Azure Key Vault recover keys, secrets and certificates

Enable Soft-delete for Key Vault to be able to recover from disaster, recover keys, secrets, certificates or the whole Key Vault on accedental deletion.

Dca4x9OXUAADmh8Last week we had an incident in which we had deleted the wrong secret from our Azure Key Vault. After some research we found that it could have been recovered if we had used the Soft-delete in Key Vault. However, we did not know about this option and could not recover the item.

Soft-delete is an optional Key Vault behavior and is not enabled by default in this release.

In this blog post I’ll show how to enable Soft-delete and how to recover the deleted items.

Soft-delete
Soft-delete will give you support for recoverable deletion of key vault objects; keys, secrets, and, certificates in you Key Vault. You can recover the key vault itself (when deleted) or deleted resources in the Key Vault. It is just an extra protection besides the locks you can already make to prevent accidental deletion.

Deployment: ARM Templates
When deploying a Key Vault with a ARM template, you can add the property enableSoftDelete in properties to enable Soft-delete.

  "resources": [
    {
      "apiVersion": "2015-06-01",
      "name": "[variables('vaultName')]",
      "location": "[resourcegroup().location]",
      "type": "Microsoft.KeyVault/vaults",
      "properties": {
        "enableSoftDelete": "true",
        ....

Deployment: Powershell
When using Powershell as deployment tool, you can add the option on creation:

New-AzureRmKeyVault -VaultName "ContosoVault" -ResourceGroupName "ContosoRG" -Location "westus" -EnableSoftDelete

or you can enable it on an existing Key Vault with:

($resource = Get-AzureRmResource -ResourceId (Get-AzureRmKeyVault -VaultName "ContosoVault").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
Set-AzureRmResource -resourceid $resource.ResourceId -Properties $resource.Properties

Deployment: CLI
You also can enable the option with the CLI:

az keyvault create --name ContosoVault --resource-group ContosoRG --enable-soft-delete true --location westus

or you can enable it on an existing Key Vault with:

az resource update --id $(az keyvault show --name ContosoVault -o tsv | awk '{print $1}') --set properties.enableSoftDelete=true

Powershell
If you have deleted your Key Vault that had Soft-delete enabled, you can list the deleted Key Vaults by:

Get-AzureRmKeyVault -InRemovedStateVault

To recover the Key Vault:

Undo-AzureRmKeyVaultRemoval -VaultName ContosoVault -ResourceGroupName ContosoRG -Location westus

The procedure for keys, secrets and certificates is almost the same:

Get-AzureKeyVaultKey -VaultName ContosoVault -InRemovedState
Undo-AzureKeyVaultKeyRemoval -VaultName ContosoVault -Name ContosoFirstKey
Get-AzureKeyVaultSecret -VaultName ContosoVault -InRemovedState
Undo-AzureKeyVaultSecretRemoval -VaultName ContosoVault -Name SQLPassword
Get-AzureKeyVaultCertificate -VaultName ContosoVault -InRemovedState
Undo-AzureKeyVaultCertificateRemoval -VaultName ContosoVault -Name MyCertificate

For permanent deletion, you can use the option ‘-InRemovedState’ to remove a Key Vault, keys or secrets that were already soft deleted.

Remove-AzureRmKeyVault -VaultName ContosoVault -InRemovedState -Location westus
Remove-AzureKeyVaultKey -VaultName ContosoVault -Name ContosoFirstKey -InRemovedState
Remove-AzureKeyVaultSecret -VaultName ContosoVault -InRemovedState -name SQLPassword
Remove-AzureKeyVaultCertificate -VaultName ContosoVault -InRemovedState -name MyCertificate

CLI
If you have deleted your Key Vault that had Soft-delete enabled, you can list the deleted Key Vaults by:

az keyvault list-deleted

To recover the Key Vault:

az keyvault recover --location westus --name ContosoVault

The procedure for keys, secrets and certificates is almost the same:

az keyvault key list-deleted --vault-name ContosoVault
az keyvault key recover --name ContosoFirstKey --vault-name ContosoVault
az keyvault secret list-deleted --vault-name ContosoVault
az keyvault secret recover --name SQLPassword --vault-name ContosoVault
az keyvault certificate list-deleted --vault-name ContosoVault
az keyvault certificate recover --name MyCertificate --vault-name ContosoVault

For permanent deletion, you can use the option ‘purge’ to remove a Key Vault, keys or secrets that is already soft deleted.

az keyvault purge --location westus --name ContosoVault
az keyvault key purge --name ContosoFirstKey --vault-name ContosoVault
az keyvault secret purge --name SQLPAssword --vault-name ContosoVault
az keyvault certificate purge --name MyCertificate --vault-name ContosoVault

Finally
When deleting an object on a Key Vault that has Soft-delete enabled, the object is retained for 90 days. That is probably long enough in most scenarios, to allow recovery. If we had this option enabled, we would have saved a lot of time on redeployment of our resources. A simple CLI or Powershell statement would have saved our day.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.