This topic provides answers to some frequently asked questions about key management.
Questions
Can I delete a key from KMS?
You can delete keys from Key Management Service (KMS) but you cannot delete service keys. KMS allows you only to schedule the deletion of a key.
You can specify a scheduled deletion period of 7 to 366 days. During the scheduled deletion period, you can verify the impact of deleting a key on your applications and users that depend on the key. You cannot use the key during the scheduled deletion period. If you want to reuse the key, you can cancel the deletion before the scheduled deletion period elapses. When the scheduled deletion period elapses, KMS deletes the key. You cannot restore the key after it is deleted. For more information about how to schedule the deletion of a key, see Schedule key deletion.
If you want to delete a key, we recommend that you disable the key and verify that no data needs to be decrypted by using the key. Then, you can schedule the deletion of the key. For more information, see Disable a key.
After a key is deleted, can I decrypt the data that is encrypted by using the key and the data key that is generated by using the key?
No, you cannot decrypt the data that is encrypted by using the key or the data key that is generated by using the key.
KMS allows you only to schedule the deletion of a key. When the scheduled deletion period that you specified elapses, the key is deleted and cannot be restored. During the scheduled deletion period, you can cancel the deletion.
If you delete a key that uses imported key material, you cannot use a new key to decrypt the data that is encrypted by using the deleted key regardless of whether the new key uses the same imported key material as the deleted key.
If you delete only the imported key material of a key without deleting the key, you can reimport the same key material into the key to make the key available. Data that is encrypted by using the key can still be decrypted.
If you want to delete a key, we recommend that you disable the key and verify that no data needs to be decrypted by using the key. Then, you can schedule the deletion of the key.
How does KMS ensure the security of keys?
KMS uses reliable algorithms to encrypt software-protected keys and then stores software-protected keys in your exclusive key store.
KMS stores hardware-protected keys in your exclusive hardware security module (HSM) cluster. You can use the HSM cluster to implement cryptographic operations. You must purchase Cloud Hardware Security Module to configure an HSM cluster.
Can I import key material into a key?
Yes, you can import key material into a key.
When you create a key, you can use the key material that is generated by KMS or use external key material. If you use external key material to create a key, you must import the key material into the key. For more information, see Import key material into a symmetric key and Import key material into an asymmetric key.
What do I do if a key is unavailable or if Rejected.Unavailable is returned when I call a key-related API operation?
The KMS instance to which the key belongs has expired.
Renew the KMS instance within 15 calendar days after expiration. Otherwise, the KMS instance is released. For more information, see Renewal.
If you do not need the KMS instance now but may require the keys or secrets in the instance later, we recommend that you back up the instance. For more information, see Backups.