recovered
I highly recommend enabling Soft-Delete to all of production environment Key Vaults even you would use Azure locks resource protection. It’s a cheap safety mechanism and can save your environment from disaster and downtime.