Deleting managed keys

You can delete your managed keys in Unified Key Orchestrator with the UI, or programmatically with the Unified Key Orchestrator API.

When you delete a managed key, the key is unlinked from all keystores, and all key material and metadata are destroyed permanently.

Deleting managed keys with the UI

To delete a key in Active state, you need to first deactivate the key, and then destroy the key and remove it from the vault.

To delete a key in Pre-active or Deactivated state, you only need to destroy the key, and then remove it from the vault.

For more information about key states and transitions, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.

Follow these steps to complete the process:

  1. Log in to the Hyper Protect Crypto Services instance.

  2. Click Managed keys from the navigation to view all the available keys.

  3. If the managed key that you want to delete is in Active state, click the Actions icon and choose Deactivated to deactivate the key first.

    When you change an Active key to Deactivated state, the key is unlinked from all keystores and is no longer accessible to any associated resources or their data. Make sure that you open the confirmation tile to check all the associated resources before you continue. You can still reactivate a Deactivated key so that it is accessible to the resources again.

  4. To destroy a Pre-active or Deactivated key, click the Actions icon and choose Destroyed.

  5. Click Destroy key to confirm. The key will be pending destruction and then destroyed after the pending period ends.

    After the managed key is destroyed, you cannot restore it.

    For keys stored in IBM Cloud KMS keystores, the keys are purged automatically 90 days after they move to Destroyed state.

     After you move a key from Deactivated to Destroyed state, the key is first pending destruction for a period defined by the destruction policy of the external cloud provider. You cannot cancel pending destruction through the Unified Key Orchestrator UI or API, but you might still be able to do so through the third-party keystore in which the key was created. When the period ends, the key moves to Destroyed state. Keys that are pending destruction show a `pending` flag in the corresponding key card and in the key list; hover over the `pending` flag to see the date on which the pending period ends. Refer to the following table for the destruction policy of each keystore type.
    
     | Keystore type | Key pending destruction policy | Pending period customizable on the external cloud provider side? (Yes/No) |
     |---|---|---|
     | AWS keystore | 7 days | No |
     | Azure Key Vault | 90 days | Yes |
     | Google Cloud KMS keystore | 30 days | Yes |
     | IBM Cloud KMS keystore | 30 days | No |
     | Key Protect | 30 days | No |
     {: caption="Table 1. Key destruction policies" caption-side="bottom"}
    
     Note that for keys stored in IBM Cloud KMS keystores, the keys are purged automatically 60 days after they move to Destroyed state.
    
  6. To remove the key and its metadata from the vault, click the Actions icon and choose Remove from vault.

    When you remove the managed key from the vault that it is assigned to, the remaining key metadata is removed permanently.

The managed key has been deleted and unlinked from all keystores. All key materials and metadata have been destroyed.

Deleting managed keys with the API

To delete a managed key through the API, follow these steps:

  1. Retrieve your service and authentication credentials to work with keys in the service.

  2. Delete a managed key by making a DELETE call to the following endpoint:

    https://uko.<region>.hs-crypto.cloud.ibm.com:<port>/api/v4/managed_keys/<id>

    Replace <id> with the ID of your managed key.

    For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.
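As an added example (not IBM's code and not part of the API reference), the following Python script performs the DELETE call above and first applies the rule from the UI section that an Active key must be deactivated before it can be deleted; because deletion is irreversible, the result records the state the key was in. It assumes a `UKO-Vault` header carrying the vault ID, a `state` field in the key's JSON, and UUID-style key IDs; `FakeResponse` and `fake_opener_for` are a constructed transport so the script runs offline.

```python
import io
import json
import re
import urllib.error
import urllib.request

# Assumption: managed key IDs are UUID-style; anything else is refused so a malformed
# or untrusted id cannot rewrite the request path.
KEY_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")

def managed_key_url(region, port, key_id):
    """Fill the placeholders of the endpoint given on the page."""
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError(f"unexpected managed key id: {key_id!r}")
    return f"https://uko.{region}.hs-crypto.cloud.ibm.com:{port}/api/v4/managed_keys/{key_id}"

def build_request(method, url, token, vault_id):
    """IAM bearer token plus vault header (the UKO-Vault header name is an assumption)."""
    headers = {"Authorization": f"Bearer {token}", "UKO-Vault": vault_id}
    return urllib.request.Request(url, method=method, headers=headers)

def delete_managed_key(region, port, key_id, token, vault_id, opener=urllib.request.urlopen):
    """Apply the page's rule (an Active key must be deactivated first), then DELETE.
    Deletion is irreversible, so the result records the state seen and the outcome."""
    url = managed_key_url(region, port, key_id)
    with opener(build_request("GET", url, token, vault_id)) as resp:
        state = json.load(resp).get("state")  # assumption: key JSON carries "state"
    if state == "active":
        return {"deleted": False, "state": state, "reason": "deactivate the key first"}
    try:
        with opener(build_request("DELETE", url, token, vault_id)) as resp:
            ok = 200 <= resp.status < 300
    except urllib.error.HTTPError as exc:
        return {"deleted": False, "state": state, "reason": f"HTTP {exc.code}"}
    return {"deleted": ok, "state": state, "reason": None}

class FakeResponse(io.BytesIO):
    """Constructed offline stand-in for the response object urlopen returns."""
    def __init__(self, status, body):
        super().__init__(body)
        self.status = status

def fake_opener_for(state, log):
    """Constructed transport: GET returns the given key state, DELETE returns 204."""
    def opener(req):
        log.append(req.get_method())
        if req.get_method() == "GET":
            return FakeResponse(200, json.dumps({"state": state}).encode())
        return FakeResponse(204, b"")
    return opener
```

Against a real instance, drop the `opener` argument so `urllib.request.urlopen` is used with a current IAM token and your vault ID.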

What's next