

# Enable and disable keys
<a name="enabling-keys"></a>

You can disable and re-enable customer managed keys. When you create a KMS key, it is enabled by default. If you disable a KMS key, it cannot be used in any [cryptographic operation](kms-cryptography.md#cryptographic-operations) until you re-enable it.

Because it's temporary and easily undone, disabling a KMS key is a safe alternative to deleting a KMS key, an action that is destructive and irreversible. If you are considering deleting a KMS key, disable it first and set a [CloudWatch alarm](deleting-keys-creating-cloudwatch-alarm.md) or similar mechanism to be certain that you'll never need to use the key to decrypt encrypted data. 

When you disable a KMS key, it becomes unusable right away (subject to eventual consistency). However, resources encrypted with [data keys](data-keys.md) protected by the KMS key are not affected until the KMS key is used again, such as to decrypt the data key. This issue affects Amazon Web Services services, many of which use data keys to protect your resources. For details, see [How unusable KMS keys affect data keys](unusable-kms-keys.md).

You cannot enable or disable [Amazon managed keys](concepts.md#aws-managed-key) or [Amazon owned keys](concepts.md#aws-owned-key). Amazon managed keys are permanently enabled for use by [services that use Amazon KMS](service-integration.md). Amazon owned keys are managed solely by the service that owns them.

**Note**  
Amazon KMS does not rotate the key material of customer managed keys while they are disabled. For more information, see [How key rotation works](rotate-keys.md#rotate-keys-how-it-works).

## Using the Amazon KMS console
<a name="enabling-keys-console"></a>

You can use the Amazon KMS console to enable and disable [customer managed keys](concepts.md#customer-mgn-key).

1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at [https://console.amazonaws.cn/kms](https://console.amazonaws.cn/kms).

1. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

1. Choose the check box for the KMS keys that you want to enable or disable.

1. To enable a KMS key, choose **Key actions**, **Enable**. To disable a KMS key, choose **Key actions**, **Disable**.

## Using the Amazon KMS API
<a name="enabling-keys-api"></a>

The [EnableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_EnableKey.html) operation enables a disabled Amazon KMS key. These examples use the [Amazon Command Line Interface (Amazon CLI)](http://www.amazonaws.cn/cli/), but you can use any supported programming language. The `key-id` parameter is required.

This operation does not return any output. To see the key status, use the [DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html) operation.

```
$ aws kms enable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```

The [DisableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisableKey.html) operation disables an enabled KMS key. The `key-id` parameter is required.

```
$ aws kms disable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
```

This operation does not return any output. To see the key status, use the [DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html) operation, and see the `Enabled` field.

```
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "MultiRegion": false,
        "Enabled": false,
        "KeyState": "Disabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "CreationDate": 1502910355.475,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
```
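
Because `disable-key` returns no output and the change is subject to eventual consistency, a script can confirm the result with `describe-key` before relying on it. The shell functions below are an added example, not part of the original documentation; the function names, return codes and retry defaults are assumptions, and the Amazon CLI is assumed to be configured for the target account and Region.

```shell
# Added example (not from the original page). Function names, return codes
# and retry defaults are assumptions.

# Read KeyManager and KeyState for one key into $manager and $state.
# --query/--output text make describe-key print the two fields on one line.
kms_key_status() {
    status=$(aws kms describe-key --key-id "$1" \
        --query 'KeyMetadata.[KeyManager,KeyState]' --output text) || return 1
    read -r manager state <<EOF
$status
EOF
}

# Usage: kms_disable_and_verify KEY_ID [MAX_TRIES] [DELAY_SECONDS]
# Returns 0 once describe-key reports the key as Disabled.
kms_disable_and_verify() {
    key_id=$1; tries=${2:-5}; delay=${3:-2}

    kms_key_status "$key_id" || return 1
    # Only customer managed keys can be enabled or disabled.
    if [ "$manager" != "CUSTOMER" ]; then
        echo "refusing: $key_id has KeyManager=$manager" >&2
        return 2
    fi
    if [ "$state" = "Disabled" ]; then
        return 0                      # already disabled, nothing to do
    fi
    if [ "$state" != "Enabled" ]; then
        echo "refusing: $key_id has KeyState=$state" >&2
        return 3
    fi

    # disable-key prints nothing on success; only its exit status is checked.
    aws kms disable-key --key-id "$key_id" || return 1

    # The change is eventually consistent: poll until describe-key shows it.
    while [ "$tries" -gt 0 ]; do
        kms_key_status "$key_id" || return 1
        if [ "$state" = "Disabled" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    echo "timeout: $key_id not yet reported as Disabled" >&2
    return 4
}
```

For example, `kms_disable_and_verify 1234abcd-12ab-34cd-56ef-1234567890ab` returns 0 only after `describe-key` shows `"KeyState": "Disabled"`.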