I can't access my database! I deleted my "Azure Key Vault" / "key" and the TDE doesn't work.
Published Jan 03 2023 01:46 AM 1,642 Views
Microsoft

If we have a Customer-managed TDE (Transparent Data Encryption) and we delete by mistake the entire "Azure Key Vault" or just the "Key" object, the database will be inaccessible:

hugo_sql_0-1671626677516.png

 

hugo_sql_3-1671626869827.png

Don't worry, this problem is solvable. Every "Azure Key Vault" or its "keys"/"secrets"/"certificates" objects have the "soft-delete" feature enabled, so if you delete any of these elements, Azure keeps a backup copy of them for 90 days:

 

Azure Key Vault soft-delete | Microsoft Learn

 

hugo_sql_4-1671627061721.png

 

hugo_sql_5-1671627261846.png

We need to recover the "Azure Key Vault" (AKV) or the Key object. We can follow these steps in the Azure Portal:

 

Case 1 - [ Deleted key object]

 

Go to the Azure Key Vault and select "Keys" objects and then click on "Manage deleted Keys":

 

hugo_sql_0-1671634545446.png

Select the "key" object that you want to recover and then click on "Recover":

 

hugo_sql_1-1671634728074.png

 

The recovery takes a few seconds:

 

hugo_sql_2-1671634866005.png

 

Once access to the key is restored, taking the database back online requires extra time and steps, which may vary based on the time elapsed without access to the key and the size of the data in the database. If key access is restored within 30 minutes, the database will autoheal within the next hour. If key access is restored after more than 30 minutes, autoheal isn't possible, and bringing back the database requires extra steps on the portal and can take a significant amount of time depending on the size of the database. Once the database is back online, previously configured server-level settings such as failover group configuration, point-in-time-restore history, and tags will be lost. 

 

Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance...

 

If we restored the "Key" object after 30 minutes, we need to go to the "Transparent Data Encryption" blade from the Azure SQL Server, select the option "Retry existing key" and then click on "Revalidate key":

 

hugo_sql_0-1671635789275.png

 

hugo_sql_1-1671636092650.png

 

And now the database is online again:

 

hugo_sql_2-1671636253035.png

 

You can also restore the "key" object through PowerShell and CLI:

 

[PowerShell]

 

 

Connect-AzAccount

#List all deleted keys in a key vault

Get-AzKeyVaultKey -VaultName myAKVtest -InRemovedState

#To recover a soft-deleted key

Undo-AzKeyVaultKeyRemoval -VaultName myAKVtest -Name myTDEkey

 

 

List all deleted keys in a key vault

To recover a soft-deleted key

 

[CLI]

 

 

List all deleted keys in a key vault
az keyvault key list-deleted --vault-name myAKVtest

To recover a soft-deleted key
az keyvault key recover --vault-name myAKVtest --name myTDEkey

 

 

List all deleted keys in a key vault

To recover a soft-deleted key

 

Case 2 - [ Deleted Azure Key Vault ]

 

If you have deleted the whole "Azure Key Vault" you can restore it, to do this you have to go to the main blade of the "Azure Key Vault" resources and click on "Manage deleted vaults":

 

hugo_sql_0-1671636770968.png

 

Select the subscription, then the "Azure Key Vault" you want to restore, and click on the button "Recover":

 

hugo_sql_3-1671637243532.png

 

The recovery process takes a few seconds:

 

hugo_sql_2-1671637159304.png

If we restored the "Key" object after 30 minutes, we need to go to the "Transparent Data Encryption" blade from the Azure SQL Server, select the option "Retry existing key" and then click on "Revalidate key":

 

hugo_sql_1-1671638354007.png

And the TDE is working again:

hugo_sql_2-1671638503394.png

 

hugo_sql_3-1671638731347.png

 

hugo_sql_4-1671638804067.png

 

You can also restore the "Azure Key Vault" resource through PowerShell  and CLI:

 

[PowerShell]

 

 

Connect-AzAccount

#List all soft-deleted key vaults
Get-AzKeyVault -InRemovedState

#Recover soft-deleted key-vault
Undo-AzKeyVaultRemoval -VaultName myAKVtest -ResourceGroupName rgHCtest -Location westeurope

 

 

List all soft-deleted key vaults

Recover soft-deleted key-vault

 

[CLI]

 

 

List all soft-deleted key vaults

az keyvault list-deleted --resource-type vault


Recover soft-deleted key-vault

az keyvault recover --location westeurope --name myAKVtest --resource-group rgHCtest

 

 

List all soft-deleted key vaults

Recover soft-deleted key-vault

 

If we deleted the key object or the Azure Key vault more than 30 minutes ago, the only way to revalidate the TDE is through the Azure Portal or Rest API.

 

I hope this step-by-step guide will be helpful.

 

 

 

 

 

 

 

 

 

 

 

 

 

Co-Authors
Version history
Last update:
‎Jan 03 2023 01:22 AM
Updated by: