Azure Key Vaults Made Safer: How to Enable Soft-Delete and Purge Protection

Azure Key Vaults are a critical service for securely storing and managing sensitive information like secrets, keys, and certificates.

However, ensuring these assets remain protected against accidental or malicious deletion is equally important. That’s where Soft-Delete and Purge Protection come into play.

These features provide safeguards for your Key Vaults, ensuring you can recover deleted key vaults.

Understanding Soft-Delete and Purge Protection

Soft-Delete

Soft-Delete ensures that deleted items in a Key Vault, such as keys, secrets, or certificates, are recoverable for a retention period (by default for 90 days). This acts as a safeguard against accidental deletions or configuration errors.

Since 2019, Microsoft has enabled Soft-Delete by default for all newly created Azure Key Vaults, but it may still be disabled on older Key Vaults.

Purge Protection

Purge Protection builds upon Soft-Delete by preventing the permanent deletion (purging) of Key Vaults or their contents during the retention period. Even a user or process with high-level permissions cannot purge data while this feature is enabled. This makes it a vital defence against both intentional and unintentional destructive actions.

Unlike Soft-Delete, this option is not on by default: it must be enabled explicitly on each Key Vault.

Why You Should Enable These Features

1. Compliance with Security Standards

Enabling Soft-Delete and Purge Protection helps you align with industry security standards and regulations like ISO 27001, GDPR, and others. These measures demonstrate due diligence in protecting sensitive data.

2. Risk Mitigation

Accidents happen. Whether due to misconfigured scripts, unintentional clicks, or even insider threats, the risk of deletion is ever-present.

These risks are significantly mitigated by ensuring that the available protections are in place.

3. Seamless Recovery

Recovering a mistakenly deleted secret, key, or certificate is straightforward with Soft-Delete enabled. Without it, data loss could result in significant operational downtime or the need to redeploy applications and secrets.

How to Enable Soft-Delete and Purge Protection

1. Using Azure Portal

For a visual and user-friendly approach, you can enable these features directly in the Azure Portal.

Steps:

  1. Navigate to the Key Vault in the Azure Portal.
  2. Under Settings, go to Properties.
  3. Enable both Soft Delete and Purge Protection.
  4. Save your changes.

This method is ideal for small-scale deployments or environments where manual configuration is sufficient.

2. Using Azure CLI

The Azure CLI provides a quick method to enable these features from the command line.

az keyvault update --name <KeyVaultName> --resource-group <ResourceGroup> --enable-purge-protection true --enable-soft-delete true

This is useful for administrators who prefer scripting over using the Azure Portal.

3. Using PowerShell (for Bulk Updates)

For organizations managing multiple Key Vaults across different subscriptions or resource groups, automating the process with PowerShell is likely the most efficient method.

The script below shows one way of enabling the features across every subscription and Key Vault the account can see; you will likely want to adapt it to limit the change to non-development environments.

Connect-AzAccount

$subscriptions = Get-AzSubscription

foreach ($subscription in $subscriptions) {
    # Switch the session to this subscription
    Set-AzContext -SubscriptionId $subscription.Id -WarningAction SilentlyContinue | Out-Null

    # Get all Key Vaults in the subscription (across every resource group)
    $keyVaults = Get-AzKeyVault

    foreach ($keyVault in $keyVaults) {
        Write-Output "Processing Key Vault: $($keyVault.VaultName)"

        ## Enable Soft-delete and Purge Protection by setting the ARM properties directly
        $resource = Get-AzResource -ResourceId $keyVault.ResourceId

        # -Force overwrites the property if the vault already exposes it, instead of erroring
        $resource.Properties | Add-Member -MemberType NoteProperty -Name "enableSoftDelete" -Value $true -Force
        $resource.Properties | Add-Member -MemberType NoteProperty -Name "enablePurgeProtection" -Value $true -Force

        Set-AzResource -ResourceId $resource.ResourceId -Properties $resource.Properties -Force -Verbose
    }
}
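As an added example that is not part of the original post, the function below takes the same bulk approach but restricts it in the way the text above suggests: it skips vaults carrying a development tag, leaves vaults that are already protected alone, and honours -WhatIf so the change can be previewed before it is applied. It relies on Update-AzKeyVault from the Az.KeyVault module rather than editing the ARM properties directly. The function name and the tag convention (environment = dev) are assumptions; adjust them to your own. Purge Protection cannot be disabled again once it is on, which is why the preview step matters.

```powershell
# Added example (not from the original post): enable Purge Protection on the Key Vaults
# of the current subscription, skipping vaults tagged as development.
# Assumes the Az.KeyVault module and an existing Connect-AzAccount session.
# The tag name/value ("environment" = "dev") and the function name are assumptions.

function Enable-KeyVaultProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Vault objects as returned by Get-AzKeyVault (list form)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Vault,

        # Vaults carrying this tag value are left untouched
        [string] $ExcludeTagName  = 'environment',
        [string] $ExcludeTagValue = 'dev'
    )

    process {
        foreach ($item in $Vault) {
            # The list form omits the protection flags; fetch the vault to get its full properties
            $full = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

            $tagValue = $null
            if ($full.Tags) { $tagValue = $full.Tags[$ExcludeTagName] }
            if ($tagValue -eq $ExcludeTagValue) {
                Write-Verbose "Skipping $($full.VaultName): tagged $ExcludeTagName=$ExcludeTagValue"
                continue
            }

            if ($full.EnableSoftDelete -ne $true) {
                # Update-AzKeyVault only exposes purge protection; soft-delete is set via the ARM property approach
                Write-Warning "$($full.VaultName): soft-delete is off; enable it first (see the bulk script above)"
            }

            if ($full.EnablePurgeProtection -eq $true) {
                Write-Verbose "$($full.VaultName) already has purge protection; nothing to do"
                continue
            }

            # Purge protection is irreversible, so go through ShouldProcess (-WhatIf / -Confirm)
            if ($PSCmdlet.ShouldProcess($full.VaultName, 'Enable purge protection (cannot be undone)')) {
                Update-AzKeyVault -VaultName $full.VaultName -ResourceGroupName $full.ResourceGroupName -EnablePurgeProtection
            }
        }
    }
}

# Usage: preview first, then run without -WhatIf to apply
Get-AzKeyVault | Enable-KeyVaultProtection -WhatIf -Verbose
# Get-AzKeyVault | Enable-KeyVaultProtection -Verbose
```

To cover several subscriptions, wrap the usage line in the same Get-AzSubscription / Set-AzContext loop as the script above; the function itself only ever touches the vaults piped into it.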

Validation

After enabling these features, it’s essential to validate that they are correctly configured.

1. Using the Azure Portal

In the Properties section of each Key Vault, verify that Soft Delete and Purge Protection are enabled.

(Screenshot: an example showing Purge Protection enabled in the Key Vault's Properties pane.)

2. Using PowerShell

Run the following command to confirm the settings:

Get-AzKeyVault -VaultName <KeyVaultName> | Select-Object VaultName, EnableSoftDelete, EnablePurgeProtection
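The one-vault check above does not scale to an estate of many subscriptions. The script below, an added example rather than code from the original post, walks every subscription the signed-in account can see, records each vault's Soft Delete and Purge Protection flags in a CSV, and returns the vaults that fail either check so they can be fed into a remediation step. It also lists any vaults currently sitting in the soft-deleted state, which are recoverable until their scheduled purge date. It assumes the Az.Accounts and Az.KeyVault modules and an existing Connect-AzAccount session; the function name and the output path are assumptions.

```powershell
# Added example (not from the original post): audit Key Vault protection settings across
# all subscriptions and write the results to CSV.
# Assumes Az.Accounts, Az.KeyVault and an existing Connect-AzAccount session.
# The function name and default output path are assumptions.

function Get-KeyVaultProtectionReport {
    param(
        [string] $OutFile = '.\keyvault-protection-report.csv'   # assumed path
    )

    $report = foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id -WarningAction SilentlyContinue | Out-Null

        foreach ($item in Get-AzKeyVault) {
            # The list form omits the protection flags; fetch each vault for its full properties
            $v = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

            $softDelete = [bool]$v.EnableSoftDelete
            $purge      = [bool]$v.EnablePurgeProtection

            [pscustomobject]@{
                Subscription    = $sub.Name
                ResourceGroup   = $v.ResourceGroupName
                VaultName       = $v.VaultName
                SoftDelete      = $softDelete
                PurgeProtection = $purge
                RetentionDays   = $v.SoftDeleteRetentionInDays
                Compliant       = ($softDelete -and $purge)
            }
        }
    }

    # Full record of every vault, compliant or not, for evidence
    $report | Export-Csv -Path $OutFile -NoTypeInformation

    # Return only the vaults needing attention so the caller can act on them
    $report | Where-Object { -not $_.Compliant }
}

$noncompliant = Get-KeyVaultProtectionReport
$noncompliant | Format-Table Subscription, ResourceGroup, VaultName, SoftDelete, PurgeProtection -AutoSize

# Vaults already in the soft-deleted state in the current subscription; these can be
# restored with Undo-AzKeyVaultRemoval until ScheduledPurgeDate passes
Get-AzKeyVault -InRemovedState | Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate
```

The non-compliant list is the useful output for operations: an empty list is the evidence that the controls described earlier are in place, and a non-empty one is the input to the bulk-update script.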

Conclusion

By enabling these features, you enhance the security and reliability of your Azure environment, ensuring your critical secrets, keys, and certificates are always protected.
