What are Azure Key Vault's soft-delete and purge protection features?

Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2020-05-06T21:00:49.01+00:00

Please explain how Azure Key Vault's soft-delete and purge protection features work. How can I recover vaults that have been soft-deleted? Why do I need to enable soft-delete in order to use purge protection?

Note: As we migrate from MSDN, this question has been posted by an Azure Cloud Engineer as a frequently asked question.
Source:
How to use Key Vault soft-delete with PowerShell
How to use Key Vault soft-delete with CLI


Accepted answer
  1. Saurabh Sharma 23,671 Reputation points Microsoft Employee
    2020-05-06T21:02:57.453+00:00

    Azure Key Vault’s soft-delete feature allows the recovery of deleted vaults and objects (keys, secrets, certificates). When enabled, resources marked as deleted are retained for a specified period (default 90 days) and during this time the service provides a mechanism for recovering the deleted object.

    Soft delete is ON by default during Key Vault creation with a default retention period of 90 days. The retention policy can be changed from 7 to 90 days through the Azure portal during Azure Key Vault creation. The purge protection retention policy uses the same interval. Once set, the retention policy interval cannot be changed.

    Purge protection is an optional feature of Azure Key Vault which is disabled by default. Purge protection can only be enabled once soft delete is enabled for the key vault. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.

    Source:
    How to use Key Vault soft-delete with PowerShell
    How to use Key Vault soft-delete with CLI

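The settings and the recovery path described in the accepted answer, as an added Az PowerShell walkthrough (example code, not from the original post or the linked docs). It assumes the Az.KeyVault module, an authenticated session, and placeholder vault, resource group and secret names.

```powershell
# Added example: check a vault's soft-delete / purge-protection state,
# turn purge protection on, and recover soft-deleted objects and vaults.
# Assumes Connect-AzAccount has already been run. Names are placeholders.
$vaultName     = 'kv-example-placeholder'
$resourceGroup = 'rg-example-placeholder'

# 1. Audit the current protection settings of a live vault.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
"Soft delete: $($vault.EnableSoftDelete)  " +
"Retention: $($vault.SoftDeleteRetentionInDays) days  " +
"Purge protection: $($vault.EnablePurgeProtection)"

# 2. Purge protection is opt-in and cannot be turned off again once enabled.
#    It depends on soft delete, which new vaults already have on.
if (-not $vault.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
        -EnablePurgeProtection
}

# 3. Recover a soft-deleted secret while it is still inside the retention window.
#    ScheduledPurgeDate shows when the retention period runs out.
Get-AzKeyVaultSecret -VaultName $vaultName -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultSecretRemoval -VaultName $vaultName -Name 'example-secret-placeholder'

# 4. Recover a whole soft-deleted vault: list removed vaults, then undo the removal.
Get-AzKeyVault -InRemovedState |
    Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate
Undo-AzKeyVaultRemoval -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -Location $vault.Location

# 5. Permanent deletion (purge) of a soft-deleted vault. With purge protection
#    on, this call is rejected until ScheduledPurgeDate has passed; kept
#    commented out so the script does not destroy anything by accident.
# Remove-AzKeyVault -VaultName $vaultName -Location $vault.Location -InRemovedState -Force
```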

2 additional answers

  1. Manish chandra 76 Reputation points
    2022-02-06T14:33:17.787+00:00

    Key Vault's soft-delete feature allows recovery of the deleted vaults and deleted key vault objects (for example, keys, secrets, certificates), known as soft-delete.

    Soft delete helps to recover data when it is erroneously modified or deleted by an application or other storage account user. When data is deleted, it transitions to a soft deleted state instead of being permanently erased. When soft delete is on and we overwrite data, a soft deleted snapshot is generated to save the state of the overwritten data.

    When creating a new key vault, soft-delete is on by default. Once soft-delete is enabled on a key vault it cannot be disabled.

    The default retention period is 90 days but, during key vault creation, it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. The purge protection retention policy uses the same interval. Once set, the retention policy interval cannot be changed.

    Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. Most Azure services that integrate with Azure Key Vault, such as Storage, require purge protection to prevent data loss.
    In the screenshot below you can see the highlighted comment by Azure at the bottom. I created an Azure key vault in my storage account and Azure displays a message that "Both soft delete and purge protection will be enabled in the key vault and cannot be disabled."
    [Screenshot: Key Vault creation page showing the message "Both soft delete and purge protection will be enabled in the key vault and cannot be disabled."]
    Source:
    Azure key vault and purge protection overview

    How to encrypt data in Azure key Vault?

    How to work with Soft Delete in Azure?


  2. Shubham Saini 30 Reputation points
    2024-04-06T21:31:27.4766667+00:00

    Adding some more information specific to purge...

    Purge means delete. Azure gives you the ability to delete the deleted secret permanently. If the purge protection is enabled then you cannot delete the deleted secret.

    Example - If you delete a file in Windows then it goes to the recycle bin and you have the option to empty your recycle bin. Imagine if you did not have permission to empty your bin; that's what purge protection does.
