
Purging Deleted Keys

Purging deleted or missing private and authorized keys from the Key Manager database shrinks the database and cleans up situations in which the system has been accumulating key data over a long period of time.

To purge deleted or missing keys:

  1. Add a request using the command-line client in the following manner:

    $ ssh-mgr-client add-request -d \
    request_type=purge_deleted_keys,choice=auth_key,purge_not_after=-6m

    The choice parameter is either auth_key or private_key, depending on whether you wish to purge authorized keys or private keys. The purge_not_after parameter takes a time value that can be relative, as in the example (-6m, meaning the past six months), or an absolute timestamp.

    Note:

    It is recommended that you do not purge all deleted keys, but leave at least six months' worth of deleted keys in the system. This is so that past key activities can be traced back to the actual keys that may have been deleted.

  2. The request automatically starts the purge job in staging mode. Once the job has finished, the number of keys that would be purged can be checked from the request, which then waits for approval.

  3. After the request is approved, the job will continue with the purging of the keys.

    Caution:

    Purging keys is permanent and cannot be reversed. For this reason, purging deleted or missing keys by default requires explicit approval by a second Key Manager administrator. This is controlled by the setting "Approval policy for requests not affiliated with applications". To adjust whether approval is required, change the value of this setting on the Settings→General→Global page. If the value is set to 0, the staging part of the purge job is skipped and the job proceeds straight to purging as soon as the request is created, without any approvals.
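Before submitting the request, an operator may want to check its parameters against the six-month retention guidance above. The shell helper below is an added example, not part of the Key Manager documentation or of the ssh-mgr-client tool; it assumes the -Nm relative form shown on this page and additionally treats -Ny (years) and -Nd (days) as relative forms, which is an assumption, and it only prints the command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the Key Manager documentation): assemble a
# purge_deleted_keys request only when the retention floor is respected.
# Assumptions: -Nm means N months (as on the page); -Ny and -Nd are assumed
# extra relative forms; absolute timestamps are rejected by this helper.

# Convert a relative purge_not_after value to an approximate number of days.
# Prints nothing and returns 1 for input it does not understand.
relative_to_days() {
    case "$1" in
        -[0-9]*m) n=${1#-}; n=${n%m}; echo $((n * 30)) ;;
        -[0-9]*y) n=${1#-}; n=${n%y}; echo $((n * 365)) ;;
        -[0-9]*d) n=${1#-}; n=${n%d}; echo "$n" ;;
        *) return 1 ;;
    esac
}

# Succeed only if the request keeps at least six months of deleted keys.
check_retention() {
    days=$(relative_to_days "$1") || return 1
    [ "$days" -ge 180 ]
}

# Print the add-request command; choice must be auth_key or private_key.
build_purge_request() {
    choice=$1; not_after=$2
    case "$choice" in auth_key|private_key) ;; *) return 1 ;; esac
    check_retention "$not_after" || return 1
    echo "ssh-mgr-client add-request -d request_type=purge_deleted_keys,choice=$choice,purge_not_after=$not_after"
}

build_purge_request auth_key -6m
```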