Description:
Azure Key Vault recoverability ensures that keys, secrets, and certificates can be restored after accidental or malicious deletion. Soft delete keeps a deleted vault or object in a recoverable state for the configured retention period; purge protection additionally blocks permanent deletion (purging) of the vault and its objects until that retention period has expired, and it cannot be turned off once enabled.
Rationale:
Recoverability protects against accidental deletion and against deliberate destruction by a compromised or malicious principal that holds delete permissions. Soft delete allows restoration within the retention period, and purge protection ensures that neither an attacker nor an operator can bypass that window by purging the deleted object, supporting business continuity and compliance with standards such as SOC 2, HIPAA, GDPR, and NIST.
Impact:
Deleted keys, secrets, and certificates (and the vault itself) can be recovered during the retention period. Once purge protection is enabled, permanent deletion is not possible until the retention period expires; the vault name and object names remain reserved during that time, and the operational cost of a soft-deleted object continues to apply.
Default Value:
Soft delete is always enabled for Azure Key Vault and cannot be disabled. The soft-delete retention period is configurable between 7 and 90 days, with a default of 90 days. Purge protection is disabled by default unless enforced by Azure Policy or set at vault creation.
Pre-requisites:
An existing Azure Key Vault
Permissions to modify Key Vault properties
Test Plan:
Sign in to the Azure Portal at https://portal.azure.com
Navigate to Key Vaults and select the applicable Key Vault.
Open Properties under Settings.
Verify that Soft delete is enabled.
Verify that Purge protection is enabled.
If either setting is not enabled, mark the check as Fail and follow the implementation steps.
Implementation steps:
Sign in to the Azure Portal at https://portal.azure.com
Navigate to Key Vaults and select the required Key Vault.
Open Properties under Settings.
Locate Purge protection and enable it.
Save the configuration.
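The portal steps above can be scripted for fleets of vaults. The following audit helper is an added example and is not part of the benchmark or of Microsoft's tooling; it evaluates the same two settings from the JSON that `az keyvault show --name <vault> --output json` (or `az keyvault list` with full properties) returns, where the flags live under "properties" as enableSoftDelete, enablePurgeProtection and softDeleteRetentionInDays, and it emits the Azure CLI remediation command for each failing vault. The three vaults in the sample are constructed for illustration and are not real resources.

```python
"""Audit Azure Key Vault recoverability settings from `az keyvault show` JSON.

Added example, not benchmark or vendor code. Assumes the `az keyvault show`
output shape (flags under "properties"). The sample vaults are constructed.
"""
import json

# Constructed sample of what `az keyvault list`/`show` returns for three vaults.
# Note that az reports null (None) for enablePurgeProtection when it was never set.
SAMPLE_VAULTS_JSON = json.dumps([
    {"name": "kv-prod-payments", "resourceGroup": "rg-prod",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90}},
    {"name": "kv-dev-sandbox", "resourceGroup": "rg-dev",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": None,
                    "softDeleteRetentionInDays": 7}},
    {"name": "kv-legacy", "resourceGroup": "rg-legacy",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": False,
                    "softDeleteRetentionInDays": 90}},
])

# Real Azure CLI flag; the same change the portal "Purge protection" toggle makes.
REMEDIATE_PURGE = ("az keyvault update --name {name} --resource-group {rg} "
                   "--enable-purge-protection true")


def evaluate_vault(vault: dict) -> dict:
    """Return Pass/Fail for one vault plus findings and remediation commands."""
    props = vault.get("properties") or {}
    name = vault.get("name", "<unknown>")
    rg = vault.get("resourceGroup", "<unknown>")
    findings = []
    remediation = []

    # Soft delete cannot be disabled on current vaults, but the check still
    # guards against stale or partial output where the flag is missing/false.
    if props.get("enableSoftDelete") is not True:
        findings.append("soft delete is not enabled")

    # Compare against True explicitly: None (never set) and False both fail.
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is not enabled")
        remediation.append(REMEDIATE_PURGE.format(name=name, rg=rg))

    return {
        "name": name,
        "status": "Fail" if findings else "Pass",
        "retention_days": props.get("softDeleteRetentionInDays"),
        "findings": findings,
        "remediation": remediation,
    }


def audit(vaults_json: str) -> list:
    """Evaluate every vault in an `az keyvault` JSON array."""
    return [evaluate_vault(v) for v in json.loads(vaults_json)]


if __name__ == "__main__":
    for result in audit(SAMPLE_VAULTS_JSON):
        print(f"{result['name']}: {result['status']} "
              f"(retention {result['retention_days']} days)")
        for finding in result["findings"]:
            print(f"  - {finding}")
        for cmd in result["remediation"]:
            print(f"  remediate: {cmd}")
```

To feed real data, run `az keyvault show --name <vault> --output json` for each vault in scope and pass the collected array to audit(). Remediation is irreversible: once `--enable-purge-protection true` is applied it cannot be reverted, so confirm the vault is the intended one before running the printed command.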
Backout Plan:
There is no backout plan. Purge protection is irreversible: once enabled on an Azure Key Vault it cannot be disabled by any principal, and the vault and its objects can only be purged after the soft-delete retention period has expired. Deleting the vault does not release its name or its objects until that period passes.
References:
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete#purge-protection