Deleting an encryption key
The keydelete command removes a key for secure property encryption.
You can run the tool in dry-run mode, in which the keystore is not modified and the tool only reports the change that it would make. The --change-keystore argument is required for the tool to actually apply the change to the keystore.
The keydelete tool can be run while the server is online. In an HA cluster, you must run the tool on only one cluster member because all members share the same keystore.
Note:
- The keydelete tool cannot remove the primary encryption key.
- The tool can only determine the primary key for the local server member in an HA cluster. It cannot detect if other members have configured a different primary key. For best results, set up the cluster so that all members use the same primary key.
Note: Do not delete keys unless you have a compelling reason to do so. Only the primary key is used for encrypting new secure data. After the previous data is re-encrypted with the new key by using the keyrotate tool, previous keys are not used in normal operation. In some scenarios, you might still require previous keys, such as decrypting data that you restore from a backup that used previous keys, or importing configurations that were created with a previous key. Retain previous keys for these kinds of scenarios.
To delete an encryption key: