
Key Vault: Support for Disabling Purge Protection #8075

Closed

tombuildsstuff opened this issue Jan 7, 2020 · 7 comments
Labels
KeyVault Service Attention Workflow: This issue is responsible by Azure service team.

Comments

@tombuildsstuff
Contributor

tombuildsstuff commented Jan 7, 2020

👋🏻

We're looking to support Disk Encryption Sets in Terraform - which requires Key Vault to have both Soft Delete and Purge Protection enabled. Whilst it's possible to disable Soft Delete - at this point in time it's not possible to disable Purge Protection - see this Request/Response below:

Request:

PUT /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tom-kv-purge/providers/Microsoft.KeyVault/vaults/tom-kv-purgeprotection?api-version=2016-10-01

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tom-kv-purge/providers/Microsoft.KeyVault/vaults/tom-kv-purgeprotection",
  "name": "tom-kv-purgeprotection",
  "type": "Microsoft.KeyVault/vaults",
  "location": "westeurope",
  "tags": {},
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "Decrypt",
            "Encrypt"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "Purge"
          ],
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ]
        }
      }
    ],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "enableSoftDelete": true,
    "enableRbacAuthorization": false,
    "enablePurgeProtection": false,
    "vaultUri": "https://tom-kv-purgeprotection.vault.azure.net/",
    "provisioningState": "Succeeded"
  }
}

Response:

{
  "error": {
    "code": "BadRequest",
    "message": "The property \"enablePurgeProtection\" cannot be set to false. Enabling the purge protection for a vault is an irreversible action."
  }
}

Whilst in retrospect this doesn't block us immediately, since it's still possible to delete the Key Vault - is there a timeline for when it'll be possible to Disable Purge Protection for an Azure Key Vault?

Thanks!
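The API response quoted above encodes one rule: enablePurgeProtection may go from false to true, never back. The following pre-flight check is an added example, not code from the issue, Azure, or Terraform; it classifies a desired vault change before any PUT is sent, so a plan can surface the irreversible step and reject the change the service would refuse. The helper names, the sample properties, and the parsing of the request-body shape shown above are assumptions made for illustration.

```python
"""Pre-flight check for Azure Key Vault purge-protection changes (added example).

Models the rule stated by the BadRequest above: enablePurgeProtection can be
turned on but never off. Also checks that purge protection is only requested
together with soft delete, which is the combination Disk Encryption Sets need.
"""
from dataclasses import dataclass

# Error text copied from the API response quoted in the issue.
PURGE_PROTECTION_ERROR = (
    'The property "enablePurgeProtection" cannot be set to false. '
    "Enabling the purge protection for a vault is an irreversible action."
)


@dataclass(frozen=True)
class VaultProps:
    enable_soft_delete: bool
    enable_purge_protection: bool


def props_from_body(body: dict) -> VaultProps:
    """Extract the two flags from a vault PUT body like the one in the issue."""
    p = body["properties"]
    return VaultProps(
        bool(p.get("enableSoftDelete", False)),
        bool(p.get("enablePurgeProtection", False)),
    )


def check_transition(current: VaultProps, desired: VaultProps) -> dict:
    """Classify a change as ok / irreversible / rejected before sending it.

    'errors' are changes the service will reject; 'irreversible' are changes it
    will accept but that can never be undone, so a plan should call them out.
    """
    errors, irreversible = [], []
    if current.enable_purge_protection and not desired.enable_purge_protection:
        errors.append(PURGE_PROTECTION_ERROR)
    if desired.enable_purge_protection and not current.enable_purge_protection:
        irreversible.append("enablePurgeProtection: false -> true cannot be undone")
    # Purge protection only makes sense on top of soft delete (assumed constraint).
    if desired.enable_purge_protection and not desired.enable_soft_delete:
        errors.append("enablePurgeProtection requires enableSoftDelete=true")
    return {"ok": not errors, "irreversible": irreversible, "errors": errors}


if __name__ == "__main__":
    # Constructed sample: the body from the issue, against a vault already protected.
    body = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": False}}
    print(check_transition(VaultProps(True, True), props_from_body(body)))
```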

@tombuildsstuff
Contributor Author

@akning-ms is there a timeline for when this'll become available? cc @WodansSon

@akning-ms
Contributor

@akning-ms is there a timeline for when this'll become available? cc @WodansSon
Pinging the service team. Hi @schaabs, can you reply to @tombuildsstuff?

@omeryesil

We also need to disable the purge protection.

I think from the Azure API side, when a KV is deleted, it should release the name including DNS(?), and maybe name the deleted KV something like "[kvname]-deleted" (or a different variation), so that it doesn't lock the name, as it is globally unique.

And when you want to recover, ask for a new name if the original one is not available;
az keyvault recover --n [kvNameToRecover] --new-name [newName]

@jturver1

For me Keyvault with Purge Protection is a critical security and Business Continuity feature. It should only be enabled with care on Keyvault instances which are critical enough to warrant sustaining the additional cost or other inconveniences incurred through the Purge Protection time period after deletion.

On that basis, my view is that the API and capability should not be reconfigured to allow users of any type to disable Purge Protection.

If anything, perhaps permanent Keyvault deletion where Purge Protection is enabled could be something that is requested via a support channel, and only via the designated Account Owner for the subscription in question?

@jlichwa
Contributor

jlichwa commented Jul 24, 2020

It is as designed; purge protection is irreversible. Otherwise a hacker would be able to delete your key vault without the option to recover. #please-close

jlichwa closed this as completed Jul 24, 2020

@byteknacker

This adds a lot of complications to automating Azure. I am using Terraform to provision Azure resources and I am always getting stuck at the purge protection and soft delete features of Key Vault. It is just not programmatic. There should be a solution designed where it is secure and yet you can have an idempotent Terraform pipeline that can delete and recreate the Key Vault without erroring out with "key already exists" or "cannot purge KV because purge protection is enabled". The protection against potential hackers deleting a key in Key Vault does not outweigh the inability to scale and automate Azure. There are other mechanisms to back up your secrets. You can do it with another KV in parallel in a different subscription or tenant, you can make local copies, you can have another Azure PaaS that deals with automatic KV backup. But KV itself should be programmable.

I highly urge Azure developers to implement the option to disable purge protection, and perhaps also soft delete.

@atroiano-glue

Any update on this? Would be great to have this in Terraform.
