After you delete a key in Key Management Service (KMS), you can no longer use it for cryptographic operations. A deleted key is retained for 30 days. During that period, you can restore the key. Otherwise, the key is permanently removed after 30 days.

Prerequisites

Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. Alternatively, you can have an access permit with the editor role assigned to the required key. To check your access rights, go to the Administration → IAM section in the web console.

How to delete a key

To delete a key, run the delete command for your key type:
  • Symmetric key:
    nebius kms symmetric-key delete --id kmssymkey-e0***
    
  • Asymmetric key:
    nebius kms asymmetric-key delete --id kmsasymkey-e0***
    
The command output shows that the key is deleted: status: {}. To check the result, list your keys:
  • Symmetric key:
    nebius kms symmetric-key list
    
  • Asymmetric key:
    nebius kms asymmetric-key list
    

How to restore a key

You can restore keys up to 30 days after their deletion. To restore a key, run the undelete command for your key type:
  • Symmetric key:
    nebius kms symmetric-key undelete --id kmssymkey-e0*** --name <new_key_name>
    
  • Asymmetric key:
    nebius kms asymmetric-key undelete --id kmsasymkey-e0*** --name <new_key_name>
    
Use the --show-scheduled-for-deletion parameter in the list command to see keys scheduled for deletion:
  • Symmetric key:
    nebius kms symmetric-key list --show-scheduled-for-deletion
    
  • Asymmetric key:
    nebius kms asymmetric-key list --show-scheduled-for-deletion
    
In the undelete command, use the --name parameter to restore the key with a new name. This is needed when another key already uses the original name, so that every key keeps a unique name.

The command output shows that the key is active again: status.state: ACTIVE.
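
The delete and undelete commands above differ only in the key-type subcommand, so a small wrapper can choose it from the ID prefix and track how much of the 30-day restore window is left. This is an added example, not part of the Nebius documentation or CLI: the function names are hypothetical, the key ID and timestamps are constructed, and it assumes that ID prefixes match the page's samples and that the window is exactly 30 x 24 hours.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of the nebius CLI.

RETENTION_DAYS=30   # retention period stated on this page

# Map a key ID to its CLI subcommand by prefix (assumption: prefixes as in
# the page's sample IDs, kmssymkey- and kmsasymkey-).
kms_key_type() {
  case "$1" in
    kmssymkey-?*)  echo "symmetric-key" ;;
    kmsasymkey-?*) echo "asymmetric-key" ;;
    *) return 1 ;;
  esac
}

# Print (do not run) the delete or undelete command for a key ID, so the
# operator can review a destructive command before executing it.
# Usage: kms_build_cmd delete KEY_ID | kms_build_cmd undelete KEY_ID NEW_NAME
kms_build_cmd() {
  local action="$1" id="$2" name="${3:-}" sub
  sub="$(kms_key_type "$id")" || { echo "unknown key ID prefix: $id" >&2; return 1; }
  case "$action" in
    delete)
      echo "nebius kms $sub delete --id $id" ;;
    undelete)
      # This helper always passes --name, as the page's undelete commands do.
      [ -n "$name" ] || { echo "undelete needs a key name" >&2; return 1; }
      echo "nebius kms $sub undelete --id $id --name $name" ;;
    *) echo "unsupported action: $action" >&2; return 1 ;;
  esac
}

# Whole days left to restore a key, given the deletion time and the current
# time as Unix epoch seconds (recorded by the operator at deletion).
restore_days_left() {
  local deleted="$1" now="$2"
  local remaining=$(( RETENTION_DAYS * 86400 - (now - deleted) ))
  if [ "$remaining" -le 0 ]; then echo 0; else echo $(( remaining / 86400 )); fi
}

# Constructed sample run (placeholder key ID and timestamps).
kms_build_cmd delete kmssymkey-e0example
kms_build_cmd undelete kmsasymkey-e0example restored-key
restore_days_left 1700000000 $(( 1700000000 + 10 * 86400 ))
```

A result of 0 from restore_days_left means the key is past the retention period and can no longer be restored.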