From 6e5585f22b4b7d0d5a40e38939272344aeae748e Mon Sep 17 00:00:00 2001
From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com>
Date: Fri, 12 Jun 2026 22:57:13 +0000
Subject: [PATCH] docs: remove CMEK v1 migration page
---
 _site/redirects.json | 4 +
 products/cloud/guides/index.mdx | 1 -
 .../cloud/guides/security/cmek-migration.mdx | 104 ------------------
 products/cloud/navigation.json | 3 +-
 4 files changed, 5 insertions(+), 107 deletions(-)
 delete mode 100644 products/cloud/guides/security/cmek-migration.mdx
diff --git a/_site/redirects.json b/_site/redirects.json
index 574493ca0..d2b3d7d43 100644
--- a/_site/redirects.json
+++ b/_site/redirects.json
@@ -2706,5 +2706,9 @@
 {
 "destination": "https://clickhouse.com/blog/ai-redrawing-database-market",
 "source": "/get-started/use-cases/machine-learning-and-genai/agent-facing-analytics"
+ },
+ {
+ "destination": "/products/cloud/guides/security/cmek",
+ "source": "/products/cloud/guides/security/cmek-migration"
 }
 ]
\ No newline at end of file
diff --git a/products/cloud/guides/index.mdx b/products/cloud/guides/index.mdx
index de8a69714..c2ba1fe28 100644
--- a/products/cloud/guides/index.mdx
+++ b/products/cloud/guides/index.mdx
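Review bot: The new redirect in `_site/redirects.json` sends `/products/cloud/guides/security/cmek-migration` to the general CMEK page, but the page deleted in this patch is the only place visible here that tells customers to remove the legacy `prod-kms-request-role` statement from their KMS key policy. A customer who stopped before that last step, or who was moved to ClickHouse-managed keys by the default rotation the page describes, may still have that grant on their key and will now land on a page that may not mention it. I cannot see `/products/cloud/guides/security/cmek` from this patch, so confirm it carries a short cleanup note naming the legacy statement to delete, or add one before this merges. Also check whether an existing entry redirects the old `slug: /cloud/security/cmek-migration` to the path being removed, since that would now be a two-hop redirect.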
@@ -61,7 +61,6 @@ keywords: ['cloud guides', 'documentation', 'how-to', 'cloud features', 'tutoria
 | [Manage my account](/products/cloud/guides/security/cloud-access-management/manage-my-account) | This page describes how you can accept invitations, manage MFA settings, and reset passwords |
 | [Manage SQL console role assignments](/products/cloud/guides/security/cloud-access-management/manage-sql-console-role-assignments) | Guide showing how to manage SQL console role assignments |
 | [Managing AWS service limits and quotas](/products/bring-your-own-cloud/reference/aws-service-limits) | AWS service quotas to verify before BYOC onboarding, how to request increases, and what to monitor as services scale |
-| [Migrating from CMEK v1 to v2](/products/cloud/guides/security/cmek-migration) | Migration instructions to move from legacy CMEK to version 2 |
 | [Multi tenancy](/products/cloud/guides/best-practices/multitenancy) | Best practices to implement multi tenancy |
 | [Optimizing ClickHouse Assistant agent conversations with a semantic layer](/products/cloud/features/ai-ml/aichat/customizing-semantic-layer) | Guide to using AGENTS.md to provide custom business logic and data-specific instructions to the ClickHouse Assistant chat agent |
 | [Overview](/products/cloud/guides/infrastructure/deployment-options/byoc/overview) | Deploy ClickHouse on your own cloud infrastructure |
diff --git a/products/cloud/guides/security/cmek-migration.mdx b/products/cloud/guides/security/cmek-migration.mdx
deleted file mode 100644
index 07082a8b1..000000000
--- a/products/cloud/guides/security/cmek-migration.mdx
+++ /dev/null
@@ -1,104 +0,0 @@
----
-sidebarTitle: 'Legacy CMEK migration'
-slug: /cloud/security/cmek-migration
-title: 'Migrating from CMEK v1 to v2'
-description: 'Migration instructions to move from legacy CMEK to version 2'
-doc_type: 'guide'
-keywords: ['ClickHouse Cloud', 'encryption', 'CMEK']
----
-
-We're improving the security of customer managed encryption keys (CMEK) services. All services are now configured with a unique AWS role per service to authorize using customer keys to encrypt and decrypt services. This new role is only shown in the service configuration screen.
-
-OpenAPI and Terraform are both supported for this new process. For more information, check out our docs ([Enhanced Encryption](/products/cloud/guides/security/cmek), [Cloud API](/products/cloud/features/admin-features/api/api-overview), [Official Terraform Provider](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs)).
-
-
-Customers utilizing CMEK v1 must migrate services no later than June 1st, 2026. After this date customer managed keys will be rotated to ClickHouse managed keys by default. Customers may rotate back to customer managed keys after the default migration.
-
-
-## Manual migration {#manual-migration}
-
-Complete the following steps to migrate to the new process:
-1. Sign in to https://console.clickhouse.cloud
-2. Click on the encrypted service
-3. Click on Service Settings on the left
-4. Scroll to the bottom of the screen and expand View service details
-5. Copy the Encryption Role ID (IAM)
-6. Go to your KMS key in AWS and update the Key Policy to add the following:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": ["Encryption role ID (ARN)"]
- },
- "Action": [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:DescribeKey"
- ],
- "Resource": "*"
-}
-```
-7. In ClickHouse Cloud, open a support case to let us know we can enable the new method.
This change requires a service restart, please let us know if there is a day/ time that is best to restart the service.
-8. Once we restart the service, go to your KMS key in AWS and remove the following from the Key Policy:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role"
- },
- "Action": ["kms:GetPublicKey",
- "kms:Decrypt",
- "kms:GenerateDataKeyPair",
- "kms:Encrypt",
- "kms:GetKeyRotationStatus",
- "kms:GenerateDataKey",
- "kms:DescribeKey"],
- "Resource": "*"
-}
-```
-9. The update is complete!
-
-## Terraform migration {#terraform-migration}
-1. Update to [Terraform version 3.5.0 or higher](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs)
-2. Apply Terraform without changes. A new field for transparent_data_encryption will appear in the Terraform state. Make note of the role_id here.
-3. Go to your KMS key in AWS and update the Key Policy to add the following:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": ["Encryption role ID (ARN)"]
- },
- "Action": [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:DescribeKey"
- ],
- "Resource": "*"
-}
-```
-4. In ClickHouse Cloud, open a support case with the service name to let us know we can enable the new method. This change requires a service restart, please let us know if there is a day/ time that is best to restart the service.
-5. After we restart the service, you can update the transparent_data_encryption.enabled setting to ‘True’ and remove the tier setting in Terraform and apply. This will result in no changes.
-6.
Go to your KMS key in AWS and remove the following from the Key Policy:
-```json
-{
- "Sid": "Allow ClickHouse Access",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role"
- },
- "Action": ["kms:GetPublicKey",
- "kms:Decrypt",
- "kms:GenerateDataKeyPair",
- "kms:Encrypt",
- "kms:GetKeyRotationStatus",
- "kms:GenerateDataKey",
- "kms:DescribeKey"],
- "Resource": "*"
-}
-```
-7. The update is complete!
diff --git a/products/cloud/navigation.json b/products/cloud/navigation.json
index 7e36ef491..dc0499ae4 100644
--- a/products/cloud/navigation.json
+++ b/products/cloud/navigation.json
@@ -323,8 +323,7 @@
 "expanded": false,
 "pages": [
 "products/cloud/guides/security/data-masking",
- "products/cloud/guides/security/cmek",
- "products/cloud/guides/security/cmek-migration"
+ "products/cloud/guides/security/cmek"
 ]
 },
 {