Soft delete for Azure Backup
This article covers soft delete for Azure Backup. Security threats such as malware, ransomware, and intrusion are increasing, and they can be costly both financially and in terms of data. To safeguard against such attacks, Azure Backup now includes security capabilities that help protect backup data even after it has been deleted.
One such feature is soft delete. Using this, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the “soft delete” state don’t incur any cost to you.
Enabling and disabling soft delete
- Firstly, soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature isn’t recommended. The only circumstance where you should consider disabling soft delete is if you’re planning on moving your protected items to a new vault and can’t wait the 14 days required before deleting and reprotecting (such as in a test environment).
- Secondly, only the vault owner can disable this feature. If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state before disabling this feature will remain in soft deleted state for the period of 14 days.
- Lastly, it’s important to remember that once soft delete is disabled, the feature is disabled for all the types of workloads.
Disabling soft delete using Azure portal
To disable, follow these steps:
- Firstly, in the Azure portal, go to your vault, and then go to Settings -> Properties.
- Secondly, in the properties pane, select Security Settings -> Update.
- Lastly, in the security settings pane, under Soft Delete, select Disable.
Disabling soft delete using Azure PowerShell
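To disable, use the Set-AzRecoveryServicesVaultProperty PowerShell cmdlet, passing the vault's ID in -VaultId. The output that follows the command shows the vault's resulting security properties.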
PowerShell
Set-AzRecoveryServicesVaultProperty -VaultId $myVaultID -SoftDeleteFeatureState Disable
StorageModelType :
StorageType :
StorageTypeState :
EnhancedSecurityState : Enabled
SoftDeleteFeatureState : Disabled
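Because disabling soft delete makes every later deletion immediate and unrecoverable, it helps to check which vaults in a subscription have it turned off. The audit below is an added example, not code from the original page or from Microsoft's documentation; it assumes the Az.RecoveryServices module and an existing Connect-AzAccount session, and the function name Get-VaultSoftDeleteReport is hypothetical.

```powershell
# Added example: audit the soft delete state of every Recovery Services vault
# in the current subscription. Assumes Az.Accounts and Az.RecoveryServices are
# installed and Connect-AzAccount has already been run.
# Get-VaultSoftDeleteReport is a hypothetical helper name, not an Az cmdlet.
function Get-VaultSoftDeleteReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Re-enable soft delete on any vault found with it disabled.
        [switch]$Remediate
    )

    foreach ($vault in Get-AzRecoveryServicesVault) {
        try {
            $prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID -ErrorAction Stop
        }
        catch {
            # Missing permissions on one vault should not stop the whole audit.
            Write-Warning "Could not read properties of vault '$($vault.Name)': $_"
            continue
        }

        $state      = [string]$prop.SoftDeleteFeatureState
        $remediated = $false

        # ShouldProcess makes -WhatIf and -Confirm work for the remediation step.
        if ($state -eq 'Disabled' -and $Remediate -and
            $PSCmdlet.ShouldProcess($vault.Name, 'Enable soft delete')) {
            Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable | Out-Null
            $remediated = $true
        }

        [pscustomobject]@{
            Vault                  = $vault.Name
            ResourceGroup          = $vault.ResourceGroupName
            SoftDeleteFeatureState = $state
            EnhancedSecurityState  = [string]$prop.EnhancedSecurityState
            Remediated             = $remediated
        }
    }
}

# Report only. Add -Remediate (optionally with -WhatIf) to turn soft delete back on.
Get-VaultSoftDeleteReport | Sort-Object SoftDeleteFeatureState | Format-Table -AutoSize
```

A vault reported as Disabled that is not in the middle of a planned migration is worth investigating, since only the vault owner can change this setting.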
Permanently deleting soft deleted backup items
Backup data that was in soft deleted state prior to disabling this feature will remain in soft deleted state. If you wish to permanently delete these items immediately, undelete them and then delete them again.
Using Azure portal
Follow these steps:
- Firstly, in the Azure portal, go to your vault, go to Backup Items, and choose the soft deleted item.
- Secondly, select the option Undelete.
- Then, a window will appear. Select Undelete.
- After that, choose Delete backup data to permanently delete the backup data.
- Next, type the name of the backup item to confirm that you want to delete the recovery points.
- Lastly, to delete the backup data for the item, select Delete. A notification message lets you know about the deletion of backup data.
Reference: Microsoft Documentation