Wipe out KMS keys

The Platform Administrator (PA) can delete Key Management System (KMS) keys in the Management API server.

The PA can delete the AEAD and Signing keys in the project namespace. See Supported keys for the full list of KMS keys.

Before you begin

Before deleting KMS keys, you must request the necessary permissions and prepare your environment.

Request IAM roles

Contact your Organization IAM Admin to request the following roles:

  • KMS Admin (kms-admin): create, update, delete, and use KMS keys in your project namespace.
  • Global MZAEADKey Deleter (global-mzaeadkey-deleter): delete multi-zone AEAD keys in your project namespace.

Prepare your environment

Delete all keys

You can delete zonal keys from the management API server or multi-zone keys from the global API server.

Delete all zonal keys

To delete all zonal keys in a project namespace, use the following command:

kubectl --kubeconfig MANAGEMENT_API_SERVER_KUBECONFIG \
  delete KEY_PRIMITIVE --namespace=PROJECT --all

Replace the following:

  • MANAGEMENT_API_SERVER_KUBECONFIG: the kubeconfig file of the management API server.
  • KEY_PRIMITIVE: the key you want to delete. For example: aeadkey for the AEAD key.
  • PROJECT: the name of the project. For example: kms-test1.

Delete all multi-zone keys

To delete all multi-zone keys in a project namespace, use the following command:

kubectl --kubeconfig GLOBAL_API_SERVER_KUBECONFIG \
  delete mzaeadkey --namespace=PROJECT --all

Replace the following:

  • GLOBAL_API_SERVER_KUBECONFIG: the kubeconfig file of the global API server.
  • PROJECT: the name of the project. For example: kms-test1.