In this post, we will be looking at purging options to permanently delete a Key Vault and fully erase all the secrets, keys, and certificates in it. Sometimes destroying data properly is as important as keeping it secure. We all know that there are some cases in which the data is actually not deleted completely, even if we think it is. Key Vaults in Azure are a good example of this.
Latest posts by Baki Onur Okutucu (see all)

Soft-delete and Purge Protection ^

Soft-delete is a Key Vault feature that allows us to recover deleted keys, secrets, and certificates, as well as the entire set of Key Vault resources within the retention period, which can be configured to between 7 and 90 days.

When you create a Key Vault in Azure Portal, soft-delete is enabled by default, and you cannot disable it. This means that every Key Vault has to be created with soft-delete enabled. It is also important to note that the name used on the soft-deleted Key Vault cannot be reused with a new Key Vault until the retention period is finished.

Soft delete is enabled by default on Key Vaults

Soft delete is enabled by default on Key Vaults

Purge protection is another feature of Key Vaults that is used to protect deleted Key Vaults for a certain period, called the "retention period." Once enabled, purge protection prevents deleted key vaults from being purged until the retention period has been reached. This selection cannot be changed once the Key Vault is created.

If a Key Vault is created with purge protection, you can still delete it, but you will not be able to purge it once it is deleted. In this case, the deleted Key Vaults will have to wait for 90 days to pass to be permanently purged.

Purging a deleted Key Vault ^

To purge a Key Vault, we first need to make sure that the Key Vault has already been deleted. That is, the Key Vault should be deleted first, using the command below, and then purged afterwards.

Remove-AzKeyVault -VaultName testvault2000 -Location 'West Europe' -Force

Now, we can move on to the next step, which is to purge the deleted Key Vault. First, we need to make sure that purge protection is not enabled on the Key Vault to be purged. Key Vaults can be either purged or recovered in the main Key Vaults section in Azure Portal, where deleted Key Vaults are also displayed.

Deleted kay vaults can be seen in Azure Portal

Deleted kay vaults can be seen in Azure Portal

The purge option can only be used when the Key Vault is not protected with purge protection.

Recover and purge operations in Azure Portal

Recover and purge operations in Azure Portal

If you try to purge a protected Key Vault in Azure Portal, you'll get the following error.

Failed to purge key vault "testvault3000" of subscription "2021." Operation 'deletedvaultpurge' is not allowed. Please check if this vault has purge protection turned on, and make sure you have the correct permissions.

Error message when trying to purge a protected key vault in Azure Portal

Error message when trying to purge a protected key vault in Azure Portal

If you try to do the same via PowerShell, you'll get this:

Remove-AzKeyVault -VaultName testvault2000 -InRemovedState -Force -Location 'West Europe'

Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed

Error message when trying to purge a protected key vault via PowerShell

Error message when trying to purge a protected key vault via PowerShell

Permission model on Key Vaults ^

When it comes to managing Key Vaults for any operation, there are two permission models that need to be followed. Resource permissions grant a user, group, or service principal access over an Azure Resource such as a storage account, Key Vault, virtual machine, database, etc.

  1. RBAC permissions: Regular Azure resource permissions, such as Contributor, Reader, Owner, Key Vault Contributor, etc. This is needed to access and manage the actual Key Vault resource in Azure.
  2. Access Policy permissions: Even if you have Owner permission on a Key Vault, you still need Access Policy permissions for each item (e.g., keys, secrets, etc.). Each item has its own set of permissions defined in the Access Policy section.

Note that to perform a purge operation on a Key Vault, the user account that you're currently logged in with needs the following resource permissions on the Key Vault object before purging it. "Owner," "Contributor," and "Key Vault Contributor" built-in roles have this permission by default.

Microsoft.KeyVault/locations/deletedVaults/purge/action

Here is an example of Key Vault resource permissions. If I need a Key Vault Secret User role to perform some specific action, then I can simply assign that role to the user on the target resource.

Example of Key Vault resource permissions

Example of Key Vault resource permissions

Purging a deleted secret, key, or certificate ^

Once a Key Vault is soft-deleted, which is the default behavior, all the items in the Key Vault, such as secrets, keys, and certificates, are also enabled for soft-delete as well. Thus, we can also recover or purge these items unless purge protection is enabled on the Key Vault.

Soft delete is enabled automatically on all items in a Key Vault

Soft delete is enabled automatically on all items in a Key Vault

If you try to purge a secret in a protected Key Vault, you'll get the error below. This also applies to keys and certificates.

Remove-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'

Code: Forbidden

Message: The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=7d00fe23-0864-4cb8-8877-c7572e51f6f9;numgroups=4;iss=https://sts.windows.net/849e8524-4433-4b03-aea4-b2dd81e72401/' does not have secrets purge permission on key vault 'testvault4000;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

image8

image8

Purge protection prevents the items in Key Vaults from being purged

The following resource permissions are needed in advance to purge these items in Key Vaults:
Item
Permission
The built-in role to cover this permission

ItemPermissionThe built-in role to cover this permission
CertificatesMicrosoft.KeyVault/vaults/certificates/purge/action

 

Key Vault Certificates Officer

Contributor

Owner

KeysMicrosoft.KeyVault/vaults/keys/purge/action

 

Key Vault Crypto Officer

Contributor

Owner

SecretsMicrosoft.KeyVault/vaults/secrets/purge/actionKey Vault Secrets Officer

Contributor

Owner

In addition to the above resource permissions, purge operations need to be enabled for each item in the Access Policies section of the Key Vault. Otherwise, the following error will occur when you try to purge secrets, keys, or certificates within a Key Vault:

Purge operation permission in Access Policies needs to be granted beforehand

Purge operation permission in Access Policies needs to be granted beforehand

The purge operation can be enabled on each item by selecting the Purge permission from the dropdown box, as shown below.

Purge is a privileged operation that needs to be explicitly enabled in the access policy of the Key Vault

Purge is a privileged operation that needs to be explicitly enabled in the access policy of the Key Vault

Once both the resource permissions and access policies are configured, the purge operation can be performed.

The following commands can be used to purge the keys, secrets, and certificates on a Key Vault with no purge protection:

Remove-AzKeyVaultSecret -VaultName testvault2000 -Name secret1 -Force -InRemovedState
Remove-AzKeyVaultKey -VaultName testvault2000 -Name key1 -Force -InRemovedState
Remove-AzKeyVaultCertificate -VaultName testvault2000 -Name certificate1 -Force -InRemovedState

Conclusion ^

Key Vaults are heavily used resources in Azure. With recent changes, they are protected by default by the soft-delete feature. Although purge protection can also be enabled for additional data protection or compliance purposes, purging unnecessary Key Vault data might be needed in some cases. PowerShell can easily perform these operations on Key Vaults.

0 Comments

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account