An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Hello Mark Hancock,
Based on how Azure Key Vault works, Microsoft cannot restore a missing encryption key if it is not present under Deleted keys and no backup exists.
Key recovery is only supported in these scenarios:
- Soft Delete was enabled at the time of deletion – the key would appear under Deleted keys and can be recovered within the retention period (7–90 days, default 90).
- A manual backup of the key exists, which can then be restored.
Purge protection does not help if the key never entered the deleted state. It only prevents permanent deletion of keys that are already soft-deleted.
If Soft Delete was disabled when the key was removed and there is no backup, the key is permanently lost, and even Microsoft support has no backend mechanism to restore it. The only remediation is to create a new key and reconfigure the dependent resource (for example, re-encrypting or redeploying the VM/disk).
Regarding audit logs, Key Vault deletion events are only available if diagnostic logging was enabled before the deletion. If logging was not configured, there will be no record of who deleted the key.
https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
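As an added example (not part of the answer above), a small Python triage helper that applies the same decision tree to a constructed sample shaped like `az keyvault key list-deleted -o json` output; the vault name, key names, backup paths and dates are assumed.

```python
"""Decide whether a missing Key Vault key can be recovered, restored, or is lost."""
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the shape of `az keyvault key list-deleted -o json`
# (recoveryId / deletedDate / scheduledPurgeDate); vault and key names are made up.
DELETED_KEYS_JSON = """[
  {"kid": "https://contoso-kv.vault.azure.net/keys/disk-cmk-01",
   "recoveryId": "https://contoso-kv.vault.azure.net/deletedkeys/disk-cmk-01",
   "deletedDate": "2024-05-01T10:00:00+00:00",
   "scheduledPurgeDate": "2024-07-30T10:00:00+00:00"}
]"""


def triage(key_name, vault_name, deleted_keys_json, backup_files, soft_delete_enabled, now=None):
    """Return (verdict, action) for one key.

    Order mirrors the answer: a soft-deleted key still inside its retention window
    can be recovered; otherwise a manual backup can be restored; otherwise the key
    is gone and the dependent resource must be re-keyed.
    """
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    # Index deleted keys by name, taken from the recoveryId (".../deletedkeys/<name>").
    deleted = {d["recoveryId"].rsplit("/", 1)[-1]: d for d in json.loads(deleted_keys_json)}
    entry = deleted.get(key_name)
    if entry:
        purge_at = datetime.fromisoformat(entry["scheduledPurgeDate"])
        days_left = (purge_at - now).days
        if days_left >= 0:  # still within the 7-90 day retention period
            return ("recoverable",
                    f"az keyvault key recover --vault-name {vault_name} --name {key_name}"
                    f"  # {days_left} days left before scheduled purge")
    # Backup files are assumed to be named <key-name>.<ext>; restore must target
    # a vault in the same subscription and geography as the original.
    backup = next((b for b in backup_files if Path(b).stem == key_name), None)
    if backup:
        return ("restorable", f"az keyvault key restore --vault-name {vault_name} --file {backup}")
    reason = ("soft delete was disabled at deletion time" if not soft_delete_enabled
              else "retention window has elapsed and no backup exists")
    return ("lost", f"create a new key and re-encrypt/redeploy the dependent resource ({reason})")


if __name__ == "__main__":
    for name in ("disk-cmk-01", "disk-cmk-02"):
        print(name, *triage(name, "contoso-kv", DELETED_KEYS_JSON, [], True, "2024-06-01T00:00:00+00:00"))
```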