You should not remove an encryption settings definition that the server is currently using because it will no longer be possible to access any data encrypted by the removed definition. In some cases, removing a definition used to encrypt live data in the database (which can include local DB backends, the replication database, or the LDAP changelog) prevents the server from starting or accessing content in the backend.


Do not remove encryption settings definitions unless there is reason to believe they are compromised. If you believe a key has been compromised, see Handling compromised encryption settings definitions for details on safely removing that key.

To delete an encryption settings definition:

  • Use the encryption-settings command with the delete subcommand.

    Make sure to include the --id argument to specify the definition.

    Argument Description

    --id <id> (required)

    Specifies the ID of the encryption settings definition to delete.

    $ bin/encryption-settings delete --id F635E109A8549651025D01D9A6A90F7C9017C66D
    Successfully deleted encryption settings definition