Key Vault replication & backup/restore secret update
TLDR: I want the possibility to overwrite already existing secrets with Restore-AzKeyVaultSecret/Key/Certificate to allow for replication under the customer's control.
According to the Key Vault documentation, Azure Key Vault provides a 99.9% availability percentage, and replication to the paired region takes place to ensure customers can continue using their Key Vaults in read-only mode after a failover.
However, this is a situation a customer does not and cannot control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the paired region. I would like it if we were able to take more control of this process.
This can be made possible by being able to back up and restore secrets on a more continuous basis to another Key Vault which resides in the paired region. It is currently impossible to overwrite an already existing secret with a backup file if a secret of that name already exists, even though the backup has a newer version of the secret than the one already residing in the target Key Vault.
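The replication loop described above, written out as an added example (it is not code from the original post or from Microsoft) using the Az.KeyVault cmdlets the post names. It assumes Az.KeyVault is installed, Connect-AzAccount has already been run, the caller has get/list/backup/restore/set secret permissions on both vaults, and both vaults are in the same subscription and Azure geography (Restore-AzKeyVaultSecret only accepts backup blobs from the same geography). The vault names, parameter names and backup directory are placeholders.

```powershell
# Added example: one-way replication of secrets from a primary Key Vault to a
# secondary vault in the paired region. Assumptions: Az.KeyVault installed,
# Connect-AzAccount already run, backup/restore/get/set secret permissions on
# both vaults, both vaults in the same subscription and geography.
param(
    [Parameter(Mandatory)] [string] $PrimaryVault,      # placeholder vault name
    [Parameter(Mandatory)] [string] $SecondaryVault,    # placeholder vault name
    [string] $BackupDir = (Join-Path ([System.IO.Path]::GetTempPath()) 'kv-replication')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($item in Get-AzKeyVaultSecret -VaultName $PrimaryVault) {
    $name = $item.Name
    $blob = Join-Path $BackupDir "$name.blob"

    # The backup blob is encrypted by the service and contains every version of
    # the secret; it is the only artefact that carries version history across vaults.
    Backup-AzKeyVaultSecret -VaultName $PrimaryVault -Name $name -OutputFile $blob -Force | Out-Null

    $target = Get-AzKeyVaultSecret -VaultName $SecondaryVault -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $target) {
        # First time this secret is seen on the secondary side: a restore brings
        # over all versions, attributes and tags intact.
        Restore-AzKeyVaultSecret -VaultName $SecondaryVault -InputFile $blob | Out-Null
        Write-Host "[$name] restored with full version history"
        continue
    }

    # The secret already exists in the secondary vault, so Restore-AzKeyVaultSecret
    # would fail with a conflict (the limitation the post asks to lift). The only
    # option left is to copy the current version's value, which creates a fresh
    # version on the secondary side and does not carry older versions across.
    $source = Get-AzKeyVaultSecret -VaultName $PrimaryVault -Name $name
    if ($source.Updated -le $target.Updated) {
        Write-Host "[$name] secondary is up to date, nothing to do"
        continue
    }

    $setArgs = @{
        VaultName   = $SecondaryVault
        Name        = $name
        SecretValue = $source.SecretValue   # SecureString; plaintext is never materialised here
    }
    if ($source.ContentType) { $setArgs['ContentType'] = $source.ContentType }
    if ($source.Tags)        { $setArgs['Tag']         = $source.Tags }
    if ($source.Expires)     { $setArgs['Expires']     = $source.Expires }
    if ($source.NotBefore)   { $setArgs['NotBefore']   = $source.NotBefore }
    Set-AzKeyVaultSecret @setArgs | Out-Null
    Write-Host "[$name] copied current value only (older versions not replicated)"
}
```

Run it as `.\Sync-KeyVaultSecrets.ps1 -PrimaryVault kv-primary -SecondaryVault kv-secondary` (placeholder names) on a schedule. The first pass restores each secret with its complete history; every later pass for an already-present secret is forced down the Set-AzKeyVaultSecret path, which is exactly the gap the request describes: the secondary vault ends up with only the latest value and a version ID that differs from the primary's. The backup blobs written to the temp directory are service-encrypted, but they should still be deleted after a run. Note that no equivalent fallback exists for keys, because key material in Key Vault is not exportable; for keys, backup/restore is the only replication path, so the conflict-on-restore behaviour blocks continuous key replication entirely.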
1. TDE for SQL Databases can be enabled with an Azure Key Vault key only when customers choose the BYOK option.
2. Azure Key Vault is highly available between region pairs with automatic failover, but the failover could take up to 20 min as per the Azure documentation.
3. In order to overcome this, we are trying to configure a secondary key vault in a different region.
4. But this doesn't work if we are not able to copy all versions of the key to the secondary region.
Alex Csontos commented
Yes, please allow the restore on top of an existing entry.