Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Key Management Service API, REST: SymmetricKey.Delete

Written by
Updated at December 17, 2024

Deletes the specified symmetric KMS key. This action also automatically schedules
the destruction of all of the key's versions in 72 hours.

The key and its versions appear absent in SymmetricKeyService.Get and SymmetricKeyService.List
requests, but can be restored within 72 hours with a request to tech support.

HTTP request

DELETE https://kms.api.cloud.yandex.net/kms/v1/keys/{keyId}

Path parameters

Field

Description

keyId

string

Required field. ID of the key to be deleted.

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": {
    "keyId": "string"
  },
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": {
    "id": "string",
    "folderId": "string",
    "createdAt": "string",
    "name": "string",
    "description": "string",
    "labels": "object",
    "status": "string",
    "primaryVersion": {
      "id": "string",
      "keyId": "string",
      "status": "string",
      "algorithm": "string",
      "createdAt": "string",
      "primary": "boolean",
      "destroyAt": "string",
      "hostedByHsm": "boolean"
    },
    "defaultAlgorithm": "string",
    "rotatedAt": "string",
    "rotationPeriod": "string",
    "deletionProtection": "boolean"
  }
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field

Description

id

string

ID of the operation.

description

string

Description of the operation. 0-256 characters long.

createdAt

string (date-time)

Creation timestamp.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

createdBy

string

ID of the user or service account who initiated the operation.

modifiedAt

string (date-time)

The time when the Operation resource was last modified.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

done

boolean

If the value is false, it means the operation is still in progress.
If true, the operation is completed, and either error or response is available.

metadata

DeleteSymmetricKeyMetadata

Service-specific metadata associated with the operation.
It typically contains the ID of the target resource that the operation is performed on.
Any method that returns a long-running operation should document the metadata type, if any.

error

Status

The error result of the operation in case of failure or cancellation.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

response

SymmetricKey

The normal response of the operation in case of success.
If the original method returns no data on success, such as Delete,
the response is google.protobuf.Empty.
If the original method is the standard Create/Update,
the response should be the target resource of the operation.
Any method that returns a long-running operation should document the response type, if any.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

DeleteSymmetricKeyMetadata

Field

Description

keyId

string

ID of the key being deleted.

Status

The error result of the operation in case of failure or cancellation.

Field

Description

code

integer (int32)

Error code. An enum value of google.rpc.Code.

message

string

An error message.

details[]

object

A list of messages that carry the error details.

SymmetricKey

A symmetric KMS key that may contain several versions of the cryptographic material.

Field

Description

id

string

ID of the key.

folderId

string

ID of the folder that the key belongs to.

createdAt

string (date-time)

Time when the key was created.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

name

string

Name of the key.

description

string

Description of the key.

labels

object (map<string, string>)

Custom labels for the key as key:value pairs. Maximum 64 per key.

status

enum (Status)

Current status of the key.

  • STATUS_UNSPECIFIED
  • CREATING: The key is being created.
  • ACTIVE: The key is active and can be used for encryption and decryption.
    Can be set to INACTIVE using the SymmetricKeyService.Update method.
  • INACTIVE: The key is inactive and unusable.
    Can be set to ACTIVE using the SymmetricKeyService.Update method.

primaryVersion

SymmetricKeyVersion

Primary version of the key, used as the default for all encrypt/decrypt operations,
when no version ID is specified.

defaultAlgorithm

enum (SymmetricAlgorithm)

Default encryption algorithm to be used with new versions of the key.

  • SYMMETRIC_ALGORITHM_UNSPECIFIED
  • AES_128: AES algorithm with 128-bit keys.
  • AES_192: AES algorithm with 192-bit keys.
  • AES_256: AES algorithm with 256-bit keys.
  • AES_256_HSM: AES algorithm with 256-bit keys hosted by HSM

rotatedAt

string (date-time)

Time of the last key rotation (time when the last version was created).
Empty if the key does not have versions yet.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

rotationPeriod

string (duration)

Time period between automatic key rotations.

deletionProtection

boolean

Flag that inhibits deletion of the key

SymmetricKeyVersion

Symmetric KMS key version: metadata about actual cryptographic data.

Field

Description

id

string

ID of the key version.

keyId

string

ID of the symmetric KMS key that the version belongs to.

status

enum (Status)

Status of the key version.

  • STATUS_UNSPECIFIED
  • ACTIVE: The version is active and can be used for encryption and decryption.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed
    is specified in the SymmetricKeyVersion.destroyAt field.
  • DESTROYED: The version is destroyed and cannot be recovered.

algorithm

enum (SymmetricAlgorithm)

Encryption algorithm that should be used when using the key version to encrypt plaintext.

  • SYMMETRIC_ALGORITHM_UNSPECIFIED
  • AES_128: AES algorithm with 128-bit keys.
  • AES_192: AES algorithm with 192-bit keys.
  • AES_256: AES algorithm with 256-bit keys.
  • AES_256_HSM: AES algorithm with 256-bit keys hosted by HSM

createdAt

string (date-time)

Time when the key version was created.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

primary

boolean

Indication of a primary version, that is to be used by default for all cryptographic
operations that don't have a key version explicitly specified.

destroyAt

string (date-time)

Time when the key version is going to be destroyed. Empty unless the status
is SCHEDULED_FOR_DESTRUCTION.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

hostedByHsm

boolean

Indication of the version that is hosted by HSM.
Previous
Update
Next
SetPrimaryVersion