Important
You must enable soft-delete on your key vaults now. The ability to opt out of soft-delete is deprecated and will be removed in February 2025; see the full details in the linked announcement.
Important
When a key vault is soft-deleted, resources that are integrated with it are deleted as well, for example Azure RBAC role assignments on the vault and Event Grid subscriptions. Recovering the soft-deleted key vault does not restore them; they must be recreated.
Key Vault's soft-delete feature allows recovery of deleted vaults and deleted key vault objects (for example, keys, secrets, certificates). This safeguard offers the following protections:
- Once a secret, key, certificate, or key vault is deleted, it will remain recoverable for a configurable period of 7 to 90 calendar days. If no configuration is specified the default recovery period will be set to 90 days. This provides users with sufficient time to notice an accidental secret deletion and respond.
- Two operations are required to permanently delete a secret. First a user must delete the object, which puts it into the soft-deleted state. Second, a user must purge the object from the soft-deleted state. The purge operation requires an additional permission. Together these protections reduce the risk of a user accidentally or maliciously destroying a secret or a key vault.
- To purge a secret in the soft-deleted state, a principal (user, group, or service principal) must be granted the separate "purge" permission: in the access policy model this is the purge access policy permission, and in the Azure RBAC model it is the purge data action for that object type. The purge permission is not granted by default to any principal, including key vault and subscription owners, and must be deliberately assigned. Requiring a distinct, elevated permission to purge a soft-deleted secret reduces the probability of a secret being destroyed by mistake.
Supporting interfaces
The soft-delete feature is available through the REST API, the Azure CLI, Azure PowerShell, and .NET/C# interfaces, as well as ARM templates.
Scenarios
Azure Key Vaults are tracked resources, managed by Azure Resource Manager. Azure Resource Manager also specifies a well-defined behavior for deletion, which requires that a successful DELETE operation must result in that resource not being accessible anymore. The soft-delete feature addresses the recovery of the deleted object, whether the deletion was accidental or intentional.
In the typical scenario, a user may have inadvertently deleted a key vault or a key vault object; if that key vault or key vault object were to be recoverable for a predetermined period, the user may undo the deletion and recover their data.
In a different scenario, a rogue user may attempt to delete a key vault or a key vault object, such as a key inside a vault, to cause a business disruption. Separating the deletion of the key vault or key vault object from the actual destruction of the underlying data can be used as a safety measure by, for instance, restricting the purge permission to a different, trusted role. This approach effectively requires two separately authorized actions for an operation that would otherwise result in immediate data loss.
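The rogue-user scenario above is only mitigated if someone notices the deletion inside the retention window. The following detection script is an added example for this article, not Microsoft's code: it reads Key Vault AuditEvent diagnostic log lines and raises alerts for purges (successful or denied), whole-vault deletions, deletions by principals outside an allowlist, and bursts of deletions by one principal. The field names (time, operationName, resultSignature, callerIpAddress, identity.claim.upn/appid/oid, resourceId) follow the documented AuditEvent schema, the operationName values (SecretDelete, KeyPurge, VaultDelete, and so on) and the meaning of resultSignature "OK" are assumptions taken from that schema, and the log lines, allowlist and thresholds are constructed.

```python
"""Flag destructive Azure Key Vault operations in AuditEvent diagnostic logs.

Added example for this article, not Microsoft's code. Field names follow the
documented Key Vault AuditEvent schema; the operationName values and the
"OK" result signature are assumed from it. Log lines, allowlist and
thresholds below are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Principals that are expected to soft-delete objects (e.g. a rotation job).
ALLOWED_DELETERS = {"rotation-job@contoso.example"}
BURST_COUNT = 3                       # deletes by one principal ...
BURST_WINDOW = timedelta(minutes=5)   # ... inside this window => mass deletion


def principal_of(event: dict) -> str:
    """Best available caller identity: user UPN, else app id, else object id."""
    claim = event.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or claim.get("oid") or "unknown"


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect(lines) -> list[dict]:
    """Return alerts for purges, vault deletion, unexpected and burst deletes."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: parse_time(e["time"]))
    alerts = []
    recent_deletes = defaultdict(list)   # principal -> timestamps of deletes

    def alert(event, severity, reason):
        alerts.append({
            "time": event["time"], "severity": severity, "reason": reason,
            "principal": principal_of(event), "operation": event["operationName"],
            "ip": event.get("callerIpAddress"), "resource": event.get("resourceId"),
        })

    for e in events:
        op = e.get("operationName", "")
        succeeded = e.get("resultSignature") == "OK"   # assumption: "OK" = HTTP 200
        who = principal_of(e)

        if op.endswith("Purge"):
            # Purge is the irreversible step; even a denied attempt deserves a look.
            alert(e, "high" if succeeded else "medium",
                  "irreversible purge" if succeeded else "purge attempt denied")
        elif op.endswith("Delete") and succeeded:
            if op == "VaultDelete":
                alert(e, "high", "whole vault soft-deleted; RBAC assignments and "
                                 "Event Grid subscriptions are not restored by recovery")
            elif who not in ALLOWED_DELETERS:
                alert(e, "medium", "delete by principal outside the allowlist")
            ts = parse_time(e["time"])
            window = [t for t in recent_deletes[who] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent_deletes[who] = window
            if len(window) == BURST_COUNT:   # fire once when the threshold is hit
                alert(e, "high", f"{BURST_COUNT} deletes within {BURST_WINDOW}")
        # *Recover operations are the expected remediation and are not alerted.
    return alerts


def _event(time, op, upn, sig="OK"):
    """Build one constructed AuditEvent log line (JSON-lines format)."""
    return json.dumps({
        "time": time, "category": "AuditEvent", "operationName": op,
        "resultSignature": sig, "callerIpAddress": "203.0.113.7",
        "identity": {"claim": {"upn": upn}},
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod",
    })


SAMPLE_LOG_LINES = [   # constructed sample, not real telemetry
    _event("2024-05-01T10:00:00Z", "SecretGet", "alice@contoso.example"),
    _event("2024-05-01T10:01:00Z", "SecretDelete", "rotation-job@contoso.example"),
    _event("2024-05-01T10:02:00Z", "SecretDelete", "mallory@contoso.example"),
    _event("2024-05-01T10:02:30Z", "KeyDelete", "mallory@contoso.example"),
    _event("2024-05-01T10:03:00Z", "CertificateDelete", "mallory@contoso.example"),
    _event("2024-05-01T10:04:00Z", "KeyPurge", "mallory@contoso.example", sig="Forbidden"),
    _event("2024-05-01T10:05:00Z", "SecretRecover", "alice@contoso.example"),
    _event("2024-05-01T10:06:00Z", "VaultDelete", "mallory@contoso.example"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG_LINES):
        print(f'{a["time"]} {a["severity"]:6} {a["principal"]:26} {a["operation"]:18} {a["reason"]}')
```

On the constructed sample the script produces six alerts, all attributable to the same principal: three allowlist violations, one burst alert, one denied purge and one vault deletion. In production the same logic belongs in the log pipeline that receives the vault's diagnostic settings (a Log Analytics workspace or an event hub) so that the alert arrives well inside the retention window, while there is still something to recover.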
Soft-delete behavior
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
When creating a new key vault, soft-delete is on by default. Once soft-delete is enabled on a key vault it cannot be disabled.
The default retention period is 90 days, but during key vault creation it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal, the CLI (--retention-days), PowerShell, or a template. The purge protection retention policy uses the same interval. Once set, the retention policy interval cannot be changed.
You cannot reuse the name of a key vault that has been soft-deleted until the retention period has passed.
Purge protection
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled, and it can be turned on via the portal, the CLI (--enable-purge-protection), or PowerShell. Once enabled it cannot be turned off. Purge protection is recommended when using keys for encryption, because purging a key encryption key makes the data it protects unrecoverable. Most Azure services that integrate with Azure Key Vault, such as Storage, require purge protection for this reason.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed, not even by a principal holding the purge permission. Soft-deleted vaults and objects can still be recovered, so the retention policy is always honored.
The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days at creation time. Once the retention policy interval is set and saved, it cannot be changed for that vault.
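Because the retention interval is fixed at creation and purge protection is a one-way switch, the useful check is an inventory audit rather than an in-place fix. The script below is an added example for this article, not Microsoft's code: it consumes vault records in the shape printed by az keyvault list -o json and reports vaults with soft-delete off, purge protection off, or a retention interval below an organizational minimum. The property names enableSoftDelete, softDeleteRetentionInDays and enablePurgeProtection are taken from the ARM resource schema and should be verified against your own az keyvault show output; the --enable-soft-delete remediation flag is an assumption to check against your CLI version; the sample vaults are constructed.

```python
"""Audit Azure Key Vault soft-delete and purge-protection settings.

Added example for this article, not Microsoft's code. Input records follow
the shape of `az keyvault list -o json`; the property names are taken from
the ARM schema (verify against `az keyvault show`), the remediation commands
are illustrative, and the sample vaults are constructed.
"""
import json
import sys
from dataclasses import dataclass

MIN_RETENTION_DAYS = 7       # smallest retention the service accepts
MAX_RETENTION_DAYS = 90      # largest retention; also the service default
DEFAULT_RETENTION_DAYS = 90  # applies when the property is absent


@dataclass(frozen=True)
class Finding:
    vault: str
    severity: str   # "high" or "medium"
    message: str
    remediation: str


def effective_retention_days(props: dict) -> int:
    """Retention in force for a vault; an absent property means the 90-day default."""
    days = props.get("softDeleteRetentionInDays")
    return DEFAULT_RETENTION_DAYS if days is None else int(days)


def audit_vault(vault: dict, policy_min_days: int = 90) -> list[Finding]:
    """Findings for one vault record ({"name": ..., "properties": {...}})."""
    name = vault["name"]
    props = vault.get("properties") or {}
    findings: list[Finding] = []

    if props.get("enableSoftDelete") is not True:
        findings.append(Finding(
            name, "high",
            "soft-delete is off: a deleted vault or object cannot be recovered",
            # enabling is one-way; the flag is assumed, check your CLI version
            f"az keyvault update --name {name} --enable-soft-delete true"))

    if props.get("enablePurgeProtection") is not True:
        findings.append(Finding(
            name, "high",
            "purge protection is off: a principal holding the purge permission "
            "can permanently delete soft-deleted objects before retention ends",
            f"az keyvault update --name {name} --enable-purge-protection true"))

    days = effective_retention_days(props)
    if not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
        findings.append(Finding(
            name, "high",
            f"softDeleteRetentionInDays={days} is outside the valid 7..90 range",
            f"az keyvault show --name {name}  # inspect the raw properties"))
    elif days < policy_min_days:
        findings.append(Finding(
            name, "medium",
            f"retention is {days} days, below the policy minimum of "
            f"{policy_min_days}; the interval cannot be changed after creation",
            f"recreate: az keyvault create --name <new-name> --resource-group <rg> "
            f"--retention-days {policy_min_days} --enable-purge-protection true"))
    return findings


def audit_vaults(vaults, policy_min_days: int = 90) -> dict[str, list[Finding]]:
    """Map each vault name to its findings (an empty list means compliant)."""
    return {v["name"]: audit_vault(v, policy_min_days) for v in vaults}


SAMPLE_VAULTS = [  # constructed, not real CLI output
    {"name": "kv-prod", "properties": {"enableSoftDelete": True,
     "softDeleteRetentionInDays": 90, "enablePurgeProtection": True}},
    {"name": "kv-dev", "properties": {"enableSoftDelete": True,
     "softDeleteRetentionInDays": 7, "enablePurgeProtection": False}},
    {"name": "kv-legacy", "properties": {"enableSoftDelete": False}},
]

if __name__ == "__main__":
    # Real data:  az keyvault list -o json | python kv_audit.py
    vaults = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_VAULTS
    for name, findings in audit_vaults(vaults).items():
        for f in findings:
            print(f"{f.severity:6} {name}: {f.message}\n       fix: {f.remediation}")
```

Note the asymmetry the findings encode: purge protection can be switched on in place, whereas a short retention interval can only be corrected by creating a new vault, so the second is reported at lower severity with a recreation hint rather than an update command.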
Permitted purge
Permanently deleting (purging) a key vault is possible via a POST operation on the proxy resource and requires special privileges: the Microsoft.KeyVault/locations/deletedVaults/purge/action permission, which by default only the subscription owner holds. The POST operation triggers the immediate and irrecoverable deletion of that vault.
Exceptions are:
- When the Azure subscription has been marked as undeletable. In this case, only the service may perform the actual deletion, and does so as a scheduled process.
- When purge protection (the --enable-purge-protection argument) is enabled on the vault itself. In this case, Key Vault refuses the purge and waits for the retention period (90 days by default) from when the object was marked for deletion before permanently deleting it.
For steps, see How to use Key Vault soft-delete with CLI: Purging a key vault or How to use Key Vault soft-delete with PowerShell: Purging a key vault.
Key vault recovery
Upon deleting a key vault, the service creates a proxy resource under the subscription, adding sufficient metadata for recovery. The proxy resource is a stored object, available in the same location as the deleted key vault.
Key vault object recovery
Upon deleting a key vault object, such as a key, the service places the object in a deleted state, making it inaccessible to any retrieval operations. While in this state, the object can only be listed, recovered, or forcefully/permanently deleted. To view deleted keys, use the Azure CLI command az keyvault key list-deleted --vault-name <vault> (as documented in How to use Key Vault soft-delete with CLI) or the Azure PowerShell command Get-AzKeyVaultKey -VaultName <vault> -InRemovedState (as described in How to use Key Vault soft-delete with PowerShell). Deleted vaults themselves are listed with az keyvault list-deleted or Get-AzKeyVault -InRemovedState.
At the same time, Key Vault will schedule the deletion of the underlying data corresponding to the deleted key vault or key vault object for execution after a predetermined retention interval. The DNS record corresponding to the vault is also retained for the duration of the retention interval.
Soft-delete retention period
Soft-deleted resources are retained for the vault's retention period (90 days by default). During the soft-delete retention interval, the following apply:
- You may list all of the key vaults and key vault objects in the soft-delete state for your subscription as well as access deletion and recovery information about them.
- Only users with special permissions can list deleted vaults. We recommend creating a custom role that holds these permissions for handling deleted vaults.
- A key vault with the same name cannot be created in the same location; correspondingly, a key vault object cannot be created in a given vault if that key vault contains an object with the same name and which is in a deleted state.
- Only a specifically privileged user may restore a key vault or key vault object by issuing a recover command on the corresponding proxy resource.
- A member of that custom role who also has the privilege to create a key vault in the resource group can restore the vault.
- Only a specifically privileged user may forcibly delete a key vault or key vault object by issuing a delete command on the corresponding proxy resource.
Unless a key vault or key vault object is recovered, at the end of the retention interval the service performs a purge of the soft-deleted key vault or key vault object and its content. Resource deletion may not be rescheduled.
Billing implications
In general, when an object (a key vault, a key, or a secret) is in the deleted state, only two operations are possible: 'purge' and 'recover'. All other operations fail. Therefore, even though the object exists, no operations can be performed against it, no usage occurs, and nothing is billed. There are the following exceptions:
- 'purge' and 'recover' actions count as normal key vault operations and are billed.
- If the object is an HSM key, the 'HSM Protected key' charge per key version per month still applies if that key version was used in the last 30 days. After that, since the object is in the deleted state and no operations can be performed against it, no charge applies.
Next steps
The following three guides offer the primary usage scenarios for using soft-delete.
- How to use Key Vault soft-delete with Portal
- How to use Key Vault soft-delete with PowerShell
- How to use Key Vault soft-delete with CLI
FAQs
How do I permanently delete a soft-deleted key vault or key vault object?
To purge a soft-deleted key, secret, or certificate:
- Sign in to the Azure portal.
- Select your key vault.
- Select the blade for the object type you want to manage (keys, secrets, or certificates).
- At the top of the screen, select Manage deleted keys, secrets, or certificates.
- Select one or more deleted objects and click Purge.
To purge a soft-deleted key vault, open the Key vaults list, select Manage deleted resources from the menu, choose the subscription in the dropdown list to locate the deleted vault, select one or more deleted vaults, and click Purge. Purge requires the purge permission described above and is refused while purge protection is on and the retention period has not passed.
How do I delete a secret in Azure Key Vault from the CLI?
Two commands mirror the two-step model: az keyvault secret delete moves the secret into the soft-deleted state, and az keyvault secret purge permanently deletes the specified soft-deleted secret without the possibility of recovery. Purge is only available on a soft-delete enabled vault and requires the secrets/purge permission.