Hello @sonisick,
Please note that if you have created a Managed HSM Azure Key Vault with purge protection enabled for a certain time period (anywhere between 7 and 90 days), it remains in a soft-deleted state and cannot be permanently deleted until the retention period expires. During this time, you will continue to be billed for the Managed HSM Azure Key Vault. Once the retention period ends, the Managed HSM will be automatically purged.
Please refer to the screenshot below, where we can see that purge protection has been enabled, by going to Key vaults -> select the key vault which you have created -> under Settings select Properties -> under Purge protection you can see the option below to enable purge protection.
Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects)
The Managed HSM soft-delete feature allows recovery of deleted HSMs and keys. Specifically, this feature provides the following safeguards:
- After an HSM or key is deleted, it remains recoverable for a configurable period of 7 to 90 calendar days. You can set the retention period when you create an HSM. If you don't specify a value, the default retention period of 90 days will be used. This period gives users enough time to notice an accidental key or HSM deletion and respond.
- To permanently delete a key, users need to take two actions. First, they must delete the key, which puts it into the soft-deleted state. Second, they must purge the key in the soft-deleted state. The purge operation requires the Managed HSM Crypto Officer role. These extra safeguards reduce the risk of a user accidentally or maliciously deleting a key or an HSM.
Soft-delete behavior
Soft-delete can't be turned off for Managed HSM resources.
Resources marked as deleted are kept for a specified period. There's also a mechanism for recovering deleted HSMs or keys, so you can undo deletions.
The default retention period is 90 days. When you create an HSM resource, you can set the retention policy interval to a value from 7 to 90 days. The purge protection retention policy uses the same interval. After you set the retention policy, you can't change it.
You can't reuse the name of an HSM resource that's been soft-deleted until the retention period ends and the HSM resource is purged (permanently deleted).
Purge protection
Purge protection is an optional behavior. It's not enabled by default. You can turn it on by using the Azure CLI or PowerShell.
When purge protection is on, an HSM or key in the deleted state can't be purged until the retention period ends. Soft-deleted HSMs and keys can still be recovered, which ensures the retention policy will be in effect.
The default retention period is 90 days. You can set the retention policy interval to a value from 7 to 90 days when you create an HSM. The retention policy interval can be set only when you create an HSM. It can't be changed later.
Billing implications
Managed HSM is a single-tenant service. When you create a managed HSM, the service reserves underlying resources allocated to your HSM. These resources remain allocated even when the HSM is in a deleted state. You'll be billed for the HSM while it's in a deleted state.
Managed HSMs (CLI)
- To check the status of soft-delete and purge protection for a managed HSM:
  - `az keyvault show --subscription {SUBSCRIPTION ID} -g {RESOURCE GROUP} --hsm-name {HSM NAME}`
- To purge a soft-deleted HSM:
  - `az keyvault purge --subscription {SUBSCRIPTION ID} --hsm-name {HSM NAME} --location {LOCATION}`
  - This operation will permanently delete your HSM.
Reference documents which will be helpful:
Azure Key Vault Managed HSM soft-delete | Microsoft Learn
Azure Key Vault recovery overview | Microsoft Learn
Azure Key Vault Managed HSM recovery overview | Microsoft Learn
Once you have permanently deleted the Managed HSM key vaults, billing will stop.
You can confirm that by going to Key vaults -> Manage deleted vaults and checking whether the deleted key vault named StephansTopSecret is showing under the key vaults list, as mentioned in the screenshot below.
Please note that if you are seeing the same as shown in the above screenshot, then the billing will be stopped.
I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.
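An added example, not part of the original answer or of Microsoft's tooling: a Python helper that applies the retention and purge-protection rules described above to the JSON record of a soft-deleted Managed HSM and reports whether it can be purged now and how long it will otherwise remain in the billed deleted state. The field names `deletionDate`, `scheduledPurgeDate` and `purgeProtectionEnabled` are assumptions about the CLI's JSON output, and the sample record is constructed.

```python
import json
import math
from datetime import datetime

# Constructed sample record for a soft-deleted Managed HSM. The field names
# (deletionDate, scheduledPurgeDate, purgeProtectionEnabled) are assumptions
# about the JSON the CLI returns; every value here is made up.
SAMPLE_DELETED_HSM = json.loads("""
{
  "name": "example-hsm",
  "properties": {
    "location": "westeurope",
    "deletionDate": "2024-03-01T10:00:00+00:00",
    "scheduledPurgeDate": "2024-05-30T10:00:00+00:00",
    "purgeProtectionEnabled": true
  }
}
""")


def parse_ts(ts):
    # Accept an offset such as "+00:00" as well as a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def purge_status(deleted_hsm, now):
    """Summarise when a soft-deleted HSM can be purged, i.e. when billing can stop."""
    props = deleted_hsm["properties"]
    deleted = parse_ts(props["deletionDate"])
    scheduled = parse_ts(props["scheduledPurgeDate"])
    retention_days = (scheduled - deleted).days
    if not 7 <= retention_days <= 90:
        raise ValueError(f"retention of {retention_days} days is outside 7-90")
    protected = bool(props.get("purgeProtectionEnabled"))
    expired = now >= scheduled
    seconds_left = (scheduled - now).total_seconds()
    return {
        "retention_days": retention_days,
        # With purge protection on, a manual purge is refused until the
        # retention period ends; without it the HSM can be purged right away.
        "can_purge_now": expired or not protected,
        # The HSM stays billed for as long as it sits in the deleted state.
        "days_until_auto_purge": max(0, math.ceil(seconds_left / 86400)),
    }


if __name__ == "__main__":
    print(purge_status(SAMPLE_DELETED_HSM, parse_ts("2024-03-11T10:00:00Z")))
```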