Deleting a Vault Key
Delete a master encryption key from a vault in OCI Vault service.
- Note
When a key is in the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible, including secrets. The key also cannot be assigned or unassigned to any resources or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to resources currently encrypted by the key or preserve your data another way. If you want to restore the use of a key before it is permanently deleted, you can cancel its deletion. - Caution
When you set a key to the Pending Deletion state, anything encrypted by that key immediately becomes inaccessible. This includes secrets. The key also cannot be assigned or unassigned to any resources or otherwise updated. When the key is deleted, all key material and metadata is irreversibly destroyed. Before you delete a key, either assign a new key to resources currently encrypted by the key or preserve your data another way. If you want to restore use of a key before it is permanently deleted, you can cancel its deletion.Open a command prompt and run
oci kms management key schedule-deletion
to schedule a key's deletion:oci kms management key schedule-deletion --key-id <target_key_id> --endpoint <control_plane_url>
For example:
oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com
By default, the service schedules keys for deletion 30 days from the current date and time. You can set a range between 7 days and 30 days. For example:
oci kms management key schedule-deletion --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --time-of-deletion 2019-06-30T10:00:00Z --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com
For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
Run the ScheduleKeyDeletion operation to delete the vault key using the KMSMANAGMENT endpoint.
Note
Each region uses the KMSMANAGMENT endpoint for managing keys. This endpoint is referred to as the control plane URL or vault management endpoint. For regional endpoints, see the API Documentation.For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.