Venafi Recycle Bin

Sometimes users delete items that they shouldn't, or items they later regret deleting. The recycle bin allows a system administrator with the Master Admin role and/or the Recycle Bin Administrator role to undo the deletion of certain objects using Venafi Configuration Console or the Venafi MMC snap-in.

For more information about the Recycle Bin Administrator role's capabilities and limitations, see Understanding system roles.

The recycle bin allows you to safely automate the cleanup of old archived machine identities, knowing that you can quickly restore them if needed (within a specified time period).

The recycle bin allows you to meet your specific business requirements, such as the following:

  • Automatically remove certificate data (or historical certificate data) from secret store that expired X years ago.

  • Exclude certain information from being deleted.

  • Review logs for deleted identities for auditing purposes.

  • Restore a deleted machine identity when a server owner calls in a panic saying they deleted it by accident.

Please note that you can use TppTool to perform many recycle bin actions from the command line and script files. See Using TppTool from the command line and script files.

Scope

IMPORTANT  Not everything that is deleted in Venafi Platform can be restored from the recycle bin. For example, while certificates, policies, and credentials are generally recoverable, some objects cannot be restored. This feature is not a global "undo." It does, however, allow you to restore the most critical objects in the case of accidental deletion by the cleanup process or by a user.

The following objects ARE generally recoverable (see exceptions, below).

  • Policy settings, certificates, and provision settings such as credentials, and Application objects.

  • Logging channels and notifications.

  • SecretStore Vault owner and entry information.

  • Devices.

    WARNING!  Any SSH keys that are associated with the device are not currently recoverable. Deletion of a device removes all SSH keys from SSH Protect's inventory, but this does not deprovision the keys from the device. So the keys will still be able to connect to that device. For additional information see How SSH Protect uses the recycle bin.

  • SSH certificate issuance templates.

  • SSH certificate issuance flows.

  • Adaptable actions for SSH certificate issuance flows.

  • SSH CA keypairs.

The following items are NOT recoverable:

  • Agent/Client Registrations within the Client Subsystem.

  • API Integration registrations within the OAuth Subsystem.

  • Preference changes or deletions.

  • Attributes on specific objects (Recycle Bin covers deletion of the object itself, not the deletion or changing of configuration options on the object).

  • Permission assignment, Workflow ticket, or Flow ticket deletions.

  • Device information. Any SSH Keysets, key instances, and trust information that is not stored in the Recycle Bin is deleted immediately.

  • SSH keys. SSH Protect documentation provides details on how the recycle bin treats SSH assets.

    NOTE  Deletion of SSH keys from the inventory does two things: First it removes the keyset from SSH Protect's inventory, and second it deprovisions the keys on the connected devices. This means the public key is removed from the authorized_keys file on all connected devices. The keyset will no longer be able to connect to that device.

Restoration Availability

Each entry in the recycle bin has an icon that tells you whether the entry can be restored. The last column of the table shows where the item will be restored to.

Green check mark: the item can be restored to its original location. To restore this item, click the Restore action.

Yellow warning icon: the item's parent is also deleted, so the item can't be restored directly. To restore this item, restore it to its parent, then restore its parent.

Red circle with a line through it: the item cannot be restored as is. For details on why it can't be restored, click Properties.

EXAMPLE  The following graphic shows two items in the recycle bin. BugTest is a parent item that contained Sub, but they were deleted in different actions. The Sub item has a yellow warning icon, indicating that it can't be restored directly to its original location. (Note how the last column shows that the item will restore to \Bin\.)

If you want to restore Sub you have two options:

  • Click Restore for the Sub entry. It will be restored to the BugTest item still in the recycle bin (note that you can see this in the last column).

  • Click Restore for the BugTest entry. It will be restored to its original location in \Policy\. The Sub item will now have a green check mark because it can be restored to its parent in \Policy\BugTest.

For details on any entry, click the Properties action which will provide detailed information about the entry's restore state. There you can see extensive information about the entry including:

  • The entry's original location.

  • Restoration information, including how and where an item will be restored.

  • A detailed explanation of why a given item cannot be restored.

  • Information about who deleted the item and when.

  • Information about when the item will automatically be purged if no action is taken.

If you click Retrieve Details before you click Properties, you can see even more information including:

  • Number of associated vault (Secret Store) entries

  • The types and counts of items of those types in Secret Store.

Other icons

When you click Retrieve Details for an entry, its associations are shown in an expandable sub-list. These items have one of two icons, as outlined in the following table.

Branch icon: the linked item is not stored in the Secret Store vault.

Key icon: the linked item is stored in the Secret Store vault.

Restoration exceptions and potential resolutions

There are a number of reasons why you might not be able to restore an item in the recycle bin. Here are some of the more common scenarios:

Case: A child item is deleted in one step. Later the child's parent is deleted in a different step.

Resolution options:

  1. Click "Restore" on the child item. The association with the parent is restored; however, both items are still in the recycle bin. If you restore the parent item at this point, both the parent and the associated child item will be restored.

  2. Restore the parent item. The child item can then be restored to its original parent. (In this case, note that after the parent item is restored, the child item's icon changes to a green check mark.)

  3. Purge the parent item so it is no longer in the recycle bin. Then create a new parent item in the same location with the same name. If you click Restore on the child item at this point, the child will be restored to the new parent you created.

Case: A child item gets deleted. Later the child's parent is renamed.

Resolution: If you restore the child item, Venafi Platform will attempt to restore the item to the renamed parent item, if the renamed parent still exists.
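The following is an added, constructed model of the restore-availability rules described above (the green/yellow/red states and the parent-deleted, parent-purged and parent-renamed cases). It is not Venafi's code or API; the class and method names, the DN layout and the \Policy root are assumptions made for illustration.

```python
# Constructed model of the recycle-bin restore rules on this page (not Venafi code).
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"   # restore-availability icons

@dataclass
class Entry:
    name: str
    orig_parent: str           # DN of the parent at deletion time, e.g. "\\Policy"
    attached_to: str = None    # parent entry in the bin it was re-associated with

@dataclass
class RecycleBinModel:
    live: set = field(default_factory=lambda: {"\\Policy"})  # DNs of live objects
    bin: dict = field(default_factory=dict)                   # DN -> Entry
    renamed: dict = field(default_factory=dict)               # old DN -> new DN

    def create(self, dn): self.live.add(dn)
    def purge(self, dn): del self.bin[dn]
    def delete(self, dn):
        parent, _, name = dn.rpartition("\\")
        self.live.discard(dn)
        self.bin[dn] = Entry(name, parent)
    def rename(self, old, new):
        self.live.discard(old); self.live.add(new); self.renamed[old] = new

    def target_parent(self, dn):
        p = self.bin[dn].orig_parent
        return self.renamed.get(p, p)          # follow a rename of the parent

    def status(self, dn):
        t = self.target_parent(dn)
        if t in self.live: return GREEN        # parent exists: restorable as is
        if t in self.bin:  return YELLOW       # parent is also in the bin
        return RED                             # nowhere to restore to

    def restore(self, dn):
        """Return the DN the item now lives at, or None if it stayed in the bin."""
        state = self.status(dn)
        if state == RED:
            return None
        t = self.target_parent(dn)
        if state == YELLOW:                    # re-associate with the parent entry
            self.bin[dn].attached_to = t
            return None
        new_dn = t + "\\" + self.bin.pop(dn).name
        self.live.add(new_dn)
        for child in [d for d, e in self.bin.items() if e.attached_to == dn]:
            self.restore(child)                # children come back with the parent
        return new_dn
```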

Accessing the recycle bin

The recycle bin interface can be accessed in three ways:

  • By connecting to the Venafi Platform server and opening Venafi Configuration Console (VCC). The Recycle Bin node is in the left panel.

  • By adding the MMC snap-in and assigning the user both the application entitlement and master admin permissions.

  • By connecting to the Venafi Platform server and using the command line. For more information, see .

Recycle Bin event logging

Detailed information about all recycle bin events can be seen in the Venafi Event Viewer. This tool is available in Venafi Configuration Console, or as an MMC snap-in. For details on the Event Viewer, see Venafi Event Viewer overview.

In the Venafi Event Viewer you can use the filter function to see only Recycle Bin events, or even specific types of Recycle Bin events. You can save these as a custom view to refer back to them easily. To learn how to create custom views, see Custom Views.

Related API documentation

Systems accessing Venafi Platform via the API can interact with items in the recycle bin. For more information, see RecycleBin API.

What's next?

If you are looking for general information about the recycle bin interface, see Recycle Bin's interface.

If you are trying to restore an item that was deleted, see Recycle Bin's actions panel.

If you are wanting to learn more about a specific recycle bin item, see Recycle Bin's details panel.