| ms.assetid | title | description | services | author | manager | ms.service | ms.topic | ms.workload | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|
Azure Key Vault - How to use soft-delete with PowerShell |
Use case examples of soft-delete with PowerShell code snips |
key-vault |
bryanla |
mbaldwin |
key-vault |
conceptual |
identity |
10/16/2018 |
bryanla |
Azure Key Vault's soft delete feature allows recovery of deleted vaults and vault objects. Specifically, soft-delete addresses the following scenarios:
- Support for recoverable deletion of a key vault
- Support for recoverable deletion of key vault objects; keys, secrets, and, certificates
- Azure PowerShell 4.0.0 or later - If you don't have this already setup, install Azure PowerShell and associate it with your Azure subscription, see How to install and configure Azure PowerShell.
Note
There is an outdated version of our Key Vault PowerShell output formatting file that may be loaded into your environment instead of the correct version. We are anticipating an updated version of PowerShell to contain the needed correction for the output formatting and will update this topic at that time. The current workaround, should you encounter this formatting problem, is:
- Use the following query if you notice you're not seeing the soft-delete enabled property described in this topic:
$vault = Get-AzureRmKeyVault -VaultName myvault; $vault.EnableSoftDelete.
For Key Vault specific refernece information for PowerShell, see Azure Key Vault PowerShell reference.
Key Vault operations are separately managed via role-based access control (RBAC) permissions as follows:
| Operation | Description | User permission |
|---|---|---|
| List | Lists deleted key vaults. | Microsoft.KeyVault/deletedVaults/read |
| Recover | Restores a deleted key vault. | Microsoft.KeyVault/vaults/write |
| Purge | Permanently removes a deleted key vault and all its contents. | Microsoft.KeyVault/locations/deletedVaults/purge/action |
For more information on permissions and access control, see Secure your key vault.
You enable "soft-delete" to allow recovery of a deleted key vault, or objects stored in a key vault.
Important
Enabling 'soft delete' on a key vault is an irreversible action. Once the soft-delete property has been set to "true", it cannot be changed or removed.
For an existing key vault named ContosoVault, enable soft-delete as follows.
($resource = Get-AzureRmResource -ResourceId (Get-AzureRmKeyVault -VaultName "ContosoVault").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
Set-AzureRmResource -resourceid $resource.ResourceId -Properties $resource.PropertiesEnabling soft-delete for a new key vault is done at creation time by adding the soft-delete enable flag to your create command.
New-AzureRmKeyVault -Name "ContosoVault" -ResourceGroupName "ContosoRG" -Location "westus" -EnableSoftDeleteTo verify that a key vault has soft-delete enabled, run the show command and look for the 'Soft Delete Enabled?' attribute:
Get-AzureRmKeyVault -VaultName "ContosoVault"The command to delete a key vault changes in behavior, depending on whether soft-delete is enabled.
Important
If you run the following command for a key vault that does not have soft-delete enabled, you will permanently delete this key vault and all its content with no options for recovery!
Remove-AzureRmKeyVault -VaultName 'ContosoVault'With soft-delete enabled:
- A deleted key vault is removed from its resource group and placed in a reserved namespace, associated with the location where it was created.
- Deleted objects such as keys, secrets, and certificates, are inaccessible as long as their containing key vault is in the deleted state.
- The DNS name for a deleted key vault is reserved, preventing a new key vault with same name from being created.
You may view deleted state key vaults, associated with your subscription, using the following command:
PS C:\> Get-AzureRmKeyVault -InRemovedState - Id can be used to identify the resource when recovering, or purging.
- Resource ID is the original resource ID of this vault. Since this key vault is now in a deleted state, no resource exists with that resource ID.
- Scheduled Purge Date is when the vault will be permanently deleted, if no action is taken. The default retention period, used to calculate the Scheduled Purge Date, is 90 days.
To recover a key vault, you specify the key vault name, resource group, and location. Note the location and the resource group of the deleted key vault, as you need them for the recovery process.
Undo-AzureRmKeyVaultRemoval -VaultName ContosoVault -ResourceGroupName ContosoRG -Location westusWhen a key vault is recovered, a new resource is created with the key vault's original resource ID. If the original resource group is removed, one must be created with same name before attempting recovery.
The following command will delete the 'ContosoFirstKey' key, in a key vault named 'ContosoVault', which has soft-delete enabled:
Remove-AzureKeyVaultKey -VaultName ContosoVault -Name ContosoFirstKeyWith your key vault enabled for soft-delete, a deleted key still appears to be deleted, unless you explicitly list deleted keys. Most operations on a key in the deleted state will fail, except for listing, recovering, purging a deleted key.
For example, the following command lists deleted keys in the 'ContosoVault' key vault:
Get-AzureKeyVaultKey -VaultName ContosoVault -InRemovedStateWhen you delete a key in a key vault with soft-delete enabled, it may take a few seconds for the transition to complete. During this transition, it may appear that the key is not in the active state or the deleted state.
Just like key vaults, a deleted key, secret, or certificate, remains in deleted state for up to 90 days, unless you recover it or purge it.
To recover a soft-deleted key:
Undo-AzureKeyVaultKeyRemoval -VaultName ContosoVault -Name ContosoFirstKeyTo permanently delete (also known as purging) a soft-deleted key:
Important
Purging a key will permanently delete it, and it will not be recoverable!
Remove-AzureKeyVaultKey -VaultName ContosoVault -Name ContosoFirstKey -InRemovedStateThe recover and purge actions have their own permissions associated in a key vault access policy. For a user or service principal to be able to execute a recover or purge action, they must have the respective permission for that key or secret. By default, purge isn't added to a key vault's access policy, when the 'all' shortcut is used to grant all permissions. You must specifically grant purge permission.
The following command grants [email protected] permission to use several operations on keys in ContosoVault including purge:
Set-AzureRmKeyVaultAccessPolicy -VaultName ContosoVault -UserPrincipalName user@contoso.com -PermissionsToKeys get,create,delete,list,update,import,backup,restore,recover,purgeNote
If you have an existing key vault that has just had soft-delete enabled, you may not have recover and purge permissions.
Like keys, secrets are managed with their own commands:
- Delete a secret named SQLPassword:
Remove-AzureKeyVaultSecret -VaultName ContosoVault -name SQLPassword- List all deleted secrets in a key vault:
Get-AzureKeyVaultSecret -VaultName ContosoVault -InRemovedState- Recover a secret in the deleted state:
Undo-AzureKeyVaultSecretRemoval -VaultName ContosoVault -Name SQLPAssword-
Purge a secret in deleted state:
[!IMPORTANT] Purging a secret will permanently delete it, and it will not be recoverable!
Remove-AzureKeyVaultSecret -VaultName ContosoVault -InRemovedState -name SQLPassword
Purging a key, secret, or certificate, causes permanent deletion and it will not be recoverable. The key vault that contained the deleted object will however remain intact as will all other objects in the key vault.
When a key vault is purged, its entire contents are permanently deleted, including keys, secrets, and certificates. To purge a key vault, use the Remove-AzureRmKeyVault command with the option -InRemovedState and by specifying the location of the deleted key vault with the -Location location argument. You can find the location of a deleted vault using the command Get-AzureRmKeyVault -InRemovedState.
Important
Purging a key vault will permanently delete it, meaning it will not be recoverable!
Remove-AzureRmKeyVault -VaultName ContosoVault -InRemovedState -Location westus- To purge a deleted key vault, the user needs RBAC permission to the Microsoft.KeyVault/locations/deletedVaults/purge/action operation.
- To list a deleted key vault, the user needs RBAC permission to the Microsoft.KeyVault/deletedVaults/read operation.
- By default only a subscription administrator has these permissions.
Listing deleted key vault objects also shows when they're scheduled to be purged by Key Vault. Scheduled Purge Date indicates when a key vault object will be permanently deleted, if no action is taken. By default, the retention period for a deleted key vault object is 90 days.
Important
A purged vault object, triggered by its Scheduled Purge Date field, is permanently deleted. It is not recoverable!
- For an overview of Key Vault's soft-delete feature, see Azure Key Vault soft-delete overview.
- For a general overview of Azure Key Vault usage, see Get started with Azure Key Vault.