A deleted key cannot be recovered, and any data encrypted with it can no longer be decrypted. To prevent accidental deletion, KMS uses a scheduled deletion mechanism: every deletion operation is subject to a mandatory waiting period of 7-30 days, during which you can cancel the deletion.
You can log in to the KMS console or call KMS TCCLI to create and cancel a scheduled deletion task. This guide describes how to delete a key in the console.
The waiting period can be set to 7-30 days. After being deleted, a key cannot be recovered, and all data encrypted with it cannot be decrypted.
To prevent accidental deletion, KMS automatically triggers an alarm in the following cases:
- Before a key is deleted, any attempt to call the key will trigger the alarm.
- The alarm will be triggered every day in the last 3 days before a key is deleted.
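
The waiting period and the two alarm conditions above can be mirrored in a local review of pending deletion tasks. The following is an added example, not KMS or Tencent Cloud code. The record fields (`key_id`, `scheduled_at`, `window_days`), the status labels and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30  # waiting period range stated above
FINAL_ALARM_DAYS = 3                      # daily alarm in the last 3 days

def deletion_date(scheduled_at, window_days):
    """Time at which the key is destroyed; rejects windows outside 7-30 days."""
    if not MIN_WINDOW_DAYS <= window_days <= MAX_WINDOW_DAYS:
        raise ValueError(f"waiting period must be 7-30 days, got {window_days}")
    return scheduled_at + timedelta(days=window_days)

def triage(key, calls, now):
    """Classify one scheduled deletion task (labels are this example's own)."""
    deadline = deletion_date(key["scheduled_at"], key["window_days"])
    if now >= deadline:
        return "deleted"            # unrecoverable, nothing left to cancel
    # A call attempt made after the task was created means something still
    # depends on the key: the strongest signal to cancel the deletion.
    if any(kid == key["key_id"] and key["scheduled_at"] <= ts <= now
           for kid, ts in calls):
        return "cancel-candidate"
    if deadline - now <= timedelta(days=FINAL_ALARM_DAYS):
        return "final-warning"      # inside the last-3-days alarm window
    return "waiting"

def utc(day, month=3):
    return datetime(2024, month, day, tzinfo=timezone.utc)

# Constructed sample data: hypothetical key IDs, task records and call events.
KEYS = [
    {"key_id": "key-a", "scheduled_at": utc(1),  "window_days": 30},
    {"key_id": "key-b", "scheduled_at": utc(11), "window_days": 7},
    {"key_id": "key-c", "scheduled_at": utc(12), "window_days": 10},
    {"key_id": "key-d", "scheduled_at": utc(15), "window_days": 30},
]
CALLS = [("key-a", utc(10)),   # used during the waiting period
         ("key-d", utc(14))]   # used before the task existed: not counted

def report(now):
    return {k["key_id"]: triage(k, CALLS, now) for k in KEYS}

if __name__ == "__main__":
    for key_id, status in report(utc(20)).items():
        print(f"{key_id}: {status}")
```

A key classified as `cancel-candidate` is one whose deletion should be cancelled and investigated before the waiting period ends, since a caller still depends on it.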