Soft-delete & purge protection with Azure Keyvault

Introduction
Soft-delete is a feature whereby, if you delete a vault or a vault object such as a key, secret or certificate, you can restore it. How long items remain in a soft-deleted state is a configurable setting which ranges from 7 to 90 days.
In short: soft-delete retains deleted items for a period of at most 90 days, during which they can be restored before being permanently deleted.
Soft-delete is enabled by default on new key vaults and cannot be disabled, so you do not have to worry about this with any new key vaults you provision.
In addition to soft-delete there is something called purge protection. It is not enabled by default and can only be enabled when soft-delete is already configured on the key vault.
Purge protection prohibits users from manually and permanently deleting any vault or vault item which is in a soft-deleted state. Purge protection is recommended when using keys for encryption to prevent data loss, for example when using Azure Disk Encryption and the vault holds the keys.
For more information about Azure Disk Encryption you can read my other post about that here
The result is that a malicious user cannot access the vault, delete all the keys and then permanently delete them from soft-delete, because you have configured purge protection.
Enable purge protection for your key vault
Pre-requisites
- Azure Subscription
- Azure CLI and/or Azure Powershell
- A Key vault
- A user with subscription permissions that include these scopes:
Microsoft.KeyVault/locations/deletedVaults/read
Microsoft.KeyVault/locations/deletedVaults/purge/action
Microsoft.KeyVault/locations/operationResults/read
As well as the Key Vault Contributor role, to be able to recover a soft-deleted vault.
Verify whether the key vault has soft-delete enabled
az keyvault show --subscription <sub-id> -g <rgname> -n <name of key vault>
You want to look for:
"enableSoftDelete": true,
and:
"softDeleteRetentionInDays": 90,
This means I have soft-delete enabled and a retention of 90 days. If not, i.e. if it is an older vault where soft-delete was not enabled by default, you can update it to use soft-delete:
az keyvault update --subscription <sub-id> -g <rgname> -n <name of key vault> --enable-soft-delete true
Finally, if you want to add the additional layer of security that comes with purge protection, you can run this command in the Azure CLI:
az keyvault update --subscription <sub-id> -g <rgname> -n <name of key vault> --enable-purge-protection true
Now if you run the previous show command you should see:
"enablePurgeProtection": true,
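The check-then-fix procedure above can be scripted so that the vault's state is read once and only the missing settings are applied. The following is an added example, not code from the original post: it reads the JSON that az keyvault show returns, reports the retention period, and prints (without executing) the update commands that are still needed. The vault name example-kv and the two JSON samples are constructed for the demonstration; only audit_live talks to Azure and it assumes an authenticated Azure CLI.

```shell
#!/bin/sh
# Added example: audit a key vault's soft-delete / purge-protection state from
# the JSON that `az keyvault show` returns and print the remaining remediation
# commands. Only audit_live calls `az`; everything else runs offline on the
# constructed samples below so the logic can be checked first.

# Constructed sample of `az keyvault show` output, trimmed to the relevant
# properties (not captured from a real vault). "enablePurgeProtection" is
# reported as null (or omitted) when purge protection was never turned on.
SAMPLE_VAULT_JSON='{
  "name": "example-kv",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "softDeleteRetentionInDays": 90
  }
}'

# The same constructed vault after both settings have been applied.
HARDENED_VAULT_JSON='{
  "name": "example-kv",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "softDeleteRetentionInDays": 90
  }
}'

# json_value JSON KEY: print the bare (unquoted) value of "KEY": value, i.e.
# true/false/null or a number. Enough for these flags; not a general JSON parser.
json_value() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([A-Za-z0-9]*\).*/\1/p" | head -n 1
}

# purge_protected JSON: succeed only if purge protection is explicitly true.
# null, false and a missing key all count as "not protected".
purge_protected() {
  [ "$(json_value "$1" enablePurgeProtection)" = "true" ]
}

# plan_remediation JSON SUBSCRIPTION RESOURCE_GROUP VAULT_NAME:
# print the az commands still required. Nothing is executed here; review the
# output and run it deliberately.
plan_remediation() {
  json="$1"; sub="$2"; rg="$3"; kv="$4"
  if [ "$(json_value "$json" enableSoftDelete)" != "true" ]; then
    echo "az keyvault update --subscription $sub -g $rg -n $kv --enable-soft-delete true"
  fi
  if ! purge_protected "$json"; then
    echo "az keyvault update --subscription $sub -g $rg -n $kv --enable-purge-protection true"
  fi
}

# audit_live SUBSCRIPTION RESOURCE_GROUP VAULT_NAME: fetch the real state with
# the Azure CLI (requires a prior `az login`) and plan against it.
audit_live() {
  live_json=$(az keyvault show --subscription "$1" -g "$2" -n "$3") || return 1
  echo "Soft-delete retention (days): $(json_value "$live_json" softDeleteRetentionInDays)"
  plan_remediation "$live_json" "$1" "$2" "$3"
}

# Stand-alone run: show what the constructed sample vault still needs.
echo "Remediation needed for sample vault:"
plan_remediation "$SAMPLE_VAULT_JSON" "<sub-id>" "<rgname>" "example-kv"
```

For the sample vault the plan contains only the purge-protection command, because soft-delete is already on; for the hardened sample it prints nothing. The plan is printed rather than executed on purpose: enabling purge protection is a one-way change (once it is on it cannot be turned off again), so the command should be run knowingly rather than as a side effect of an audit.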
Conclusion
Purge protection can today only be activated through the Azure CLI or Azure PowerShell. You can use Defender for Cloud and Azure Policy with the auditIfNotExists effect to identify key vaults in your environment that do not have purge protection enabled.
This is not a costly feature either. Any purge or recover actions count towards your regular key vault bill, as they would anyway with soft-delete enabled.