Soft-delete & purge protection with Azure Keyvault

Introduction

Soft-delete is a feature that lets you restore a vault, or a vault object such as a key, secret or certificate, after it has been deleted. How long items remain in the soft-deleted state is a configurable setting with a range of 7 to 90 days.

In short: soft-delete retains deleted items for a configurable period of at most 90 days, during which they can be restored before being permanently deleted.

Soft-delete is enabled by default on new key vaults and cannot be disabled, so you do not have to worry about it for any new key vaults you provision.

In addition to soft-delete there is purge protection. It is not enabled by default and can only be enabled when soft-delete is already configured on the key vault.

Purge protection prohibits users from manually and permanently deleting any vault or vault item that is in a soft-deleted state. Purge protection is recommended when keys are used for encryption, to prevent data loss; for example, when using Azure Disk Encryption and the vault holds the keys.

For more information about Azure Disk Encryption you can read my other post about that here.

The result is that a malicious user cannot access the vault, delete all the keys and then permanently purge them from the soft-deleted state, because you have configured purge protection.

Enable purge protection for your key vault

Pre-requisites

  1. Azure Subscription
  2. Azure CLI and/or Azure PowerShell
  3. A key vault
  4. A user with subscription permissions that include these scopes:
     Microsoft.KeyVault/locations/deletedVaults/read
     Microsoft.KeyVault/locations/deletedVaults/purge/action
     Microsoft.KeyVault/locations/operationResults/read

As well as the Key Vault Contributor role to be able to recover a soft-deleted vault.

Verify if key vault has soft-delete enabled

az keyvault show --subscription <sub-id> -g <rgname> -n <name of key vault>

You want to look for:

"enableSoftDelete": true,

and:

"softDeleteRetentionInDays": 90,

This output means the vault has soft-delete enabled with a retention of 90 days. If it is an older vault where soft-delete was not enabled by default, you can update it to enable soft-delete:

az keyvault update --subscription <sub-id> -g <rgname> -n <name of key vault> --enable-soft-delete true

Finally, if you want to add the additional layer of protection that comes with purge protection, you can run this command in Azure CLI:

az keyvault update --subscription <sub-id> -g <rgname> -n <name of key vault> --enable-purge-protection true

Now if you run the previous show command you should see:

"enablePurgeProtection": true,
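
To turn the checks above into something repeatable, here is an added example (not code from the original post) that evaluates the three settings shown by the show command for every vault in a resource group and prints the matching update command from this post where a setting is missing. It assumes the Azure CLI is installed and logged in; the subscription id, resource group and vault names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original post: audit key vaults for soft-delete and
# purge protection and print the remediation command where one of them is missing.
# Assumes Azure CLI is installed and logged in; <sub-id>, <rgname> and vault names
# are placeholders supplied by the caller.

# evaluate_vault NAME SOFT_DELETE RETENTION PURGE_PROTECTION
# Arguments are the raw strings that `az keyvault show ... -o tsv` prints.
# Exit status: 0 = soft-delete and purge protection both on,
#              1 = soft-delete on but purge protection off,
#              2 = soft-delete off (legacy vault; it must be enabled first).
evaluate_vault() {
  name=$1; soft=$2; retention=$3; purge=$4
  case "$soft" in
    true|True) ;;
    *) printf '%s: soft-delete is NOT enabled\n' "$name"; return 2 ;;
  esac
  case "$purge" in
    true|True)
      printf '%s: soft-delete on (%s days), purge protection on\n' "$name" "$retention"
      return 0 ;;
    *)
      printf '%s: soft-delete on (%s days), purge protection OFF\n' "$name" "$retention"
      return 1 ;;
  esac
}

# audit_resource_group SUB_ID RG_NAME: the online part; walks every vault in the group.
audit_resource_group() {
  sub=$1; rg=$2
  az keyvault list --subscription "$sub" -g "$rg" --query "[].name" -o tsv |
  while read -r vault; do
    # One tab-separated line: enableSoftDelete, softDeleteRetentionInDays, enablePurgeProtection
    state=$(az keyvault show --subscription "$sub" -g "$rg" -n "$vault" -o tsv \
      --query "[properties.enableSoftDelete, properties.softDeleteRetentionInDays, properties.enablePurgeProtection]")
    rc=0
    evaluate_vault "$vault" "$(printf '%s' "$state" | cut -f1)" \
      "$(printf '%s' "$state" | cut -f2)" "$(printf '%s' "$state" | cut -f3)" || rc=$?
    case $rc in
      2) echo "  fix: az keyvault update --subscription $sub -g $rg -n $vault --enable-soft-delete true" ;;
      1) echo "  fix: az keyvault update --subscription $sub -g $rg -n $vault --enable-purge-protection true" ;;
    esac
  done
}

# Usage (placeholders): audit_resource_group <sub-id> <rgname>
```

Keep in mind that purge protection, once enabled, cannot be turned off again, so the second fix is a one-way change.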

Conclusion

Purge protection can only be activated today through the Azure CLI or Azure PowerShell. You can use Defender for Cloud and Azure Policy with the auditIfNotExists effect to identify key vaults in your environment that do not have purge protection enabled.

This is not a costly feature either: any purge or recover actions count towards your regular key vault bill, as they would anyway with soft-delete enabled.
