Deleting managed keys

Deleting managed keys with the UI

To delete a key in Active state, you need to first deactivate the key, and then destroy the key and remove it from the vault.

To delete a key in Pre-active or Deactivated state, you only need to destroy the key, and then remove it from the vault.

For more information about key states and transitions, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.

Follow these steps to complete the process:

1. Log in to the Hyper Protect Crypto Services instance.

2. Click Managed keys from the navigation to view all the available keys.

3. If the managed key that you want to delete is in Active state, click the Actions icon and choose Deactivated to deactivate the key first.

   When you change the Active key to Deactivated state, the key and all it versions are deleted and unlinked from all the keystores, and not accessible to all associated resources and their data. Make sure that you open the confirmation tile to check all the associated resources before you continue. However, you can still reactivate the key so that it is accessible to the resources again.

4. To destroy a Pre-active or Deactivated key, click the Actions icon and choose Destroyed.

5. Click Destroy key to confirm. The key will first be pending destruction and then destroyed after the pending period ends.

   After you move a key from Deactivated to Destroyed state, the key will first be pending on destruction for a time period defined by the destruction policies of the external cloud providers. You cannot cancel pending destruction using the Unified Key Orchestrator UI or API. However, you can still do so through the third-party keystores that the keys are created in.

   For any pending destruction keys, a pending flag is displayed in the corresponding key card or the key list. When you hover over the pending flag, you can see the date which it will end the pending state. Refer to the following table for detailed destruction policies of keystores.

   Table 1. Key destruction policies

   Keystore type	Key pending destruction policy	Pending period customizable on the external cloud provider side? (Yes/No)
   AWS keystore	7 days	No
   Azure Key Vault	90 days	Yes
   Google Cloud KMS keystore	30 days	Yes
   IBM Cloud KMS keystore	30 days	No
   Key Protect	30 days	No

   When the pending-destruction period ends, the key will be automatically moved to Destroyed state and can no longer be restored. For keys stored in IBM Cloud KMS keystores, the keys will become purged automatically in 60 days after the pending-destruction period ends.

6. After the pending-destruction period ends, you can delete the key and metadata from the vault by clicking the Actions icon and choose Remove from vault.

   This action proactively deletes the managed key. After a key is removed from vault, the associated key metadata is removed permanently.

The managed key has been deleted and unlinked from all keystores. All key materials and metadata have been purged.

Deleting managed keys with the API

To delete a managed key through the API, follow these steps:

1. Retrieve your service and authentication credentials to work with keys in the service.

2. Delete a managed key by making a DELETE call to the following endpoint.

   https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/managed_keys/<id>
   
   

   Replace <id> with the ID of your managed key.

   For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.