diff --git a/nova/compute/api.py b/nova/compute/api.py index f977edcd2290..27eb71c5904d 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -26,6 +26,7 @@ import functools import re import string +from castellan import key_manager from oslo_log import log as logging from oslo_messaging import exceptions as oslo_exceptions from oslo_serialization import base64 as base64utils @@ -59,7 +60,6 @@ from nova import exception_wrapper from nova import hooks from nova.i18n import _ from nova import image -from nova import keymgr from nova import network from nova.network import model as network_model from nova.network.security_group import openstack_driver @@ -256,7 +256,7 @@ class API(base.Base): self.servicegroup_api = servicegroup.API() self.notifier = rpc.get_notifier('compute', CONF.host) if CONF.ephemeral_storage_encryption.enabled: - self.key_manager = keymgr.API() + self.key_manager = key_manager.API() super(API, self).__init__(**kwargs) diff --git a/nova/conf/key_manager.py b/nova/conf/key_manager.py index bafb2e04d392..d86182de7240 100644 --- a/nova/conf/key_manager.py +++ b/nova/conf/key_manager.py @@ -22,6 +22,8 @@ key_manager_group = cfg.OptGroup( key_manager_opts = [ # TODO(raj_singh): Deprecate or move this option to The Castellan library + # NOTE(kfarr): The ability to use fixed_key should be deprecated and + # removed and Barbican should be tested in the gate instead cfg.StrOpt( 'fixed_key', deprecated_group='keymgr', diff --git a/nova/keymgr/__init__.py b/nova/keymgr/__init__.py index 0d4f1a37ac0d..e69de29bb2d1 100644 --- a/nova/keymgr/__init__.py +++ b/nova/keymgr/__init__.py 
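Review bot: In `API.__init__` of nova/compute/api.py the new call is `key_manager.API()` with no argument, while the two libvirt call sites changed by this commit (`_get_volume_encryptor` and `Lvm.__init__`) pass `CONF`. The removed shim defaulted its `conf` parameter to Nova's `CONF`, so the old call was tied to a known configuration object. With Castellan, the object that selects the key-manager backend now depends on the library's own default, which this page does not show. I would write `self.key_manager = key_manager.API(CONF)` here so all three call sites resolve the backend from the same object. `__init__` starts and ends outside the hunk.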
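Review bot: The NOTE added above `fixed_key` in nova/conf/key_manager.py records the intent to deprecate the option only as a source comment, which operators never see, and it overlaps the TODO directly above it. If the intent is firm, the option itself should carry it, for example `deprecated_for_removal=True,` plus a `deprecated_reason` saying that one static key from the config file is not suitable outside testing. The `cfg.StrOpt(` call continues outside the hunk, so it may already set these or say so in its help text. I would also merge the two comments into one, e.g. `# TODO(raj_singh, kfarr): deprecate fixed_key (or move it to Castellan) and test Barbican in the gate instead`.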
@@ -1,69 +0,0 @@
-# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-from oslo_config import cfg
-from oslo_log import log as logging
-from oslo_utils import importutils
-
-import nova.conf
-
-LOG = logging.getLogger(__name__)
-CONF = nova.conf.CONF
-
-# NOTE(kfarr): For backwards compatibility, everything below this comment
-# is deprecated for removal
-api_class = None
-try:
- api_class = CONF.key_manager.api_class
-except cfg.NoSuchOptError:
- LOG.warning("key_manager.api_class is not set, will use deprecated "
- "option keymgr.api_class if set")
- try:
- api_class = CONF.keymgr.api_class
- except cfg.NoSuchOptError:
- LOG.warning("keymgr.api_class is not set")
-
-deprecated_barbican = 'nova.keymgr.barbican.BarbicanKeyManager'
-barbican = 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager'
-deprecated_mock = 'nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager'
-castellan_mock = ('castellan.tests.unit.key_manager.mock_key_manager.'
- 'MockKeyManager') - - -def log_deprecated_warning(deprecated, castellan): - LOG.warning("key manager api_class set to use deprecated option " - "%(deprecated)s, using %(castellan)s instead", - {'deprecated': deprecated, 'castellan': castellan}) - -if api_class == deprecated_barbican: - log_deprecated_warning(deprecated_barbican, barbican) - api_class = barbican -elif api_class == deprecated_mock: - log_deprecated_warning(deprecated_mock, castellan_mock) - api_class = castellan_mock -elif api_class is None: - # TODO(kfarr): key_manager.api_class should be set in DevStack, and this - # block can be removed - LOG.warning("key manager not set, using insecure default %s", - castellan_mock) - api_class = castellan_mock - -CONF.set_override('api_class', api_class, 'key_manager') - - -def API(conf=CONF): - cls = importutils.import_class(CONF.key_manager.api_class) - return cls(conf) diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py index e5c55f07741d..8c235840abb4 100644 --- a/nova/virt/libvirt/driver.py +++ b/nova/virt/libvirt/driver.py @@ -41,6 +41,7 @@ import tempfile import time import uuid +from castellan import key_manager import eventlet from eventlet import greenthread from eventlet import tpool @@ -74,7 +75,6 @@ from nova import context as nova_context from nova import exception from nova.i18n import _ from nova import image -from nova import keymgr from nova.network import model as network_model from nova import objects from nova.objects import diagnostics as diagnostics_obj @@ -1184,9 +1184,8 @@ class LibvirtDriver(driver.ComputeDriver): def _get_volume_encryptor(self, connection_info, encryption): root_helper = utils.get_root_helper() - key_manager = keymgr.API(CONF) return encryptors.get_volume_encryptor(root_helper=root_helper, - keymgr=key_manager, + keymgr=key_manager.API(CONF), connection_info=connection_info, **encryption) 
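Review bot: With the `nova.keymgr` shim gone, `key_manager.API(CONF)` in `_get_volume_encryptor` is where the configured backend class gets resolved, and it runs on each call rather than at service start. The deleted module translated the legacy `nova.keymgr.barbican.BarbicanKeyManager` path and logged `key manager not set, using insecure default` when nothing was configured. Neither happens now, so a stale or missing `api_class` presumably surfaces only when an encrypted volume is attached, under whatever default Castellan applies. I would at least record that at the call site, e.g. `# NOTE: backend is resolved from [key_manager] api_class on each call; legacy nova.keymgr.* class paths are no longer translated`, and consider logging the resolved class once at driver start-up. The same applies to `Lvm.__init__` in nova/virt/libvirt/imagebackend.py.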
diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py index a6cd05f7548d..cb6e122db62d 100644 --- a/nova/virt/libvirt/imagebackend.py +++ b/nova/virt/libvirt/imagebackend.py @@ -20,6 +20,7 @@ import functools import os import shutil +from castellan import key_manager from oslo_log import log as logging from oslo_serialization import jsonutils from oslo_utils import excutils @@ -32,7 +33,6 @@ import nova.conf from nova import exception from nova.i18n import _ from nova import image -from nova import keymgr from nova.privsep import dac_admin from nova import utils from nova.virt.disk import api as disk @@ -657,7 +657,7 @@ class Lvm(Image): self.ephemeral_key_uuid = instance.get('ephemeral_key_uuid') if self.ephemeral_key_uuid is not None: - self.key_manager = keymgr.API(CONF) + self.key_manager = key_manager.API(CONF) else: self.key_manager = None diff --git a/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml new file mode 100644 index 000000000000..f318ea92d5cd --- /dev/null +++ b/releasenotes/notes/remove-deprecated-keymgr-db807dc76c83263e.yaml 
@@ -0,0 +1,15 @@
+---
+upgrade:
+ - |
+ The old deprecated ``keymgr`` options have been removed.
+ Configuration options using the ``[keymgr]`` group will not be
+ applied anymore. Use the ``[key_manager]`` group from Castellan instead.
+ The Castellan ``api_class`` options should also be used instead, as most
+ of the options that lived in Nova have migrated to Castellan.
+
+ - Instead of ``api_class`` option ``nova.keymgr.barbican.BarbicanKeyManager``,
+ use ``castellan.key_manager.barbican_key_manager.BarbicanKeyManager``
+ - Instead of ``api_class`` option ``nova.tests.unit.keymgr.mock_key_mgr.MockKeyManager``,
+ use ``castellan.tests.unit.key_manager.mock_key_manager.MockKeyManager``
+ - ``nova.keymgr.conf_key_mgr.ConfKeyManager`` still remains, but the ``fixed_key``
+ configuration options should be moved to the ``[key_manager]`` section