Problem Description
Azure backup operations are failing. The Druva console reports authentication or encryption/decryption errors because the associated Azure Key Vault—which stores the critical encryption keys required for the backup process—has been deleted.
Cause
The Azure Key Vault was removed from the Azure environment, preventing the Druva backup service from accessing the cryptographic keys. This typically occurs due to:
Accidental manual deletion.
Automated Resource Group cleanup activities.
Scripted deployments targeting seemingly "unused" resources.
Resolution
STEP 1: Recover the Soft-Deleted Key Vault (Recommended)
By default, Azure enables soft-delete on Key Vaults, retaining deleted vaults for 90 days. If the vault was deleted recently, follow these steps to restore it without data loss.
1. Access Deleted Vaults
Log in to the Azure Portal with Key Vault Contributor, Owner, or Global Administrator permissions.
Search for and select Key Vaults in the top search bar.
On the main Key Vaults menu, click Manage deleted vaults from the top command bar.
2. Restore the Vault
Set the Properties filter to "Deleted vaults".
Locate the specific Key Vault used by Druva in the list.
Select the vault and click Recover.
3. Fix Access Policies & Sync
⚠️ Note: Recovered vaults often lose their active access permissions upon restoration.
Navigate to the recovered Key Vault.
Go to Access configuration (or Access policies / Azure RBAC depending on your vault setup).
Ensure the Druva Service Principal is granted the following cryptographic permissions: Get, List, Unwrap Key, and Wrap Key.
Log in to the Druva Cloud Console, navigate to your Azure Cloud Settings, and trigger a Sync to refresh the connection.
Manually trigger a backup job to verify success.
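The same recovery can be run from the Azure CLI. The script below is an added example, not Druva's own tooling; it assumes az login has already been done with a role that can recover vaults, and the vault name and service principal object ID passed as arguments are placeholders you supply. It checks whether the vault is still soft-deleted, recovers it, and re-grants the key permissions listed above when the vault uses access policies.

```sh
#!/bin/sh
# Added example (not Druva's code). Usage:
#   sh recover_vault.sh <vault-name> <druva-service-principal-object-id>
# Both arguments are placeholders supplied by the operator.

# Print the scheduled purge date if the vault is soft-deleted.
# Returns 1 if it is not in the deleted list (purged or retention expired).
deleted_vault_purge_date() {
  dv_out=$(az keyvault show-deleted --name "$1" \
    --query properties.scheduledPurgeDate -o tsv 2>/dev/null) || return 1
  [ -n "$dv_out" ] || return 1
  printf '%s\n' "$dv_out"
}

# Recover the vault and restore the key permissions from the article.
# Exit codes: 0 = recovered, 1 = CLI call failed, 2 = not recoverable (STEP 2).
recover_vault() {
  rv_vault=$1
  rv_sp=$2
  if ! rv_purge=$(deleted_vault_purge_date "$rv_vault"); then
    echo "fallback: $rv_vault is not among the soft-deleted vaults"
    return 2
  fi
  echo "recovering $rv_vault (scheduled purge: $rv_purge)" >&2
  az keyvault recover --name "$rv_vault" >/dev/null || return 1

  # Access policies only apply when the vault is not in Azure RBAC mode.
  rv_rbac=$(az keyvault show --name "$rv_vault" \
    --query properties.enableRbacAuthorization -o tsv) || return 1
  case "$rv_rbac" in
    true|True)
      echo "rbac: vault uses Azure RBAC; check the role assignment for $rv_sp"
      return 0 ;;
  esac
  az keyvault set-policy --name "$rv_vault" --object-id "$rv_sp" \
    --key-permissions get list unwrapKey wrapKey >/dev/null || return 1
  echo "policy: granted get list unwrapKey wrapKey to $rv_sp"
}

if [ "$#" -eq 2 ]; then
  recover_vault "$1" "$2"
fi
```

An exit code of 2 means the vault is no longer recoverable and STEP 2 applies; the Druva sync and test backup still have to be done in the Druva console afterwards.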
STEP 2: Re-onboard the Azure Subscription (Fallback Only)
If the Key Vault is not found in the "Manage deleted vaults" section, it has either been permanently purged or the 90-day retention period has expired. You must re-establish the cloud connection.
🛑 CRITICAL WARNING: Deleting the Azure Subscription from the Druva Console will permanently delete all existing backup history and data for this subscription from the Druva Cloud. Proceed only if Key Vault recovery is impossible and you are authorized to start a completely new backup chain.
Re-onboarding Process:
Remove Subscription: In the Druva console, navigate to your Azure settings and delete the affected Azure Subscription.
Re-Add Subscription: Click Add Subscription to launch the onboarding workflow.
Configure Encryption Settings: When prompted for Azure Key Vault settings, input new parameters to replace the destroyed vault:
New Security Key Vault Name: Enter a unique, compliant name (do not reuse the deleted vault name).
New Resource Group Name: Specify a new or existing Resource Group to house the vault.
Authorize Deployment: Check the authorization box allowing Druva to automatically provision the new Key Vault and generate new encryption keys.
Synchronize: Wait 5–10 minutes for Azure and Druva to complete the resource deployment handshake before attempting to schedule or run a new backup.
Verification
Once either Step 1 or Step 2 is complete, navigate to the Druva Jobs tab and run an ad-hoc backup. Ensure the status transitions to Success and no further credential or encryption errors are logged.
