When a key outlives its usefulness, delete it from a key storage
table. Enter the ENCRYPT /REMOVE_KEY command and specify the name
under which the encrypted key value was stored in the key table.
The key name is the character string previously defined with an ENCRYPT
/CREATE_KEY command.
The ENCRYPT /REMOVE_KEY command has the following format:
ENCRYPT /REMOVE_KEY key-name [ qualifiers ]
By default, the ENCRYPT /REMOVE_KEY command deletes the key
definition from the process key storage table. Logging out a process
also removes a key definition from the process key storage table.
To remove a key definition from the job, group, or system storage
table, specify the /JOB, /GROUP, or /SYSTEM qualifier with the ENCRYPT
/REMOVE_KEY command. Just as you need privileges to create group or
system keys, you need privileges to delete them.
For example, the following command deletes the HAMLET key from
the system key storage table:
$ ENCRYPT /REMOVE_KEY HAMLET /SYSTEM
To verify key removal, use the /LOG qualifier with the ENCRYPT
/REMOVE_KEY command. The following command reports that the key HAMLET
is removed:
$ ENCRYPT /REMOVE_KEY HAMLET /SYSTEM /LOG
%ENCRYPT-S-KEYDEL, key deleted for key name = HAMLET