After you create a key for a dedicated Key Management Service (KMS) instance, you can disable the key, enable deletion protection, or schedule key deletion based on your business requirements.

Disable a key

After you create a key, it is in the Enabled state by default. You can disable the key. A disabled key cannot be used for data encryption or decryption, and it also cannot be used for digital signature generation or verification.

  1. Log on to the KMS Console.
  2. In the upper-left corner of the page, select the region where you want to purchase a dedicated KMS instance.
    For more information about the regions that support dedicated KMS, see Supported regions.
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the dedicated KMS instance that you want to manage and click Manage in the Actions column.
  5. In the Keys section, find the key that you want to disable and click Disable in the Actions column.
  6. In the Disable Key message, click OK.
    After the key is disabled, the status of the key changes from Enabled to Disabled. You can also click Enable to enable the key again.

Enable deletion protection

After you enable deletion protection for a key, the key cannot be deleted. This prevents the key from being deleted by mistake.

Note: You cannot enable deletion protection for keys that are in the Pending Deletion state.
  1. In the Keys section, click the name of the key for which you want to enable deletion protection.
  2. In the Key Details section, click Enable Deletion Protection.
  3. In the Enable message, click OK.
    After deletion protection is enabled, the status of Deletion Protection changes from Disabled to Enabled. You can also click Disable Deletion Protection to disable deletion protection for the key. This way, the key can be deleted.

Schedule a key deletion task

After a key is deleted, it cannot be recovered. Data that was encrypted by using this key, and data keys that were generated by using this key, can no longer be decrypted. To prevent misoperations, KMS does not allow you to delete a key directly. You can only schedule the deletion of a key. We recommend that you disable a key instead of deleting it.

Note: You must disable deletion protection for a key before you can schedule a deletion task for the key.
  1. In the Keys section, find the key for which you want to schedule a deletion task and choose more > Schedule Key Deletion in the Actions column.
  2. In the Schedule Key Deletion dialog box, configure Delete In (7-30 days).
    Valid values of Delete In (7-30 days): 7 to 30. Unit: days. Default value: 30.
  3. Click OK.
    After the deletion of the key is scheduled, the status of the key changes to Pending Deletion. A key in the Pending Deletion state cannot be used for data encryption, data decryption, digital signature generation, or digital signature verification. You can also choose more > Cancel Key Deletion to cancel the scheduled key deletion task.