IBM Cloud Docs
Why can't I delete keys?

When you use the UI, you're unable to delete a key.

From the IBM Cloud dashboard, you select your instance of the Hyper Protect Crypto Services service.

You're assigned the Manager role for the service instance. You try to delete a key, but the action fails with one of the following error messages:

  • Error message 1:

    The service was not able to delete key "<key_name>". The key cannot be deleted because it is protecting one or more cloud resources that have a retention policy.

  • Error message 2:

    The service was not able to delete key "<key_name>". Because the key is enabled with the dual authorization policy and you set the key for deletion, a second approver needs to continue with the key deletion operation.

Each error has a distinct cause:

  • Error message 1 means that the key is actively protecting one or more cloud resources, such as a Cloud Object Storage bucket, and at least one of those resources has a retention policy.

  • Error message 2 means that the key is enabled with the dual authorization policy, which requires two different users to authorize the deletion. You set the key for deletion, so you now need the second approver to complete it.

To resolve each error:

  • For error message 1, review the resources that are associated with the key before you try to delete it.

    You can force the deletion of a key that is still protecting cloud resources. Be aware that a forced deletion makes the data in those resources permanently unreadable, because the key that wraps their data encryption keys is gone. Even a forced deletion does not succeed if any associated resource is non-erasable because of a retention policy. You can verify whether a key is associated with a non-erasable resource by checking the registration details for the key. If it is, contact an account owner to remove the retention policy on each resource that is associated with the key before you delete the key.

    If you no longer need the resources that are associated with the key, you can instead delete the associated resources first and then delete the key.

  • For error message 2, two different users must take part in the deletion when the dual authorization policy is enabled for your instance or for the key.

    The first approver must have the Writer or Manager role and sets the key for deletion. The second approver must be a different user with the Manager role and must complete the deletion within 7 days; after that, the authorization expires and the key must be set for deletion again. For more information, see Deleting keys by using dual authorization.
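The following added example (not IBM code) shows how an operator can work out which of the two situations above is blocking a deletion before clicking through the UI again. It inspects a registrations response and the key's dual-authorization state and returns the next step that will actually make progress, then builds the REST call that corresponds to a forced deletion. The `preventKeyDeletion` and `resourceCrn` fields follow the Key Protect key-management API that Hyper Protect Crypto Services also serves; the `dualAuthDelete` field names, the key and instance IDs, the CRNs, and the regional host name are assumptions made for illustration, and both sample responses are constructed rather than captured from a live instance.

```python
"""Decide what is blocking a Hyper Protect Crypto Services key deletion.

Added illustration, not IBM's code. The registrations fields (resourceCrn,
preventKeyDeletion) match the Key Protect API; the dualAuthDelete shape,
IDs, CRNs and host name below are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample for GET /api/v2/keys/{id}/registrations: one bucket with a
# retention policy (non-erasable) and one without.
SAMPLE_REGISTRATIONS = json.dumps({
    "metadata": {"collectionType": "application/vnd.ibm.kms.registration+json",
                 "collectionTotal": 2},
    "resources": [
        {"resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/acct1:inst1:bucket:audit-archive",
         "preventKeyDeletion": True,
         "description": "Bucket with a retention policy (assumed)"},
        {"resourceCrn": "crn:v1:bluemix:public:cloud-object-storage:global:a/acct1:inst1:bucket:scratch",
         "preventKeyDeletion": False,
         "description": "Bucket without a retention policy (assumed)"},
    ],
})

# Constructed sample with only the erasable bucket registered.
NO_RETENTION_REGISTRATIONS = json.dumps({
    "metadata": {"collectionType": "application/vnd.ibm.kms.registration+json",
                 "collectionTotal": 1},
    "resources": [json.loads(SAMPLE_REGISTRATIONS)["resources"][1]],
})

# Constructed key metadata: dual authorization enabled and the first approver has
# already set the key for deletion. Field names are an assumption.
SAMPLE_KEY_META = {
    "id": "11111111-2222-4333-8444-555555555555",
    "dualAuthDelete": {"enabled": True, "keySetForDeletion": True,
                       "authExpiration": "2024-06-08T10:00:00Z"},
}


def _parse_utc(stamp):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def blocking_registrations(registrations_json):
    """CRNs of resources whose retention policy makes the key non-deletable, even with force."""
    data = json.loads(registrations_json)
    return [r["resourceCrn"] for r in data.get("resources", []) if r.get("preventKeyDeletion")]


def plan_key_deletion(key_meta, registrations_json, now_iso):
    """Return the next step that will make progress, mirroring the two error messages."""
    blocked = blocking_registrations(registrations_json)
    if blocked:
        # Error message 1: nothing the key owner does helps until the retention
        # policy is removed by an account owner.
        return {"step": "remove_retention_policy", "resources": blocked}

    dual = key_meta.get("dualAuthDelete", {})
    if dual.get("enabled"):
        if not dual.get("keySetForDeletion"):
            return {"step": "set_key_for_deletion", "role": "Writer or Manager"}
        if _parse_utc(now_iso) > _parse_utc(dual["authExpiration"]):
            # The 7-day window has passed; the first approver must start over.
            return {"step": "set_key_for_deletion", "role": "Writer or Manager",
                    "reason": "authorization expired"}
        # Error message 2: a different user with the Manager role finishes the job.
        return {"step": "delete_as_second_approver", "role": "Manager"}

    has_registrations = bool(json.loads(registrations_json).get("resources"))
    return {"step": "delete", "force": has_registrations}


def delete_request(key_id, instance_id, bearer_token, force,
                   host="api.us-south.hs-crypto.cloud.ibm.com"):
    """Describe the DELETE /api/v2/keys/{id} call; force=true is the REST form of a forced deletion.

    The host is an assumed regional endpoint; nothing is sent over the network here.
    """
    url = f"https://{host}/api/v2/keys/{key_id}" + ("?force=true" if force else "")
    return {"method": "DELETE", "url": url,
            "headers": {"Authorization": f"Bearer {bearer_token}",
                        "Bluemix-Instance": instance_id,
                        "Accept": "application/vnd.ibm.kms.key+json"}}


if __name__ == "__main__":
    print(plan_key_deletion(SAMPLE_KEY_META, SAMPLE_REGISTRATIONS, "2024-06-05T00:00:00Z"))
    print(plan_key_deletion(SAMPLE_KEY_META, NO_RETENTION_REGISTRATIONS, "2024-06-05T00:00:00Z"))
    print(delete_request(SAMPLE_KEY_META["id"], "instance-id-assumed", "token-assumed", force=True)["url"])
```

The retention check runs first on purpose: a Manager who forces a deletion without looking at registrations gets error message 1 anyway, and if the forced deletion had gone through it would have cryptographically shredded every resource the key still protects. Treat `force=true` as a deliberate, reviewed action rather than a retry knob.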