Oracle Cloud Infrastructure Documentation

Deleting Key References

Delete a key reference which is a non-recoverable action in OCI vault.

The delete operation for key references is a non-recoverable action. However, when you delete a key reference on KMS, this operation does not delete the actual key in the CCKM. OCI KMS does not allow immediate deletion of the key reference. The operation is in pending deletion state (minimum 7 days) to prevent accidental key reference deletion. Also, key reference deletion follows the same deletion pattern of an external key in CCKM.

  • This task can't be performed using the Console.

    1. Open the Oracle Cloud Console navigation menu and click Identity & Security. Under Key Management and Secret Management, click External Key Management.
    2. In the External key Management home page, select a vault from the summary table.
    3. In the Vault Details page, select a key reference.
    4. In the Key Reference Details page, click Delete.
      Note

      OCI KMS provides 7 days buffer time for you to delete a key reference. When you schedule a key reference for deletion, you can see it in transition state and all actions on the Key Reference Details page are disabled. However, deleting a key reference does not delete the external key
      .
    5. .

  • Open a command prompt and run oci kms management key schedule-deletion to delete a key reference:

    oci kms management key schedule-deletion –external-key-reference-id <target_key_id> --endpoint <control_plane_url>

    Avoid entering confidential information.

    For a complete list of flags and variable options for Vault CLI commands, see Command Line Reference.

  • Run the ScheduleKeyDeletion operation to delete a key reference.

    Note

    For information about using the API and signing requests, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.