

# Delete an Amazon CloudHSM key store
<a name="delete-keystore"></a>

When you delete an Amazon CloudHSM key store, Amazon KMS deletes all metadata about the Amazon CloudHSM key store from KMS, including information about its association with an Amazon CloudHSM cluster. This operation does not affect the Amazon CloudHSM cluster, its HSMs, or its users. You can create a new Amazon CloudHSM key store that is associated with the same Amazon CloudHSM cluster, but you cannot undo the delete operation.

You can only delete an Amazon CloudHSM key store that is disconnected from its Amazon CloudHSM cluster and does not contain any Amazon KMS keys. Before you delete a custom key store, do the following.
+ Verify that you will never need to use any of the KMS keys in the key store for any [cryptographic operations](manage-cmk-keystore.md#use-cmk-keystore). Then [schedule deletion](deleting-keys.md#delete-cmk-keystore) of all of the KMS keys from the key store. For help finding the KMS keys in an Amazon CloudHSM key store, see [Find the KMS keys in an Amazon CloudHSM key store](find-cmk-in-keystore.md).
+ Confirm that all KMS keys have been deleted. To view the KMS keys in an Amazon CloudHSM key store, see [Identify KMS keys in Amazon CloudHSM key stores](identify-key-types.md#identify-key-hsm-keystore).
+ [Disconnect the Amazon CloudHSM key store](disconnect-keystore.md) from its Amazon CloudHSM cluster.

Instead of deleting the Amazon CloudHSM key store, consider [disconnecting it](disconnect-keystore.md) from its associated Amazon CloudHSM cluster. While an Amazon CloudHSM key store is disconnected, you can manage the Amazon CloudHSM key store and its Amazon KMS keys. But you cannot create or use KMS keys in the Amazon CloudHSM key store. You can reconnect the Amazon CloudHSM key store at any time.

## Delete your Amazon CloudHSM key store
<a name="delete-hsm-keystore"></a>

You can delete your Amazon CloudHSM key store in the Amazon KMS console or by using the [DeleteCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteCustomKeyStore.html) operation.

### Using the Amazon KMS console
<a name="delete-keystore-console"></a>

To delete an Amazon CloudHSM key store in the Amazon Web Services Management Console, begin by selecting the Amazon CloudHSM key store from the **Custom key stores** page.

1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at [https://console.amazonaws.cn/kms](https://console.amazonaws.cn/kms).

1. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Custom key stores**, **Amazon CloudHSM key stores**.

1. Find the row that represents the Amazon CloudHSM key store that you want to delete. If the **Connection state** of the Amazon CloudHSM key store is not **Disconnected**, you must [disconnect the Amazon CloudHSM key store](disconnect-keystore.md) before you delete it.

1. From the **Key store actions** menu, choose **Delete**.

When the operation completes, a success message appears and the Amazon CloudHSM key store no longer appears in the key stores list. If the operation is unsuccessful, an error message appears that describes the problem and provides help on how to fix it. If you need more help, see [Troubleshooting a custom key store](fix-keystore.md).

### Using the Amazon KMS API
<a name="delete-keystore-api"></a>

To delete an Amazon CloudHSM key store, use the [DeleteCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteCustomKeyStore.html) operation. If the operation is successful, Amazon KMS returns an HTTP 200 response and a JSON object with no properties.

To begin, verify that the Amazon CloudHSM key store does not contain any Amazon KMS keys. You cannot delete a custom key store that contains KMS keys. The first example command uses [ListKeys](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListKeys.html) and [DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html) to search for Amazon KMS keys in the Amazon CloudHSM key store with the example {{cks-1234567890abcdef0}} custom key store ID. In this case, the command does not return any KMS keys. If it does, use the [ScheduleKeyDeletion](https://docs.amazonaws.cn/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation to schedule deletion of each of the KMS keys, and confirm that all of them have been deleted before you continue.

------
#### [ Bash ]

```
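# List every KMS key, then print the metadata of the keys in this key store.
# --output json keeps the grep pattern valid when the CLI default output is text or yaml.
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ;
do aws kms describe-key --key-id "$key" --output json |
grep '"CustomKeyStoreId": "{{cks-1234567890abcdef0}}"' --context 100; done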
```

------
#### [ PowerShell ]

```
PS C:\> Get-KMSKeyList | Get-KMSKey | where CustomKeyStoreId -eq '{{cks-1234567890abcdef0}}'
```

------

Next, disconnect the Amazon CloudHSM key store. This example command uses the [DisconnectCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisconnectCustomKeyStore.html) operation to disconnect an Amazon CloudHSM key store from its Amazon CloudHSM cluster. Before running this command, replace the example custom key store ID with a valid one.

------
#### [ Bash ]

```
$ aws kms disconnect-custom-key-store --custom-key-store-id {{cks-1234567890abcdef0}}
```

------
#### [ PowerShell ]

```
PS C:\> Disconnect-KMSCustomKeyStore -CustomKeyStoreId {{cks-1234567890abcdef0}}
```

------

After the custom key store is disconnected, you can use the [DeleteCustomKeyStore](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteCustomKeyStore.html) operation to delete it. 

------
#### [ Bash ]

```
$ aws kms delete-custom-key-store --custom-key-store-id {{cks-1234567890abcdef0}}
```

------
#### [ PowerShell ]

```
PS C:\> Remove-KMSCustomKeyStore -CustomKeyStoreId {{cks-1234567890abcdef0}}
```

------
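The checks in this procedure can be combined into a gate that runs before the delete call. The following is an added example, not part of the original documentation; the function names and exit codes are chosen for this illustration, and it assumes the `aws` command line tool is configured for the account and Region of the key store.

```shell
#!/bin/sh
# Added example: pre-deletion checks for an Amazon CloudHSM key store.
# Function names and exit codes are choices made for this example.

# Print "KeyId KeyState" for every KMS key whose CustomKeyStoreId matches $1.
keys_in_store() {
  cks_id=$1
  for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do
    # Text output is tab-separated; a key outside any custom key store
    # shows "None" in the third column.
    aws kms describe-key --key-id "$key" --output text \
      --query 'KeyMetadata.[KeyId, KeyState, CustomKeyStoreId]'
  done | awk -v id="$cks_id" '$3 == id { print $1, $2 }'
}

# Return 0 only if the key store is empty and disconnected.
# Return 1 if it still contains KMS keys, 2 if it is not disconnected.
delete_preflight() {
  cks_id=$1
  remaining=$(keys_in_store "$cks_id")
  if [ -n "$remaining" ]; then
    echo "BLOCKED: $cks_id still contains KMS keys:" >&2
    echo "$remaining" >&2
    return 1
  fi
  state=$(aws kms describe-custom-key-stores --custom-key-store-id "$cks_id" \
    --query 'CustomKeyStores[0].ConnectionState' --output text)
  if [ "$state" != "DISCONNECTED" ]; then
    echo "BLOCKED: $cks_id connection state is $state" >&2
    return 2
  fi
  return 0
}

# Delete only when both checks pass; the delete operation cannot be undone.
delete_key_store_checked() {
  delete_preflight "$1" || return $?
  aws kms delete-custom-key-store --custom-key-store-id "$1"
}
```

Call `delete_key_store_checked` with a valid custom key store ID as its only argument. Keys that block the deletion are listed with their key state, which shows whether each one is already scheduled for deletion.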