Deleting a Key

Learn how to schedule the deletion of a master encryption key stored in an OCI vault.

Important:

  • When a key is in the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible, including secrets. The key also can't be assigned or unassigned to any resources or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to resources currently encrypted by the key or preserve your data another way. To restore the use of a key before it's permanently deleted, you can cancel its deletion. See Canceling a Master Encryption Key Deletion for more information.
  • When a key is scheduled for deletion, auto-rotation is temporarily suspended but not disabled for keys that have this feature enabled. If the key deletion is canceled and the key returns to the Active state, the auto-rotation setting that the key had before the scheduled deletion is restored.
  • We recommend that you back up a key before you schedule it for deletion. With a backup, you can restore the key to the vault if you need to use the key later.
    1. On the Master Encryption Keys list page, find the key that you want to work with. If you need help finding the list page, see Listing Keys.
    2. From the Actions menu at the end of the row entry for the key, select Delete Key.
    3. On the Confirm page, enter the key name in the Name field to confirm.
    4. Use the Select deletion date and Time fields to schedule when you want the Vault service to delete the key. By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days. Before you schedule the key for deletion, we recommend that you back up the key, because no key management operations are available while the key is pending deletion.
    5. Select Delete Key.
  • Use the oci kms management key schedule-deletion command and required parameters to schedule the deletion of a key. By default, the deletion is scheduled for 30 days from the time of the request. Use the optional --time-of-deletion parameter to set an explicit deletion time (an RFC 3339 timestamp) between 7 and 30 days from the time of the request. See the CLI Command Reference for more information:

    oci kms management key schedule-deletion --key-id <target_key_id> --endpoint <kmsmanagement_control_plane_URL>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the ScheduleKeyDeletion operation against the Management Endpoint to schedule deletion of the key.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGEMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
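The following script is an added example of the CLI procedure above, not code from the Oracle documentation. It validates the 7 to 30 day window before calling oci kms management key schedule-deletion with an explicit --time-of-deletion, then reads the key back to confirm it has moved to the PENDING_DELETION state. It assumes a configured OCI CLI, GNU date (Linux) for the timestamp arithmetic, and that you supply KEY_ID and the vault's management endpoint in ENDPOINT; the DRY_RUN switch, which prints the commands instead of running them, is this example's own convention.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): schedule a Vault master
# encryption key for deletion from the CLI, enforcing the 7..30 day window
# the service accepts, then confirm the lifecycle state.
# Assumptions: OCI CLI installed and configured; GNU date (-d "+N days");
# KEY_ID and ENDPOINT are placeholders you supply. DRY_RUN=1 prints the
# oci commands instead of executing them.

MIN_DAYS=7
MAX_DAYS=30

# Print an RFC 3339 UTC timestamp DAYS from now, or fail (exit 1) when DAYS
# is not an integer in the window the service enforces.
deletion_timestamp() {
  days="$1"
  case "$days" in
    ''|*[!0-9]*) echo "days must be an integer" >&2; return 1 ;;
  esac
  if [ "$days" -lt "$MIN_DAYS" ] || [ "$days" -gt "$MAX_DAYS" ]; then
    echo "deletion must be between $MIN_DAYS and $MAX_DAYS days from now" >&2
    return 1
  fi
  date -u -d "+${days} days" +%Y-%m-%dT%H:%M:%SZ
}

# Run an oci command, or echo it when DRY_RUN is set.
run_oci() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s ' oci "$@"
    echo
  else
    oci "$@"
  fi
}

# Schedule deletion of KEY_ID through the vault's management (control plane)
# endpoint, DAYS from now (defaults to the service default of 30 days).
schedule_key_deletion() {
  key_id="$1"; endpoint="$2"; days="${3:-$MAX_DAYS}"
  ts="$(deletion_timestamp "$days")" || return 1
  run_oci kms management key schedule-deletion \
    --key-id "$key_id" --endpoint "$endpoint" --time-of-deletion "$ts"
}

# Print the key's lifecycle state; expect PENDING_DELETION after scheduling.
key_state() {
  key_id="$1"; endpoint="$2"
  run_oci kms management key get --key-id "$key_id" --endpoint "$endpoint" \
    --query 'data."lifecycle-state"' --raw-output
}

# Usage: only runs when both placeholders are set in the environment.
if [ -n "${KEY_ID:-}" ] && [ -n "${ENDPOINT:-}" ]; then
  schedule_key_deletion "$KEY_ID" "$ENDPOINT" 7 && key_state "$KEY_ID" "$ENDPOINT"
fi
```

Back up the key (see the recommendation above) before running this; once the key is in PENDING_DELETION, nothing encrypted under it can be read until you cancel the deletion.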