I can’t access my database! I deleted my “Azure Key Vault” / “key” and the TDE doesn’t work.

This post has been republished via RSS; it originally appeared at: Azure Database Support Blog articles.

With customer-managed TDE (Transparent Data Encryption), the TDE protector is a key that lives in an Azure Key Vault. If that key object, or the entire Azure Key Vault that holds it, is deleted by mistake, Azure SQL can no longer reach the protector and the database becomes inaccessible.

Don't worry, this problem is solvable. Every Azure Key Vault has the soft-delete feature enabled (it is on by default), and it covers the vault itself as well as its keys, secrets and certificates: when any of these is deleted, Azure keeps it in a recoverable, soft-deleted state for the vault's retention period (configurable from 7 to 90 days, 90 by default). One caveat: soft-delete alone does not stop a principal holding the purge permission from permanently destroying the deleted object before the retention period ends. Only purge protection prevents that, which is why Azure SQL requires both soft-delete and purge protection on the vault that holds the TDE protector. See:

Azure Key Vault soft-delete | Microsoft Learn
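As an added example (not part of the original post), the following PowerShell script checks the vault that actually holds a server's TDE protector for the two settings discussed above and turns purge protection on if it is missing. The server and resource-group names are assumptions; it needs the Az.Accounts, Az.Sql and Az.KeyVault modules and a session opened with Connect-AzAccount.

```powershell
# Added example, not from the original post. Assumed names: replace with your own.
$ResourceGroupName = 'rgHCtest'       # assumed resource group of the Azure SQL logical server
$ServerName        = 'sqlservertest'  # assumed Azure SQL logical server name

# 1. Which key is the server's TDE protector?
$protector = Get-AzSqlServerTransparentDataEncryptionProtector `
    -ResourceGroupName $ResourceGroupName -ServerName $ServerName
if ($protector.Type -ne 'AzureKeyVault') {
    Write-Host "Server '$ServerName' uses a service-managed TDE protector; nothing to check."
    return
}

# KeyId has the form https://<vault>.vault.azure.net/keys/<name>/<version>
$keyUri    = [uri]$protector.KeyId
$vaultName = $keyUri.Host.Split('.')[0]
$keyName   = $keyUri.Segments[2].TrimEnd('/')
Write-Host "TDE protector: key '$keyName' in vault '$vaultName'"

# 2. Read the vault's deletion-protection settings.
$vault = Get-AzKeyVault -VaultName $vaultName
Write-Host ("Soft-delete: {0}; retention: {1} days; purge protection: {2}" -f `
    $vault.EnableSoftDelete, $vault.SoftDeleteRetentionInDays, $vault.EnablePurgeProtection)

# 3. Soft-delete only keeps a recoverable copy; a principal holding the purge
#    permission can still destroy it early. Purge protection closes that gap and
#    cannot be turned off again once set, which is the point.
if (-not $vault.EnablePurgeProtection) {
    Write-Warning "Vault '$vaultName' has no purge protection; enabling it."
    Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $vault.ResourceGroupName `
        -EnablePurgeProtection | Out-Null
}

# 4. Confirm the protector key itself is present and enabled.
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Warning "Key '$keyName' is not in the active key list; look under 'Manage deleted keys'."
} elseif (-not $key.Enabled) {
    Write-Warning "Key '$keyName' exists but is disabled; TDE fails the same way as with a deleted key."
} else {
    Write-Host "Key '$keyName' is present and enabled."
}
```

Run it before an incident, not after: once purge protection is on, nobody can shorten the recovery window described in this post, and step 4 catches a disabled key, which takes the database down in exactly the same way as a deleted one.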
We need to recover the "Azure Key Vault" (AKV) or the Key object. We can follow these steps in the Azure Portal:

 

Case 1 - [ Deleted key object ]

In the Azure Key Vault, open "Keys" and click on "Manage deleted keys".

Select the key object that you want to recover and click on "Recover".

The recovery takes a few seconds.

Once access to the key is restored, taking the database back online requires extra time and steps, which may vary based on the time elapsed without access to the key and the size of the data in the database. If key access is restored within 30 minutes, the database will autoheal within the next hour. If key access is restored after more than 30 minutes, autoheal isn't possible, and bringing back the database requires extra steps on the portal and can take a significant amount of time depending on the size of the database. Once the database is back online, previously configured server-level settings such as failover group configuration, point-in-time-restore history, and tags will be lost. 

 

Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn

 

If the key was recovered more than 30 minutes after it became inaccessible, the database will not autoheal. Go to the "Transparent Data Encryption" blade of the Azure SQL logical server, select the option "Retry existing key" and click on "Revalidate key".

The database is now online again.

You can also recover the key object with PowerShell or the Azure CLI:

[PowerShell]

Connect-AzAccount
# List all deleted keys in a key vault
Get-AzKeyVaultKey -VaultName myAKVtest -InRemovedState
# Recover a soft-deleted key
Undo-AzKeyVaultKeyRemoval -VaultName myAKVtest -Name myTDEkey

[CLI]

# List all deleted keys in a key vault
az keyvault key list-deleted --vault-name myAKVtest
# Recover a soft-deleted key
az keyvault key recover --vault-name myAKVtest --name myTDEkey


Case 2 - [ Deleted Azure Key Vault ]

 

If you deleted the whole Azure Key Vault, you can restore it as well. Go to the main blade of the "Azure Key Vault" resources and click on "Manage deleted vaults".

Select the subscription, then the Azure Key Vault you want to restore, and click on "Recover".

The recovery process takes a few seconds.

As in Case 1, if the vault (and with it the key) was recovered more than 30 minutes after it became inaccessible, go to the "Transparent Data Encryption" blade of the Azure SQL logical server, select "Retry existing key" and click on "Revalidate key".

And TDE is working again.

You can also recover the Azure Key Vault resource with PowerShell or the Azure CLI:

[PowerShell]

Connect-AzAccount
# List all soft-deleted key vaults
Get-AzKeyVault -InRemovedState
# Recover a soft-deleted key vault (the original resource group and location are required)
Undo-AzKeyVaultRemoval -VaultName myAKVtest -ResourceGroupName rgHCtest -Location westeurope

[CLI]

# List all soft-deleted key vaults
az keyvault list-deleted --resource-type vault
# Recover a soft-deleted key vault
az keyvault recover --location westeurope --name myAKVtest --resource-group rgHCtest


If the key object or the Azure Key Vault was deleted more than 30 minutes before it was recovered, the TDE protector must be revalidated explicitly, and the only way to do that is through the Azure portal or the REST API: the PowerShell and CLI commands above bring the vault or key back, but they do not trigger the revalidation.
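As an added example that is not part of the original post, here is the whole recovery in one PowerShell script: it works out which vault and key the server's TDE protector points to, recovers the vault (Case 2) or the key (Case 1) from the soft-deleted state, and then triggers the same revalidation the portal's "Revalidate key" button performs by calling the ARM REST operation through Invoke-AzRestMethod. The server, vault resource group and database names are assumptions, as is the Microsoft.Sql API version in the request path; it needs Az.Accounts, Az.Sql and Az.KeyVault and a Connect-AzAccount session.

```powershell
# Added example, not from the original post. All names below are assumptions.
$ResourceGroupName      = 'rgHCtest'       # assumed resource group of the Azure SQL logical server
$ServerName             = 'sqlservertest'  # assumed Azure SQL logical server name
$DatabaseName           = 'mydbtest'       # assumed database to poll afterwards
$VaultResourceGroupName = 'rgHCtest'       # assumed resource group the vault was created in
$ApiVersion             = '2021-11-01'     # assumed Microsoft.Sql API version exposing revalidate

# 1. Locate the protector key from the server's configuration.
$protector = Get-AzSqlServerTransparentDataEncryptionProtector `
    -ResourceGroupName $ResourceGroupName -ServerName $ServerName
$keyUri    = [uri]$protector.KeyId
$vaultName = $keyUri.Host.Split('.')[0]
$keyName   = $keyUri.Segments[2].TrimEnd('/')

# 2. Case 2: the whole vault is gone, so recover it first.
$vault = Get-AzKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $deletedVault = Get-AzKeyVault -VaultName $vaultName -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deletedVault) { throw "Vault '$vaultName' is neither active nor soft-deleted; nothing to recover." }
    Write-Host "Recovering soft-deleted vault '$vaultName' (scheduled purge $($deletedVault.ScheduledPurgeDate))..."
    $vault = Undo-AzKeyVaultRemoval -VaultName $vaultName `
        -ResourceGroupName $VaultResourceGroupName -Location $deletedVault.Location
}

# 3. Case 1: only the key is gone, so recover it from the soft-deleted state.
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName -ErrorAction SilentlyContinue
if (-not $key) {
    $deletedKey = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deletedKey) { throw "Key '$keyName' is neither active nor soft-deleted; nothing to recover." }
    Write-Host ("Recovering key '{0}' (deleted {1}, scheduled purge {2})..." -f `
        $keyName, $deletedKey.DeletedDate, $deletedKey.ScheduledPurgeDate)
    $key = Undo-AzKeyVaultKeyRemoval -VaultName $vaultName -Name $keyName
}

# 4. Ask Azure SQL to revalidate the protector. This is the ARM operation behind the
#    portal's "Revalidate key" button; the api-version is an assumption, adjust it if ARM rejects it.
$subscriptionId = (Get-AzContext).Subscription.Id
$path = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.Sql/servers/$ServerName/encryptionProtector/current/revalidate" +
        "?api-version=$ApiVersion"
$response = Invoke-AzRestMethod -Method POST -Path $path
if ($response.StatusCode -notin 200, 202) {
    throw "Revalidate request failed: HTTP $($response.StatusCode) $($response.Content)"
}
Write-Host "Revalidation accepted (HTTP $($response.StatusCode)); large databases can take a while."

# 5. Poll until the database reports Online.
do {
    Start-Sleep -Seconds 30
    $db = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -DatabaseName $DatabaseName
    Write-Host "Status of '$DatabaseName': $($db.Status)"
} while ($db.Status -ne 'Online')
```

If the revalidation is still rejected after the key is back, check that the server's managed identity still has the get, wrapKey and unwrapKey permissions on the recovered key; the portal steps in this post assume those permissions were never touched.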

 

I hope this step-by-step guide will be helpful.
