I can't access my database! I deleted my "Azure Key Vault" / "key" and the TDE doesn't work.


Guest hugo_sql
Posted

If we have customer-managed TDE (Transparent Data Encryption) and we delete by mistake the entire "Azure Key Vault" or just the "Key" object, the database becomes inaccessible.

Don't worry, this problem is solvable. Every "Azure Key Vault" or its "keys"/"secrets"/"certificates" objects have the "soft-delete" feature enabled, so if you delete any of these elements, Azure keeps a backup copy of them for 90 days:

Azure Key Vault soft-delete | Microsoft Learn

We need to recover the "Azure Key Vault" (AKV) or the Key object. We can follow these steps in the Azure Portal:

Case 1 - Deleted key object

Go to the Azure Key Vault and select "Keys" objects and then click on "Manage deleted Keys":

Select the "key" object that you want to recover and then click on "Recover":

The recovery takes a few seconds:

Once access to the key is restored, taking the database back online requires extra time and steps, which may vary based on the time elapsed without access to the key and the size of the data in the database. If key access is restored within 30 minutes, the database will autoheal within the next hour. If key access is restored after more than 30 minutes, autoheal isn't possible, and bringing back the database requires extra steps on the portal and can take a significant amount of time depending on the size of the database. Once the database is back online, previously configured server-level settings such as failover group configuration, point-in-time-restore history, and tags will be lost.

Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn

If we restored the "Key" object after 30 minutes, we need to go to the "Transparent Data Encryption" blade from the Azure SQL Server, select the option "Retry existing key" and then click on "Revalidate key":

And now the database is online again:

You can also restore the "key" object through PowerShell and CLI:

[PowerShell]

Connect-AzAccount

# List all deleted keys in a key vault
Get-AzKeyVaultKey -VaultName myAKVtest -InRemovedState

# To recover a soft-deleted key
Undo-AzKeyVaultKeyRemoval -VaultName myAKVtest -Name myTDEkey

[CLI]

# List all deleted keys in a key vault
az keyvault key list-deleted --vault-name myAKVtest

# To recover a soft-deleted key
az keyvault key recover --vault-name myAKVtest --name myTDEkey

Case 2 - Deleted Azure Key Vault

If you have deleted the whole "Azure Key Vault", you can restore it. To do this, go to the main blade of the "Azure Key Vault" resources and click on "Manage deleted vaults":

Select the subscription, then the "Azure Key Vault" you want to restore, and click on the button "Recover":

The recovery process takes a few seconds:

As in Case 1, if the vault (and with it the "Key" object) was restored after 30 minutes, we need to go to the "Transparent Data Encryption" blade from the Azure SQL Server, select the option "Retry existing key" and then click on "Revalidate key":

And the TDE is working again:

You can also restore the "Azure Key Vault" resource through PowerShell and CLI:

[PowerShell]

Connect-AzAccount

# List all soft-deleted key vaults
Get-AzKeyVault -InRemovedState

# Recover a soft-deleted key vault
Undo-AzKeyVaultRemoval -VaultName myAKVtest -ResourceGroupName rgHCtest -Location westeurope

[CLI]

# List all soft-deleted key vaults
az keyvault list-deleted --resource-type vault

# Recover a soft-deleted key vault
az keyvault recover --location westeurope --name myAKVtest --resource-group rgHCtest

If we deleted the key object or the Azure Key Vault more than 30 minutes ago, the only way to revalidate the TDE is through the Azure Portal or the REST API.
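The two cases above can be handled in one script that first brings back the vault if it is missing, then the key, and finally applies the 30-minute rule to tell the operator whether the database will autoheal or the key must be revalidated. This is an added example, not code from the original post; it reuses the post's names (myAKVtest, myTDEkey, rgHCtest, westeurope) as assumed values and needs the Az.KeyVault module with an existing Connect-AzAccount session.

```powershell
# Added example, not from the original post: recover a soft-deleted TDE key, or the
# whole vault it lived in, and report whether TDE will autoheal or needs revalidation.
# Assumed names come from the post's own commands; Az.KeyVault and Connect-AzAccount are required.
param(
    [string]$VaultName     = 'myAKVtest',
    [string]$KeyName       = 'myTDEkey',
    [string]$ResourceGroup = 'rgHCtest',
    [string]$Location      = 'westeurope'
)
$autohealWindow = [TimeSpan]::FromMinutes(30)   # threshold stated in the Microsoft Learn article
$deletedAt = $null

# Case 2: the whole vault is gone, so bring it back from the soft-deleted state first.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    $deletedVault = Get-AzKeyVault -VaultName $VaultName -Location $Location -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deletedVault) { throw "Vault '$VaultName' is neither active nor soft-deleted (purged, or past the 90-day retention)." }
    $deletedAt = $deletedVault.DeletionDate
    Write-Host "Vault deleted at $deletedAt (purge scheduled $($deletedVault.ScheduledPurgeDate)); recovering..."
    Undo-AzKeyVaultRemoval -VaultName $VaultName -ResourceGroupName $ResourceGroup -Location $Location | Out-Null
}

# Case 1: the vault exists (or was just recovered) but the TDE protector key is gone.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $key) {
    $deletedKey = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -InRemovedState -ErrorAction SilentlyContinue
    if (-not $deletedKey) { throw "Key '$KeyName' is neither active nor soft-deleted in '$VaultName'." }
    if (-not $deletedAt) { $deletedAt = $deletedKey.DeletedDate }
    Write-Host "Key deleted at $deletedAt (purge scheduled $($deletedKey.ScheduledPurgeDate)); recovering..."
    Undo-AzKeyVaultKeyRemoval -VaultName $VaultName -Name $KeyName | Out-Null
}

# Apply the 30-minute rule from the post to tell the operator which TDE recovery path applies.
if ($deletedAt) {
    $outage = (Get-Date).ToUniversalTime() - $deletedAt.ToUniversalTime()
    if ($outage -le $autohealWindow) {
        Write-Host "Key access restored after $([int]$outage.TotalMinutes) min: the database should autoheal within the next hour."
    } else {
        Write-Host "Key access was lost for $([int]$outage.TotalMinutes) min: no autoheal. Open the server's 'Transparent Data Encryption' blade, select 'Retry existing key' and click 'Revalidate key' (or use the REST API)."
    }
} else {
    Write-Host "Vault and key are both present; nothing to recover."
}

# Hardening check: purge protection stops a soft-deleted vault or key from being purged early, so this recovery path stays available for the whole retention period.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault.EnablePurgeProtection) {
    Write-Warning "Purge protection is off on '$VaultName'; enable it with Update-AzKeyVault -EnablePurgeProtection."
}
```

Run it right after the deletion is noticed: the elapsed time is measured from the soft-delete timestamp Azure records, so the script reports the correct path even when the recovery itself is done later.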

I hope this step-by-step guide will be helpful.