Deleting managed keys

You can delete your managed keys in Unified Key Orchestrator with the UI, or programmatically with the Unified Key Orchestrator API.

When you delete a managed key, the key is unlinked from all keystores, and all of its key material and metadata are destroyed permanently.

Deleting managed keys with the UI

To delete a key in Active state, you need to first deactivate the key, and then destroy the key and remove it from the vault.

To delete a key in Pre-active or Deactivated state, you only need to destroy the key, and then remove it from the vault.

For more information about key states and transitions, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.

Follow these steps to complete the process:

  1. Log in to the Hyper Protect Crypto Services instance.

  2. Click Managed keys from the navigation to view all the available keys.

  3. If the managed key that you want to delete is in Active state, click the Actions icon and choose Deactivated to deactivate the key first.

    When you change an Active key to Deactivated state, the key and all of its versions are deleted and unlinked from all keystores, and are no longer accessible to the associated resources and their data. Make sure that you open the confirmation tile to check all the associated resources before you continue. You can still reactivate a Deactivated key so that it is accessible to the resources again.

  4. To destroy a Pre-active or Deactivated key, click the Actions icon and choose Destroyed.

  5. Click Destroy key to confirm. The key first enters a pending-destruction state and is destroyed when the pending period ends.

    After you move a key from Deactivated to Destroyed state, the key is pending destruction for a period defined by the destruction policy of the keystore in which the key was created. You cannot cancel a pending destruction from the Unified Key Orchestrator UI or API. However, you can still cancel it in the third-party keystore in which the key was created.

    For any key that is pending destruction, a pending flag is displayed in the corresponding key card or key list. When you hover over the pending flag, you can see the date on which the pending period ends. Refer to the following table for the destruction policy of each keystore type.

    Table 1. Key destruction policies
    Keystore type               Pending-destruction period   Period customizable on the external cloud provider side?
    AWS keystore                7 days                       No
    Azure Key Vault             90 days                      Yes
    Google Cloud KMS keystore   30 days                      Yes
    IBM Cloud KMS keystore      30 days                      No
    Key Protect                 30 days                      No

    When the pending-destruction period ends, the key is automatically moved to Destroyed state and can no longer be restored. Keys stored in IBM Cloud KMS keystores are purged automatically 60 days after the pending-destruction period ends.

  6. After the pending-destruction period ends, delete the key and its metadata from the vault by clicking the Actions icon and choosing Remove from vault.

    This action proactively deletes the managed key. After a key is removed from the vault, its metadata is removed permanently.

The managed key has been deleted and unlinked from all keystores. All key materials and metadata have been purged.

Deleting managed keys with the API

To delete a managed key through the API, follow these steps:

  1. Retrieve your service and authentication credentials to work with keys in the service.

  2. Delete a managed key by making a DELETE call to the following endpoint.

    https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/managed_keys/<id>

    Replace <id> with the ID of your managed key.

    For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.
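    The two API steps above as a script, added here as an example that is not code from the IBM Cloud docs or the Unified Key Orchestrator service. It exchanges an IBM Cloud API key for a bearer token at the standard IAM token endpoint, builds the DELETE request against the endpoint pattern shown in step 2, and turns the response into a result the caller can act on. The instance ID, region, key ID and API key are constructed placeholders; the `send` parameter is an injectable transport so the request logic can be exercised offline; treating HTTP 204 as the success status for the DELETE is an assumption to confirm against the API reference.

```python
"""Delete a managed key through the Unified Key Orchestrator API (added example)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Standard IBM Cloud IAM token endpoint.
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def http_send(req: urllib.request.Request, timeout: int = 30):
    """Default transport: perform the request and return (status, body), also on HTTP errors."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def iam_access_token(api_key: str, send=http_send) -> str:
    """Exchange an IBM Cloud API key for a short-lived bearer token."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    }).encode()
    req = urllib.request.Request(IAM_TOKEN_URL, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    status, body = send(req)
    if status != 200:
        raise RuntimeError(f"IAM token request failed with HTTP {status}: {body[:200]!r}")
    return json.loads(body)["access_token"]


def uko_base_url(instance_id: str, region: str) -> str:
    """Per-instance UKO API base URL, following the pattern shown in the docs."""
    if not UUID_RE.match(instance_id):
        raise ValueError("instance ID must be a UUID")
    if not re.fullmatch(r"[a-z]{2}-[a-z]+", region):  # e.g. us-south, eu-de
        raise ValueError("unexpected region format")
    return f"https://{instance_id}.uko.{region}.hs-crypto.appdomain.cloud"


def delete_managed_key_request(base_url: str, key_id: str, token: str) -> urllib.request.Request:
    """Build DELETE /api/v4/managed_keys/<id>.

    The UUID check keeps a caller-supplied ID from becoming a path such as
    '../some_other_resource' when it is interpolated into the URL.
    """
    if not UUID_RE.match(key_id):
        raise ValueError("managed key ID must be a UUID")
    req = urllib.request.Request(f"{base_url}/api/v4/managed_keys/{key_id}", method="DELETE")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def delete_managed_key(base_url: str, key_id: str, token: str, send=http_send) -> dict:
    """Issue the DELETE and summarise the outcome. 204 as success is an assumption."""
    req = delete_managed_key_request(base_url, key_id, token)
    status, body = send(req)
    result = {"key_id": key_id, "status": status, "deleted": status == 204, "message": ""}
    if not result["deleted"]:
        # Error bodies are expected to be JSON with an "errors" list; fall back to raw text.
        try:
            errors = json.loads(body or b"{}").get("errors", [])
            result["message"] = "; ".join(e.get("message", "") for e in errors) \
                or body.decode(errors="replace")
        except ValueError:
            result["message"] = body.decode(errors="replace")
    return result


if __name__ == "__main__":
    import os
    # Constructed placeholders: use your own instance ID, region, key ID and API key.
    base = uko_base_url("1a2b3c4d-0000-4000-8000-000000000001", "us-south")
    token = iam_access_token(os.environ["IBMCLOUD_API_KEY"])
    print(delete_managed_key(base, "9f8e7d6c-0000-4000-8000-0000000000aa", token))
```

Run it with the API key in `IBMCLOUD_API_KEY` rather than on the command line, so the key does not land in shell history. A non-204 result carries the service's error message, which is where a key that is not yet in a deletable state, or an ID that does not exist in this instance, will show up.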

What's next