Dan Holevoet

Reputation: 9183

What happens if I accidentally delete a key in Cloud KMS?

I accidentally destroyed key material for a key version that I was using in Cloud KMS. Is there any way I can recover the data encrypted with that key version?

Upvotes: 2

Views: 1708

Answers (1)

Dan Holevoet

Reputation: 9183

Key material purposely has a configurable Scheduled for destruction state duration or delay for destruction. If it's still within that period, use restore to get back the key material for that key version. Note that this requires an Owner or a Cloud KMS Admin IAM role.

If it's been longer than the duration configured at creation time, that key material is gone. Unfortunately, that means that any data encrypted with that key is practically irrecoverable.

NOTE: As of 1-Feb-2024, the default duration of the Scheduled for destruction state is 30 days. (Before this date the default was 24 hours.)

To restore a key version using gcloud, run:

# Current (GA) command group; the older "gcloud beta kms cryptokeys ... --cryptokey" spelling has been retired.
gcloud kms keys versions restore $VERSION_NUMBER \
    --location LOCATION \
    --keyring KEYRING_NAME \
    --key CRYPTOKEY_NAME

Upvotes: 3
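As an added example (not part of the answer above), this Python snippet triages the JSON that `gcloud kms keys versions list --format=json` prints, separating versions still inside the scheduled-for-destruction window (restorable) from DESTROYED ones whose ciphertext is lost; the resource names and timestamps are constructed, and the restore command it emits uses the current GA spelling `gcloud kms keys versions restore`.

```python
"""Triage Cloud KMS key versions by destruction state (added example).

Input: the JSON array `gcloud kms keys versions list --format=json` prints
(CryptoKeyVersion field names); names and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

KEY = ("projects/example-proj/locations/global/keyRings/example-ring"
       "/cryptoKeys/example-key")  # constructed resource name, not a real key

SAMPLE_VERSIONS = [
    {"name": f"{KEY}/cryptoKeyVersions/1", "state": "ENABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/2", "state": "DESTROY_SCHEDULED",
     "destroyTime": "2024-03-10T12:00:00Z"},  # still inside the window
    {"name": f"{KEY}/cryptoKeyVersions/3", "state": "DESTROYED",
     "destroyEventTime": "2024-02-20T08:00:00Z"},  # material already purged
]

def _parse_rfc3339(ts):
    """gcloud prints RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def restore_command(version_name):
    """Build the gcloud restore call from a full version resource name."""
    # projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/V
    p = version_name.split("/")
    return (f"gcloud kms keys versions restore {p[9]} --location {p[3]} "
            f"--keyring {p[5]} --key {p[7]}")

def triage(versions, now):
    """One dict per version: is it recoverable, hours left, how to restore."""
    now = _parse_rfc3339(now) if isinstance(now, str) else now
    report = []
    for v in versions:
        entry = {"name": v["name"], "state": v["state"],
                 "recoverable": None, "hours_left": None, "restore_cmd": None}
        if v["state"] == "DESTROY_SCHEDULED":
            left = _parse_rfc3339(v["destroyTime"]) - now
            entry["recoverable"] = left > timedelta(0)
            entry["hours_left"] = round(left.total_seconds() / 3600, 1)
            if entry["recoverable"]:
                entry["restore_cmd"] = restore_command(v["name"])
        elif v["state"] == "DESTROYED":
            entry["recoverable"] = False  # key material is gone for good
        report.append(entry)
    return report

if __name__ == "__main__":
    for e in triage(SAMPLE_VERSIONS, datetime.now(timezone.utc)):
        print(e)
```

Run it against real `gcloud ... --format=json` output to get an early warning on versions that are about to pass the point of no return.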
