[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003ePlatform Administrators (PAs) can delete Key Management System (KMS) keys, including AEAD and Signing keys, within a project namespace via the Management API server.\u003c/p\u003e\n"],["\u003cp\u003eDeleting keys is irreversible, so users are cautioned that once deleted, keys cannot be retrieved.\u003c/p\u003e\n"],["\u003cp\u003eBefore deleting keys, users must configure \u003ccode\u003ekubectl\u003c/code\u003e to access the Management API server and obtain the KMS Admin (\u003ccode\u003ekms-admin\u003c/code\u003e) role within their project namespace.\u003c/p\u003e\n"],["\u003cp\u003eTo delete keys, the \u003ccode\u003ekubectl delete\u003c/code\u003e command must be used with the correct \u003ccode\u003eMANAGEMENT_API_SERVER\u003c/code\u003e, \u003ccode\u003eKEY_PRIMITIVE\u003c/code\u003e, and \u003ccode\u003ePROJECT\u003c/code\u003e values.\u003c/p\u003e\n"],["\u003cp\u003eTo delete all keys of all types, the \u003ccode\u003ekubectl delete\u003c/code\u003e command needs to be executed for each key primitive type, such as \u003ccode\u003eaeadkey\u003c/code\u003e and \u003ccode\u003esigningkey\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Wipe out KMS keys\n\n| **Warning:** Deleting keys is a total and complete wipeout. You cannot retrieve your keys after performing the actions on this page.\n\nThe Platform Administrator (PA) can delete Key Management System (KMS) keys in\nthe Management API server.\n\nThe PA can delete the AEAD and Signing keys in the project namespace.\nSee [Supported keys](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/kms/kms) for the full\nlist of KMS keys.\n\nBefore you begin\n----------------\n\nBefore continuing, ensure you do the following:\n\n- Configure `kubectl` to access the Management API server. Follow the steps in\n [Get a kubeconfig file](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-auth#get-kubeconfig) to\n use the `gdcloud` command-line interface (CLI).\n\n- Get the KMS Admin role to delete KMS keys. Ask your Organization IAM\n Admin to grant you the KMS Admin (`kms-admin`) role in your project namespace.\n\nDelete all keys\n---------------\n\nTo delete all keys in a project namespace, use the following\ncommand: \n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e \\\n delete \u003cvar translate=\"no\"\u003eKEY_PRIMITIVE\u003c/var\u003e --namespace=\u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e --all\n\nReplace the following variables:\n\n- \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e: the kubeconfig file of the Management API server. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in) the kubeconfig file if you don't have one.\n- \u003cvar translate=\"no\"\u003eKEY_PRIMITIVE\u003c/var\u003e: the keys you want to delete. For example: `aeadkey` for the `AEAD` key.\n- \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e with the name of the project. For example: `kms-test1`.\n\n| **Note:** To delete keys of all primitive types, ensure to run the command for all possible key primitive types: aeadkey and signingkey."]]
