Protect Key vault from deletion - CMK

MS Techie 2,751 Reputation points
2023-02-13T16:08:42.5566667+00:00

For Azure managed disks, we are thinking of having Encryption with Customer Managed Keys. We have several disks across 130 Azure subscriptions.

https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption

  1. From the above Microsoft URL, I understand that we need to create 1 DiskEncryptionSet per subscription and we can have 1 Key Vault in a common subscription, which can be used to hold all CMK keys for the several managed disks. Is my understanding correct?

Now assuming that soft delete is disabled and someone deletes the Key Vault, then we cannot start up the VMs which have their encryption keys associated with a single Key Vault.

  2. What options do we have to salvage this kind of situation? One option that I can think of is enabling soft-delete on the Key Vault, which retains data for 90 days. What other security options do I have?


1 answer

  1. Toks O 0 Reputation points
    2023-02-16T00:23:07.83+00:00

    You should enable soft-delete and purge protection on your key vaults. This is such a "must have" that Microsoft will remove the ability to opt-out of soft delete in 2025.

    If you don't have soft delete enabled and manage to delete the key vault, you will only be able to recover if you have an alternate backup of the encryption key contained in the key vault. Without this there will be no way to recover access to the encrypted disks.
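
As an added example (not part of the answer above or of any Microsoft tooling), a small Python audit that applies the check described in the answer to the JSON that `az keyvault list -o json` returns, flags vaults that would not survive an accidental delete, and emits the `az keyvault update` command that turns purge protection on. The vault names and the exact JSON layout (`properties.enableSoftDelete`, `properties.enablePurgeProtection`, `properties.softDeleteRetentionInDays`) are assumptions; the sample data is constructed so the script also runs offline.

```python
"""Audit Azure Key Vaults for soft delete / purge protection (hypothetical helper)."""
import json
import subprocess
from typing import Dict, List

# Constructed sample in the assumed shape of `az keyvault list -o json`.
SAMPLE_VAULTS_JSON = json.dumps([
    {"name": "kv-cmk-prod", "resourceGroup": "rg-keys",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90}},
    {"name": "kv-cmk-test", "resourceGroup": "rg-keys",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": None,
                    "softDeleteRetentionInDays": 7}},
    {"name": "kv-legacy", "resourceGroup": "rg-old",
     "properties": {"enableSoftDelete": False}},
])


def find_unprotected(vaults_json: str, min_retention_days: int = 90) -> List[Dict]:
    """Return vaults whose settings would not let a deleted vault be recovered."""
    findings = []
    for v in json.loads(vaults_json):
        p = v.get("properties", {})
        problems = []
        if not p.get("enableSoftDelete"):
            problems.append("soft delete disabled")
        elif (p.get("softDeleteRetentionInDays") or 0) < min_retention_days:
            problems.append("retention below %d days" % min_retention_days)
        if not p.get("enablePurgeProtection"):
            problems.append("purge protection disabled")
        if problems:
            findings.append({"name": v["name"], "resourceGroup": v["resourceGroup"],
                             "problems": problems})
    return findings


def remediation_commands(findings: List[Dict]) -> List[str]:
    """az CLI command per finding; purge protection cannot be switched off once enabled."""
    return ["az keyvault update --name %s --resource-group %s --enable-purge-protection true"
            % (f["name"], f["resourceGroup"]) for f in findings]


if __name__ == "__main__":
    try:  # live run against the current subscription; falls back to the sample offline
        vaults = subprocess.check_output(["az", "keyvault", "list", "-o", "json"], text=True)
    except (OSError, subprocess.CalledProcessError):
        vaults = SAMPLE_VAULTS_JSON
    findings = find_unprotected(vaults)
    for f in findings:
        print(f["name"], "->", ", ".join(f["problems"]))
    for cmd in remediation_commands(findings):
        print(cmd)
```

Run it once per subscription (after `az account set`) to cover all 130; a vault passing the check still needs an out-of-band key backup if you want recovery beyond the retention window.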

