Enable Soft-Deletion/Purge on a Key vault
To enable via Azure CLI:
az keyvault update --name MyVault --resource-group Test --enable-purge-protection true
Via Azure Portal:
- Select the Key vault > Properties blade
- Select Soft-delete [Enabled], define the retention period (default is 90 days) and set Purge protection [Enabled]
Removing a Key vault via PowerShell:
- If soft-deletion/purge protection hasn't been enabled, the Key vault and all secrets/keys cannot be restored!
- If soft-deletion/purge protection is enabled, the entire vault can be restored within the defined retention period (default is 90 days)
Remove-AzKeyVault -VaultName 'MyVault'
Restoring a deleted Key vault via PowerShell:
Note: When a deleted Key vault is restored, all secrets/keys that existed at the time of deletion are also restored, including access policies.
- List the deleted Key vault:
Get-AzKeyVault -InRemovedState
- Restore the deleted Key vault:
Undo-AzKeyVaultRemoval -VaultName 'MyVault' -ResourceGroupName 'Test' -Location 'eastus'
- Confirm the restore:
Get-AzKeyVault -VaultName MyVault
Deleting a Key vault (with purge protection enabled):
Enabling purge protection is irreversible; a deleted vault cannot be purged before its scheduled purge time is reached, so it stays recoverable for the full retention period.
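The steps above enable and verify protection one vault at a time. The following added PowerShell script (not part of the original notes) audits every Key vault in the current subscription for soft-delete and purge protection and optionally enables purge protection where it is missing; it assumes the Az.KeyVault module is installed and Connect-AzAccount has already been run.

```powershell
# Audit all Key vaults in the current subscription for soft-delete / purge protection.
# Assumes: Az.KeyVault module installed, Connect-AzAccount already run.
param(
    [switch]$Remediate   # when set, enable purge protection on vaults that lack it
)

$findings = foreach ($item in Get-AzKeyVault) {
    # Get-AzKeyVault with no parameters returns summary objects only;
    # fetch the full vault object to read the protection settings.
    $vault = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

    [pscustomobject]@{
        VaultName       = $vault.VaultName
        ResourceGroup   = $vault.ResourceGroupName
        SoftDelete      = [bool]$vault.EnableSoftDelete
        PurgeProtection = [bool]$vault.EnablePurgeProtection
        RetentionDays   = $vault.SoftDeleteRetentionInDays
    }
}

$findings | Format-Table -AutoSize

# A vault without both settings can be lost permanently on deletion.
$atRisk = @($findings | Where-Object { -not $_.SoftDelete -or -not $_.PurgeProtection })

if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} vault(s) lack soft-delete and/or purge protection" -f $atRisk.Count)

    if ($Remediate) {
        foreach ($v in $atRisk) {
            # Purge protection cannot be turned off again once enabled.
            Write-Host "Enabling purge protection on $($v.VaultName)"
            Update-AzKeyVault -VaultName $v.VaultName -ResourceGroupName $v.ResourceGroup -EnablePurgeProtection
        }
    }
}
```

Run it without -Remediate first to review the report; re-run with -Remediate only after confirming the listed vaults should have irreversible purge protection.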
Disabling BitLocker:
- From PowerShell or Azure Cloud Shell, run:
Disable-AzVMDiskEncryption -ResourceGroupName 'Servers' -VMName 'test1'
- If the above fails, uninstall the 'AzureDiskEncryption' extension. If uninstalling the extension is delayed or fails, retry.
- Re-run the Disable-AzVMDiskEncryption command; this will reboot the VM.
- Run the following command to monitor the BitLocker decryption process:
manage-bde -status