Deleting an Encryption Key (CLI)

Deleting an encryption key is a fast and effective way to make large amounts of data inaccessible. Keys can be deleted even if they are in use. If the key is in use, a warning is given and confirmation is required. All shares, projects, or pools that use that key are unshared and can no longer be accessed by clients.

If you might use a LOCAL key again to access its associated shares, back up the key name and value before deleting the key. Then you can later perform a restore procedure as described in Restoring a LOCAL Key (CLI).

When you delete an encryption key that is in use by a pool, project, or share, all affected pools, projects, and shares are listed as dependents of the key before you confirm the deletion. After the key is deleted, the keystatus property value of each dependent changes to unavailable.

Use the following procedure to delete an encryption key.

  1. Go to shares encryption.
  2. Go to the appropriate keystore configuration.
  3. Delete the key.

    Use the destroy keyname command to delete a key.

    hostname:shares encryption local local_keys> destroy keyname=MyKey
    
    This key has the following dependent shares:
    
        pool-1
        pool-1/local/default
        pool-1/local/default/fs-1
    
    Destroying this key will render the data inaccessible. Are you sure? (Y/N)

    Read the warning and confirm that you want to delete the key.

    When a key is deleted, all of the data in all of the pools and shares that use the key becomes inaccessible. This is equivalent to secure data destruction and is permanent and irrevocable unless you have prepared for key restoration by backing up the key. For more information about key backup and restoration, see Backing Up a LOCAL Key (CLI) and Restoring a LOCAL Key (CLI).

  4. Verify that a share is no longer accessible by using that key.
    • The value of the keystatus property changes to unavailable.
    • The keystatus property is marked as a critical property.
    • The missing key is treated as an error.
    hostname:> shares select default select fs-1
    hostname:shares default/fs-1> get encryption keystore keyname keystatus
    
                       encryption = aes-128-ccm (inherited)
                          keystore = LOCAL (inherited)
                           keyname = MyKey (inherited)
                         keystatus = unavailable
    
    Errors:
                key_unavailable
  5. To list dependents, use the following CLI commands:
    hostname:shares (pool-1) encryption local keys> select keyname=1
    hostname:shares (pool-010) encryption local key-002> list
    
    Properties:
                            cipher = AES
                           keyname = 1
    
    hostname:shares (pool-010) encryption local key-002> list dependents
    DEPENDENTS
            pool-010/local/default/a
    hostname:shares (pool-010) encryption local key-002>
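The destroy prompt in step 3 and the get output in step 4 are the two places where an operator can confirm, before and after the fact, exactly which data a key deletion affects. The following POSIX shell helpers are an added example, not part of the appliance documentation or its CLI: they parse captured copies of that output so the list of dependents can be recorded before anyone answers Y, and so the post-deletion keystatus check in step 4 can be scripted. Both transcripts embedded in the block are constructed to mirror the format shown above; no appliance is contacted.

```shell
#!/bin/sh
# Added example: helpers that parse captured CLI output from the key-deletion
# procedure. The two transcripts below are CONSTRUCTED copies of the formats
# shown in the procedure, not output captured from a live system.

# Constructed copy of the warning printed by "destroy keyname=MyKey".
DESTROY_PROMPT='This key has the following dependent shares:

    pool-1
    pool-1/local/default
    pool-1/local/default/fs-1

Destroying this key will render the data inaccessible. Are you sure? (Y/N)'

# Constructed copy of "get encryption keystore keyname keystatus" after deletion.
GET_OUTPUT='                   encryption = aes-128-ccm (inherited)
                      keystore = LOCAL (inherited)
                       keyname = MyKey (inherited)
                     keystatus = unavailable

Errors:
            key_unavailable'

# Print the dependents named in a destroy prompt, one per line, with the
# surrounding header, footer, indentation and blank lines removed. Saving this
# list alongside the change record documents the blast radius of the deletion.
list_dependents() {
    printf '%s\n' "$1" | sed -n '/dependent shares:/,/Destroying this key/p' \
        | sed '1d;$d' | sed 's/^[[:space:]]*//' | sed '/^$/d'
}

# Number of dependents in a destroy prompt (wc output trimmed for portability).
count_dependents() {
    list_dependents "$1" | wc -l | tr -d ' '
}

# Value of one property from "get" output, e.g. get_prop "$out" keystatus.
# The "(inherited)" suffix is dropped so values compare cleanly.
get_prop() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \(.*\)$/\1/p" \
        | sed 's/ (inherited)$//'
}

# Succeed only when the share really is locked out of its key: keystatus must
# read "unavailable" AND the Errors block must report key_unavailable, which is
# the pair of symptoms step 4 tells the operator to look for.
key_is_unavailable() {
    status=$(get_prop "$1" keystatus)
    [ "$status" = "unavailable" ] || return 1
    printf '%s\n' "$1" | grep -q '^[[:space:]]*key_unavailable$'
}

# Stand-alone usage: summarise the constructed transcripts.
if [ "${0##*/}" != "sh" ]; then
    echo "Dependents that would be affected ($(count_dependents "$DESTROY_PROMPT")):"
    list_dependents "$DESTROY_PROMPT" | sed 's/^/  /'
    if key_is_unavailable "$GET_OUTPUT"; then
        echo "Post-deletion check: key $(get_prop "$GET_OUTPUT" keyname) is unavailable"
    else
        echo "Post-deletion check: key still usable, deletion not confirmed"
    fi
fi
```

In practice the two transcripts would be replaced by output saved from the CLI session (for example by logging the terminal session), and the dependents list compared against the set of shares the change was approved for before the confirmation prompt is answered.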