Deleting service instances

You can delete your IBM Cloud® Hyper Protect Crypto Services instance with the UI or the IBM Cloud CLI. To do so, you need to set all the crypto units of the service instance back to imprint mode by zeroizing the crypto units. A crypto unit is a single unit that represents a hardware security module and the corresponding software stack that is dedicated to the hardware security module for cryptography. Imprint mode is an operational mode in which crypto units are assigned to a user.

Before you begin

  1. Follow these instructions to set the environment variable CLOUDTKEFILES on your workstation to specify the directory where you saved the master key part files and signature key files you created when you initialized your service instance.
  2. Log in to IBM Cloud also by following these instructions.

Step 1: Delete keys

To delete keys in the service instance, you need to delete root keys with the standard plan and managed keys with the Unified Key Orchestrator plan through the UI or the CLI.

Deleting root keys from the UI - Standard plan

You can delete root keys of Hyper Protect Crypto Services from the UI resources page by completing the following steps:

  1. Log in to the UI.
  2. Go to Menu > Resource list to view a list of your resources.
  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services.
  4. On the KMS keys page, use the Keys table to browse the keys in your service.
  5. Select the key that you want to delete and click the Actions icon to open a list of options for the key.
  6. From the options menu, click Delete key, enter the key name to confirm the key to be deleted, and click Delete key.

Deleting managed keys from the UI - Unified Key Orchestrator plan

You can delete managed keys of Hyper Protect Crypto Services Unified Key Orchestrator from the UI resources page by completing the following steps:

  1. Log in to the Hyper Protect Crypto Services instance.
  2. Click Managed keys from the navigation to view all the available keys.
  3. If the managed key that you want to delete is in Active state, click the Actions icon and choose Deactivated to deactivate the key first.
  4. To destroy a Pre-active or Deactivated key, click the Actions icon and choose Destroyed.
  5. Click Destroy key to confirm.
  6. To remove the key and the metadata from the vault, click the Actions icon and choose Remove from vault.

Deleting root keys from the IBM Cloud CLI - Standard plan

You can delete root keys of Hyper Protect Crypto Services from the IBM Cloud CLI by running the following command:

ibmcloud kp key delete KEY_ID_OR_ALIAS
    -i, --instance-id INSTANCE_ID
    [--key-ring KEY_RING_ID]
    [-f, --force]
    [-o, --output OUTPUT]

Deleting managed keys from the IBM Cloud CLI - Unified Key Orchestrator plan

You can delete managed keys of Hyper Protect Crypto Services from the IBM Cloud CLI by running the following command:

ibmcloud hpcs uko managed-key-delete --id ID --uko-vault UKO-VAULT --if-match IF-MATCH
  • ID is the UUID of the key. To retrieve the key UUID, use the ibmcloud hpcs uko managed-keys command.
  • UKO-VAULT is the UUID of the vault. To retrieve the vault UUID, use the ibmcloud hpcs uko vaults command.
  • IF-MATCH is the value of the ETag from the header on a GET request. To retrieve the ETag, use the ibmcloud hpcs uko managed-key command.

Step 2: Select the crypto units to be deleted

  1. To select the administrators to sign TKE commands, use the following command:

    ibmcloud tke sigkey-sel
    

    A list of signature keys that are found on the workstation is displayed. When prompted, enter the key numbers of the signature key files to select for signing future administrative commands. When prompted, enter the passwords for the signature key files.

  2. To list the numbers of crypto units in the target resource group under the current user account, run the following command:

    ibmcloud tke cryptounits
    
  3. Check whether the crypto units that you want to zeroize are marked as true. If not, add the crypto units by running the following command:

    ibmcloud tke cryptounit-add
    

    A list of the crypto units in the target resource group under the current user account is displayed. When prompted, enter the numbers of the crypto units to be zeroized to add them to the selected crypto unit list.

Step 3: Zeroize crypto units

The master key is an encryption key that is used to protect a crypto unit. The master key provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key.

If you initialize your service instance and load the master key to the service instance, you need to set the crypto units back to imprint mode with the following steps:

  1. Clear all crypto unit administrators and the master key registers with one of the following options:

    • If you initialize your service instance through IBM Cloud Trusted Key Entry (TKE) command-line interface (CLI) plug-in, run the following command to zeroize the crypto units in the TKE CLI plug-in:

      ibmcloud tke cryptounit-zeroize
      
    • If you initialize your service instance through the Management Utilities, in the user interface of the TKE application, select Imprint mode > Zeroize crypto unit.

  2. To zeroize the crypto units, when prompted, enter the password for the administrator signature key to be used. Make sure that your signature key files are properly saved either on your workstation or on your smart cards. Otherwise, you are not able to perform this action.

After you zeroize the crypto unit, the administrator signature keys (encryption keys that are used by the crypto unit administrator to sign commands that are issued to the crypto unit) and the master key are cleared from the crypto unit, which means you are not able to access keys that are protected by the master key. Any resources that are associated with the root keys cannot be accessed. However, you might still be charged for the resources, such as the Immutable Object Storage, as long as the policy is enforced.
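
The following shell function is an added example, not part of the IBM documentation. For the TKE CLI plug-in case, it checks before Step 2 that CLOUDTKEFILES points at a directory that still holds signature key files, because the zeroize command cannot be signed without them. The `.sigkey` file suffix, the `SIGKEY_GLOB` variable and the function name `tke_preflight` are assumptions of this example, and the permission check is extra hygiene that the page does not require.

```sh
#!/bin/sh
# Added example: preflight for the TKE CLI plug-in path (key files on the
# workstation, not on smart cards).
# Assumption: signature key files in $CLOUDTKEFILES end in ".sigkey";
# set SIGKEY_GLOB if yours are named differently.
SIGKEY_GLOB="${SIGKEY_GLOB:-*.sigkey}"

# Prints findings. Returns 0 = ready, 1 = cannot sign the zeroize command
# from this workstation, 2 = key files present but too widely accessible.
tke_preflight() {
    dir="${CLOUDTKEFILES:-}"
    if [ -z "$dir" ]; then
        echo "FAIL: CLOUDTKEFILES is not set"
        return 1
    fi
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "FAIL: $dir is not a readable directory"
        return 1
    fi
    # Count regular, non-empty files that look like signature key files.
    n=$(find "$dir" -type f -name "$SIGKEY_GLOB" -size +0 | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no signature key files ($SIGKEY_GLOB) in $dir"
        return 1
    fi
    echo "OK: $n signature key file(s) in $dir"
    # Hygiene check (not from the page): flag key files that group or
    # other can read or write.
    loose=$(find "$dir" -type f -name "$SIGKEY_GLOB" \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) |
        wc -l | tr -d ' ')
    if [ "$loose" -gt 0 ]; then
        echo "WARN: $loose key file(s) accessible to group or other"
        return 2
    fi
    return 0
}
```

Run `tke_preflight` before `ibmcloud tke sigkey-sel`; a return value of 1 means that Step 3 cannot be signed from this workstation.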

Step 4: Optional - Uninstall the Hyper Protect Crypto Services utilities

Before you delete the service instance, you might want to uninstall the utilities that are associated with Hyper Protect Crypto Services first.

Uninstall the TKE CLI plug-in

If you initialize your service instance by loading master key parts from your workstation, uninstall the TKE CLI plug-in with the following command:

ibmcloud plugin uninstall tke

If you want to uninstall the entire IBM Cloud CLI, see Uninstalling the stand-alone IBM Cloud CLI.

Uninstall the Management Utilities

If you initialize your service instance by loading master key parts from smart cards, follow these steps to uninstall the Hyper Protect Crypto Services Management Utilities.

  • Linux operating system

    1. From the command line, enter the directory where the Management Utilities are installed with the following command:

      cd <management_utilities_directory>
      
    2. Enter the _installation subdirectory with the following command:

      cd _installation
      
    3. To uninstall the Management Utilities, run the following command:

      ./uninstall
      

Step 5: Delete your service instance

After you set the crypto units to imprint mode, you can choose to delete your service instance through the UI resources page, the instance details page, or the CLI.

Deleting instances from the UI resources page

You can delete an instance of Hyper Protect Crypto Services from the UI resources page by completing the following steps:

  1. From the UI, click Resource list from the navigation.
  2. Find the Hyper Protect Crypto Services service instance that you want to delete under the Services section.
  3. Click the Actions icon to open the actions menu.
  4. Click Delete.

Deleting instances from the UI instance details page

You can delete an instance of Hyper Protect Crypto Services from the UI instance details page by completing the following steps:

  1. From the UI, click Resource list from the navigation.
  2. Find the Hyper Protect Crypto Services service instance that you want to delete under the Services section and click the instance name to open the instance details page.
  3. Click the Actions icon to open the service instance actions menu.
  4. Click Delete service.

Deleting instances from the IBM Cloud CLI

You can delete an instance of Hyper Protect Crypto Services from the IBM Cloud CLI by running the following command:

ibmcloud resource service-instance-delete <instance_name|instance_ID>

Replace instance_name with your instance name and instance_ID with your service instance ID. You can use either the instance name or the service instance ID to run the command.