Deleting a Vault Key

Learn how to schedule the deletion of a master encryption key from an OCI vault.

  • Note

    When a key is in the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible, including secrets. The key also can't be assigned or unassigned to any resources or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to resources currently encrypted by the key or preserve your data another way. If you want to restore the use of a key before it is permanently deleted, you can cancel its deletion.
    1. Open the navigation menu, select Identity & Security, and then select Vault.
    2. Under List scope, select a compartment that contains the master encryption key.
    3. On the Vaults page, select the name of the vault to open the details page.
    4. On the Vault Details page, select Master Encryption Key under Resources and select the name of the key to open the details page.
    5. On the Key Details page, select Delete Keys.
    6. Confirm that you want to delete the key by typing the key name in the box.
    7. Schedule when you want the Vault service to delete the key. By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days. When you schedule the key for deletion, we recommend that you back up the key because all key management operations.
      Note

      When your key is scheduled for deletion, the auto-rotation setting is temporarily suspended but not disabled. Once the key returns to the Active state, auto-rotation is enabled again as it was at the time of key creation.
    8. Select Delete Key.
      Note

      If needed, you can restore use of the key and access to encrypted resources by selecting the Cancel Deletion button on the key details page.
  • Caution

    When you set a key to the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible. This includes secrets. The key also cannot be assigned or unassigned to any resources or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to resources currently encrypted by the key or preserve your data another way. If you want to restore use of a key before it is permanently deleted, you can cancel its deletion.

    Open a command prompt and run oci kms management key schedule-deletion to schedule a key's deletion:

    oci kms management key schedule-deletion --key-id <target_key_id> --endpoint <control_plane_url>

    For example:

    oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days. For example:

    oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --time-of-deletion 2019-06-30T10:00:00Z --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
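    As an added example (not OCI's code and not part of this page), the following Python helper builds the schedule-deletion command shown above with the 7 to 30 day window checked before anything is sent. The key OCID and management endpoint are the page's own example values; the check that the endpoint host contains `-management.kms.` is an assumption based on that example.

```python
import shlex
from datetime import datetime, timedelta, timezone

MIN_DAYS, MAX_DAYS = 7, 30              # window the Vault service accepts (default is 30)
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"          # format --time-of-deletion expects

# Example key OCID and management endpoint taken from the page's CLI example.
KEY_ID = ("ocid1.key.region1.sea.exampleaaacu2."
          "examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq")
ENDPOINT = "https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com"

def _utc(ts=None):
    """Parse an RFC 3339 UTC string, or return the current UTC time (seconds precision)."""
    if ts is None:
        return datetime.now(timezone.utc).replace(microsecond=0)
    return datetime.strptime(ts, RFC3339).replace(tzinfo=timezone.utc)

def deletion_time(days_from_now, now=None):
    """Timestamp `days_from_now` days after `now`; rejects values outside 7..30 days."""
    if not MIN_DAYS <= days_from_now <= MAX_DAYS:
        raise ValueError(f"deletion window must be {MIN_DAYS}-{MAX_DAYS} days, got {days_from_now}")
    return (_utc(now) + timedelta(days=days_from_now)).strftime(RFC3339)

def in_window(time_of_deletion, now=None):
    """True if an explicit --time-of-deletion is 7 to 30 days after `now`."""
    delta = _utc(time_of_deletion) - _utc(now)
    return timedelta(days=MIN_DAYS) <= delta <= timedelta(days=MAX_DAYS)

def schedule_deletion_cmd(key_id, endpoint, time_of_deletion=None, now=None):
    """Return argv for `oci kms management key schedule-deletion` after sanity checks."""
    if not key_id.startswith("ocid1.key."):
        raise ValueError("expected a master encryption key OCID (ocid1.key.*)")
    # Assumption: management endpoints carry "-management.kms." in the host, as in the
    # page's example; the cryptographic (data plane) endpoint does not serve this operation.
    if not endpoint.startswith("https://") or "-management.kms." not in endpoint:
        raise ValueError("use the vault's management (control plane) endpoint")
    if time_of_deletion is not None and not in_window(time_of_deletion, now):
        raise ValueError(f"{time_of_deletion} is outside the {MIN_DAYS}-{MAX_DAYS} day window")
    cmd = ["oci", "kms", "management", "key", "schedule-deletion",
           "--key-id", key_id, "--endpoint", endpoint]
    if time_of_deletion is not None:
        cmd += ["--time-of-deletion", time_of_deletion]
    return cmd

if __name__ == "__main__":
    # Shortest allowed window leaves the least time to cancel, so print the command, don't run it.
    print(shlex.join(schedule_deletion_cmd(KEY_ID, ENDPOINT, deletion_time(MIN_DAYS))))
```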

  • Run the ScheduleKeyDeletion operation to schedule deletion of the vault key using the Management Endpoint (KMSMANAGMENT).

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.