Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 4 Enable Soft Delete and purge protection on the Azure Key Vault

@20aman    Jul 01, 2020

Soft delete and purge protection are the key vault recovery features. They work together and differ only in what they guard against.

  • Soft Delete - This prevents accidental deletion of the key vault and its related objects (Keys, Secrets, Certificates). You can recover any deleted item for as long as the retention period you define (in a number of days) has not elapsed. Deleted resources can still be purged, which deletes them permanently.
  • Purge Protection - With purge protection enabled, soft-deleted items cannot be purged until the retention period configured for Soft Delete has expired. Together with the Soft Delete setting, this ensures that deleted key vault resources cannot be permanently removed before that period ends.

Note that both the Soft Delete and Purge Protection settings are required before the key vault can be used with the Recovery Services vault to provide your custom key for encryption.

These settings are in the Properties section of the Key Vault. When you enable the Soft Delete option, you also provide the retention period (in days) for deleted vaults.

Soft delete and purge protection

You can also set up Soft Delete and Purge Protection while creating the key vault.
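Before pointing the Recovery Services vault at a key, it is worth checking the vault's settings from the command line rather than trusting the portal view. The following is an added example (not code from the original post) that reads the JSON printed by `az keyvault show`, reports whether both required settings are on and the retention period is in the allowed range, and lists the `az keyvault update` commands that would fix it; the vault name, resource group and JSON sample are constructed.

```python
# Added example (not from the original post): readiness check for using a Key Vault
# as the customer-managed key store of a Recovery Services vault, plus the az CLI
# remediation commands. Input is the JSON that `az keyvault show` prints; the sample
# below is constructed, not captured from a real subscription.
import json

SAMPLE_SHOW_OUTPUT = """{
  "name": "kv-byok-demo",
  "resourceGroup": "rg-byok-demo",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "softDeleteRetentionInDays": 90
  }
}"""

MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 7, 90  # range Key Vault accepts


def check_vault(show_json: str) -> dict:
    """Return findings for the two settings the post says are required."""
    kv = json.loads(show_json)
    props = kv["properties"]
    days = props.get("softDeleteRetentionInDays")
    problems = []
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is disabled")
    if days is None or not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
        problems.append(f"retention period {days} is outside "
                        f"{MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS} days")
    return {"vault": kv["name"], "ready": not problems, "problems": problems}


def remediation_commands(show_json: str) -> list:
    """az CLI commands that bring the vault into the required state.
    Order matters: purge protection can only be enabled on a vault that already
    has soft delete, and neither setting can be turned off again once enabled."""
    kv = json.loads(show_json)
    props = kv["properties"]
    base = (f"az keyvault update --name {kv['name']} "
            f"--resource-group {kv['resourceGroup']}")
    cmds = []
    if not props.get("enableSoftDelete"):
        # Newer CLI versions enable soft delete by default; the flag is harmless there.
        cmds.append(f"{base} --enable-soft-delete true --retention-days 90")
    if not props.get("enablePurgeProtection"):
        cmds.append(f"{base} --enable-purge-protection true")
    return cmds
```

Pipe the real `az keyvault show --name <vault> --resource-group <rg>` output into `check_vault` and run the returned commands only after confirming the list, since purge protection cannot be undone.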

When a key vault that has soft delete enabled is deleted:

  • You cannot create another vault with the same name as the deleted vault.
  • You can list all key vaults and key vault objects that are in the soft-deleted state for your subscription, and access deletion and recovery information about them. Users must be granted the appropriate permissions to list the keys of deleted vaults.
  • Only a specifically privileged user may restore a key vault or key vault object by issuing a recover command on the corresponding proxy resource.
  • Only a specifically privileged user may forcibly delete a key vault or key vault object by issuing a delete command on the corresponding proxy resource.

Note:

  • Unless a key vault or key vault object is recovered, at the end of the retention interval the service performs a purge of the soft-deleted key vault or key vault object and its content. Resource deletion may not be rescheduled.
  • Once soft delete has been enabled, it cannot be disabled.
