Deleting a Vault Key

Delete a master encryption key from a vault in OCI Vault service.

  • Note

    When a key is in the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible, including secrets. The key also cannot be assigned to or unassigned from any resource, or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to the resources currently encrypted by it or preserve your data another way. If you want to restore use of a key before it is permanently deleted, you can cancel its deletion.
    1. Open the navigation menu, select Identity & Security, and then select Vault.
    2. Under List scope, select the compartment that contains the master encryption key.
    3. On the Vaults page, click the name of the vault to open its details page.
    4. On the Vault Details page, click Master Encryption Keys under Resources, and then click the name of the key to open its details page.
    5. On the Key Details page, click Delete Key.
    6. Confirm that you want to delete the key by typing the key name in the box.
    7. Schedule when you want the Vault service to delete the key. By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days. When you schedule the key for deletion, we recommend that you back up the key first, because all key management operations
      Note

      While the key is scheduled for deletion, its auto-rotation setting is suspended, not disabled. If you cancel the deletion and the key returns to the Active state, auto-rotation resumes with the setting it had before.
    8. Click Delete Key.
      Note

      If needed, you can restore use of the key and access to the resources it encrypts by clicking Cancel Deletion on the Key Details page at any time before the scheduled deletion time.
  • Open a command prompt and run oci kms management key schedule-deletion to schedule a key's deletion:

    oci kms management key schedule-deletion --key-id <target_key_id> --endpoint <control_plane_url>

    For example:

    oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days by passing --time-of-deletion as an RFC 3339 timestamp in UTC. For example:

    oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --time-of-deletion 2019-06-30T10:00:00Z --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Run the ScheduleKeyDeletion operation to schedule deletion of the vault key, using the KMSMANAGEMENT endpoint. To restore the key before the scheduled time, run the CancelKeyDeletion operation against the same endpoint.

    Note

    Each region uses the KMSMANAGEMENT endpoint for managing keys. This endpoint is referred to as the control plane URL or vault management endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
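The Console, CLI and API paths above all perform the same operation, and the two things that go wrong in practice are a deletion date outside the 7-to-30-day window and scheduling deletion of a key that is already pending deletion. The following script is an added example written for this page; it is not Oracle's code and not part of the OCI SDK. It assumes the OCI Python SDK (`pip install oci`) and a configured ~/.oci/config profile; the key OCID and management endpoint are placeholders passed on the command line. The window and timestamp helpers are pure so they can be checked without a tenancy, and the list of lifecycle states from which the script is willing to schedule deletion is this example's own conservative choice, not a documented rule.

```python
"""Schedule (or cancel) deletion of an OCI Vault master encryption key, with the
7-to-30-day deletion window and the key's lifecycle state checked first.

Added example for this page, not Oracle's code. Assumes the OCI Python SDK and a
configured ~/.oci/config profile; key OCID and endpoint are placeholders.
"""
from __future__ import annotations

import datetime as dt
import sys

MIN_DAYS = 7    # the service rejects deletion dates closer than this
MAX_DAYS = 30   # ... or farther out than this (30 days is also the default)
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"   # the --time-of-deletion format shown on the page

# Conservative pre-check chosen for this example: only schedule deletion from
# these states. A key already PENDING_DELETION (or transitioning) is left alone.
SCHEDULABLE_STATES = frozenset({"ENABLED", "DISABLED"})


def utc_now() -> dt.datetime:
    return dt.datetime.now(dt.timezone.utc)


def parse_utc(ts: str) -> dt.datetime:
    """Parse an RFC 3339 UTC timestamp such as 2019-06-30T10:00:00Z."""
    return dt.datetime.strptime(ts, RFC3339).replace(tzinfo=dt.timezone.utc)


def to_rfc3339(when: dt.datetime) -> str:
    return when.astimezone(dt.timezone.utc).strftime(RFC3339)


def deletion_time(days_from_now: int, now: dt.datetime | None = None) -> dt.datetime:
    """UTC instant `days_from_now` days ahead; ValueError if outside the window."""
    if not MIN_DAYS <= days_from_now <= MAX_DAYS:
        raise ValueError(f"deletion must be {MIN_DAYS}-{MAX_DAYS} days out, got {days_from_now}")
    now = now or utc_now()
    return (now + dt.timedelta(days=days_from_now)).astimezone(dt.timezone.utc)


def validate_time_of_deletion(ts: str, now: dt.datetime | None = None) -> dt.datetime:
    """Check an explicit --time-of-deletion value lies 7 to 30 days after `now`."""
    when = parse_utc(ts)
    delta = when - (now or utc_now())
    if not dt.timedelta(days=MIN_DAYS) <= delta <= dt.timedelta(days=MAX_DAYS):
        raise ValueError(f"{ts} is {delta.days} days out; must be {MIN_DAYS}-{MAX_DAYS}")
    return when


def can_schedule(lifecycle_state: str) -> bool:
    return lifecycle_state in SCHEDULABLE_STATES


def schedule_deletion_argv(key_id: str, endpoint: str, when: dt.datetime) -> list[str]:
    """The CLI command from the page, with --time-of-deletion filled in."""
    return ["oci", "kms", "management", "key", "schedule-deletion",
            "--key-id", key_id, "--endpoint", endpoint,
            "--time-of-deletion", to_rfc3339(when)]


def schedule_with_sdk(key_id: str, endpoint: str, days_from_now: int, profile: str = "DEFAULT"):
    """ScheduleKeyDeletion via the SDK, refusing keys not in a schedulable state."""
    import oci  # imported lazily so the pure helpers work without the SDK installed

    config = oci.config.from_file(profile_name=profile)
    client = oci.key_management.KmsManagementClient(config, service_endpoint=endpoint)
    key = client.get_key(key_id).data
    if not can_schedule(key.lifecycle_state):
        raise RuntimeError(f"refusing: key {key.display_name} is {key.lifecycle_state}")
    details = oci.key_management.models.ScheduleKeyDeletionDetails(
        time_of_deletion=deletion_time(days_from_now))
    return client.schedule_key_deletion(key_id, details).data


def cancel_with_sdk(key_id: str, endpoint: str, profile: str = "DEFAULT"):
    """CancelKeyDeletion via the SDK (the Cancel Deletion button) before the deadline."""
    import oci

    config = oci.config.from_file(profile_name=profile)
    client = oci.key_management.KmsManagementClient(config, service_endpoint=endpoint)
    return client.cancel_key_deletion(key_id).data


if __name__ == "__main__":
    # usage: python schedule_key_deletion.py schedule|cancel <key_ocid> <endpoint> [days]
    action, key_id, endpoint = sys.argv[1:4]
    if action == "schedule":
        days = int(sys.argv[4]) if len(sys.argv) > 4 else MAX_DAYS
        key = schedule_with_sdk(key_id, endpoint, days)
        print(key.lifecycle_state, key.time_of_deletion)
    else:
        print(cancel_with_sdk(key_id, endpoint).lifecycle_state)
```

Run it as `python schedule_key_deletion.py schedule <key_ocid> <control_plane_url> 14` to schedule deletion two weeks out, or `cancel` to reverse it. The script checks the key's lifecycle state with GetKey before calling ScheduleKeyDeletion, so a second run against a key that is already pending deletion fails loudly instead of silently succeeding; `schedule_deletion_argv` produces the equivalent CLI invocation if you would rather review the command before running it.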