Delete an AWS CloudHSM key using KMU
Use the deleteKey command in the AWS CloudHSM key_mgmt_util to delete a key from the hardware security modules (HSMs) in an AWS CloudHSM cluster. deleteKey removes one key per invocation. Deleting one key of a key pair has no effect on the other key in the pair.
Only the key owner (the crypto user that created the key) can delete it. Users with whom the key is shared can use it in cryptographic operations but cannot delete it. Deletion is permanent: key_mgmt_util has no command to restore a deleted key, so confirm the key handle with findKey before you delete.
Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).
Syntax
deleteKey -h

deleteKey -k <key-handle>
Examples
These examples show how to use deleteKey to delete keys from your HSMs.
Example: Delete a key
This command deletes the key with key handle 6. When the command succeeds, deleteKey returns a success message from each HSM in the cluster.
Command:
deleteKey -k 6
Cfm3DeleteKey returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
Example: Delete a key (failure)
When the command fails because no key has the specified key handle, deleteKey returns an invalid object handle error. The error comes from the key lookup (Cfm3FindKey) that precedes the delete, so nothing is deleted.
Command:
deleteKey -k 252126
Cfm3FindKey returned: 0xa8 : HSM Error: Invalid object handle is passed to this operation

Cluster Error Status
Node id 1 and err state 0x000000a8 : HSM Error: Invalid object handle is passed to this operation
Node id 2 and err state 0x000000a8 : HSM Error: Invalid object handle is passed to this operation
When the command fails because the current user is not the owner of the key, deleteKey returns a key access denied error. Sharing a key with a user does not grant that user the right to delete it.
Command:
deleteKey -k 262152
Cfm3DeleteKey returned: 0xc6 : HSM Error: Key Access is denied.
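A script that drives key_mgmt_util should not assume the key is gone just because deleteKey returned. The following POSIX shell function, added here as an example and not part of the AWS documentation, classifies captured deleteKey output using the message formats shown above: it distinguishes the invalid-handle (0xa8) and access-denied (0xc6) errors, and treats a 0x00 return as success only if every HSM node in the cluster reports SUCCESS. The sample outputs, the function name and the "partial" case (one node failing while the call reports 0x00) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the AWS CloudHSM documentation.
# Classify the text output of a key_mgmt_util deleteKey call so that a
# script stops on failure instead of assuming the key has been deleted.

# Constructed sample outputs, built from the message formats on this page.
DELETE_OK='Cfm3DeleteKey returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS'

DELETE_BAD_HANDLE='Cfm3FindKey returned: 0xa8 : HSM Error: Invalid object handle is passed to this operation

Cluster Error Status
Node id 1 and err state 0x000000a8 : HSM Error: Invalid object handle is passed to this operation
Node id 2 and err state 0x000000a8 : HSM Error: Invalid object handle is passed to this operation'

DELETE_DENIED='Cfm3DeleteKey returned: 0xc6 : HSM Error: Key Access is denied.'

# Hypothetical mixed result: the call reports 0x00 but one node did not succeed.
DELETE_PARTIAL='Cfm3DeleteKey returned: 0x00 : HSM Return: SUCCESS

Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 2 and err state 0x000000a8 : HSM Error: Invalid object handle is passed to this operation'

# classify_delete_output OUTPUT
# Prints one of: deleted, invalid-handle, access-denied, partial, error.
# Returns 0 only for "deleted".
classify_delete_output() {
    out="$1"

    # Return code of the Cfm3 call (Cfm3DeleteKey, or Cfm3FindKey when the
    # handle lookup fails first), normalised to lower case.
    rc=$(printf '%s\n' "$out" \
        | sed -n 's/^Cfm3[A-Za-z]* returned: \(0x[0-9a-fA-F]*\).*/\1/p' \
        | head -n 1 | tr '[:upper:]' '[:lower:]')

    case "$rc" in
        0xa8) echo invalid-handle; return 1 ;;
        0xc6) echo access-denied;  return 1 ;;
        0x00) ;;
        *)    echo error;          return 1 ;;
    esac

    # The call returned 0x00; require every node in the cluster to report
    # SUCCESS, otherwise a copy of the key may still exist on some HSM.
    # "|| true" keeps grep -c's exit status 1 (count 0) from aborting under set -e.
    nodes=$(printf '%s\n' "$out" | grep -c '^Node id ' || true)
    ok=$(printf '%s\n' "$out" | grep '^Node id ' | grep -c 'HSM Return: SUCCESS' || true)
    if [ "$nodes" -eq 0 ] || [ "$nodes" -ne "$ok" ]; then
        echo partial
        return 1
    fi

    echo deleted
    return 0
}

# Stand-alone demo: classify each constructed sample.
for sample in "$DELETE_OK" "$DELETE_BAD_HANDLE" "$DELETE_DENIED" "$DELETE_PARTIAL"; do
    classify_delete_output "$sample" || true
done
```

In practice you would feed the function the text captured from your key_mgmt_util session (for example via tee or script) and abort any follow-on steps, such as removing the key handle from your inventory, unless it prints deleted.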
Parameters
- -h
  Displays command line help for the command.
  Required: No. Use -h on its own; in every other invocation -k is required.
- -k
  Specifies the key handle of the key to delete. To find the key handles of keys in the HSM, use findKey.
  Required: Yes