After you import key material into an external customer master key (CMK), you can remove the key material independently of the CMK. Once the key material is removed, the external CMK can no longer be used, and the ciphertext encrypted by using the external CMK cannot be decrypted. This topic describes how to remove key material.

Prerequisites

Key material is imported. For more information, see Import key material.

Background information

After you import key material into an external CMK, you can use the external CMK in the same way as a regular CMK. The only difference is that the key material of an external CMK may expire and can be removed independently of the CMK. After the key material of an external CMK expires or is removed, the external CMK can no longer be used, and the ciphertext encrypted by using the external CMK cannot be decrypted. After you remove the imported key material, you can re-import the same key material to make the relevant CMK available again. Therefore, we recommend that you save a copy of the key material.

Remove key material in the KMS console

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to remove key material.
  3. In the left-side navigation pane, click Keys.
  4. Find the CMK from which you want to remove key material and click its alias in the Key column to go to the CMK management page.
  5. In the Key Material section, click Delete Key Material.
  6. In the Delete Key Material message, click OK.
    After the key material is removed, the status of the CMK changes from Enabled to Pending Import.

Remove key material by using Alibaba Cloud CLI

Run the aliyun kms DeleteKeyMaterial command, which calls the DeleteKeyMaterial operation, to remove key material.

aliyun kms DeleteKeyMaterial --KeyId 1339cb7d-54d3-47e0-b595-c7d3dba8****
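
The following guard is an added example, not code from the KMS documentation. It wraps the CLI call above so that key material is removed only from an external CMK for which a saved copy has been confirmed, and it then checks that the CMK reached Pending Import. The function names are hypothetical, and the DescribeKey response fields (KeyMetadata, Origin, KeyState) and the values EXTERNAL and PendingImport are assumptions about the API output.

```python
import json
import subprocess

def run_cli(args):
    """Run `aliyun kms <args>` and return the parsed JSON response."""
    out = subprocess.run(["aliyun", "kms", *args], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}

def key_metadata(key_id, cli):
    # Assumed response shape: {"KeyMetadata": {"Origin": ..., "KeyState": ...}}
    return cli(["DescribeKey", "--KeyId", key_id]).get("KeyMetadata", {})

def remove_key_material(key_id, backup_confirmed, cli=run_cli):
    """Remove imported key material only when it is safe, then verify the state."""
    meta = key_metadata(key_id, cli)
    if meta.get("Origin") != "EXTERNAL":
        raise ValueError("not an external CMK; it has no imported key material")
    if meta.get("KeyState") == "PendingImport":
        return "already-removed"  # nothing to do, key material is already gone
    if not backup_confirmed:
        # Without a saved copy the CMK cannot be made available again.
        raise PermissionError("no saved copy of the key material confirmed")
    cli(["DeleteKeyMaterial", "--KeyId", key_id])
    state = key_metadata(key_id, cli).get("KeyState")
    if state != "PendingImport":
        raise RuntimeError(f"unexpected key state after removal: {state}")
    return "removed"

def make_fake_cli(origin="EXTERNAL", state="Enabled"):
    """Constructed stand-in for the CLI so the example runs offline."""
    key = {"Origin": origin, "KeyState": state}
    def cli(args):
        cli.calls.append(args[0])
        if args[0] == "DeleteKeyMaterial":
            key["KeyState"] = "PendingImport"
            return {}
        return {"KeyMetadata": dict(key)}
    cli.calls = []
    return cli

if __name__ == "__main__":
    # "<key-id>" is a placeholder, not a real CMK ID.
    print(remove_key_material("<key-id>", backup_confirmed=True,
                              cli=make_fake_cli()))
```

To run it against a real account, call remove_key_material without the cli argument so that the default run_cli invokes the Alibaba Cloud CLI.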