SymmetricCryptoService

  • Calls SymmetricCryptoService
  • Encrypt
    • SymmetricEncryptRequest
    • SymmetricEncryptResponse
  • Decrypt
    • SymmetricDecryptRequest
    • SymmetricDecryptResponse
  • ReEncrypt
    • SymmetricReEncryptRequest
    • SymmetricReEncryptResponse
  • GenerateDataKey
    • GenerateDataKeyRequest
    • GenerateDataKeyResponse

Data plane for KMS symmetric cryptography operations.
Set of methods that perform symmetric encryption and decryption.

Call | Description
Encrypt | Encrypts the given plaintext with the specified key.
Decrypt | Decrypts the given ciphertext with the specified key.
ReEncrypt | Re-encrypts a ciphertext with the specified KMS key.
GenerateDataKey | Generates a new symmetric data encryption key (not a KMS key) and returns the generated key as plaintext and as ciphertext encrypted with the specified symmetric KMS key.

Calls SymmetricCryptoService

Encrypt

Encrypts the given plaintext with the specified key.

rpc Encrypt (SymmetricEncryptRequest) returns (SymmetricEncryptResponse)

SymmetricEncryptRequest

Field Description
key_id string
Required. ID of the symmetric KMS key to use for encryption. The maximum string length in characters is 50.
version_id string
ID of the key version to encrypt plaintext with. Defaults to the primary version if not specified. The maximum string length in characters is 50.
aad_context bytes
Additional authenticated data (AAD context), optional. If specified, this data will be required for decryption with the SymmetricDecryptRequest. Should be encoded with base64. The maximum string length in characters is 8192.
plaintext bytes
Required. Plaintext to be encrypted. Should be encoded with base64. The maximum string length in characters is 32768.

SymmetricEncryptResponse

Field Description
key_id string
Required. ID of the symmetric KMS key that was used for encryption. The maximum string length in characters is 50.
version_id string
ID of the key version that was used for encryption. The maximum string length in characters is 50.
ciphertext bytes
Resulting ciphertext.

Decrypt

Decrypts the given ciphertext with the specified key.

rpc Decrypt (SymmetricDecryptRequest) returns (SymmetricDecryptResponse)

SymmetricDecryptRequest

Field Description
key_id string
Required. ID of the symmetric KMS key to use for decryption. The maximum string length in characters is 50.
aad_context bytes
Additional authenticated data, must be the same as was provided in the corresponding SymmetricEncryptRequest. Should be encoded with base64. The maximum string length in characters is 8192.
ciphertext bytes
Required. Ciphertext to be decrypted. Should be encoded with base64.

SymmetricDecryptResponse

Field Description
key_id string
ID of the symmetric KMS key that was used for decryption.
version_id string
ID of the key version that was used for decryption.
plaintext bytes
Decrypted plaintext.

ReEncrypt

Re-encrypts a ciphertext with the specified KMS key.

rpc ReEncrypt (SymmetricReEncryptRequest) returns (SymmetricReEncryptResponse)

SymmetricReEncryptRequest

Field Description
key_id string
Required. ID of the new key to be used for encryption. The maximum string length in characters is 50.
version_id string
ID of the version of the new key to be used for encryption. Defaults to the primary version if not specified. The maximum string length in characters is 50.
aad_context bytes
Additional authenticated data to be required for decryption. Should be encoded with base64. The maximum string length in characters is 8192.
source_key_id string
Required. ID of the key that the ciphertext is currently encrypted with. May be the same as for the new key. The maximum string length in characters is 50.
source_aad_context bytes
Additional authenticated data provided with the initial encryption request. Should be encoded with base64. The maximum string length in characters is 8192.
ciphertext bytes
Required. Ciphertext to re-encrypt. Should be encoded with base64.

SymmetricReEncryptResponse

Field Description
key_id string
ID of the key that the ciphertext is encrypted with now.
version_id string
ID of the key version that was used for encryption.
source_key_id string
ID of the key that the ciphertext was encrypted with previously.
source_version_id string
ID of the key version that was used to decrypt the re-encrypted ciphertext.
ciphertext bytes
Resulting re-encrypted ciphertext.

GenerateDataKey

Generates a new symmetric data encryption key (not a KMS key) and returns the generated key as plaintext and as ciphertext encrypted with the specified symmetric KMS key.

rpc GenerateDataKey (GenerateDataKeyRequest) returns (GenerateDataKeyResponse)

GenerateDataKeyRequest

Field Description
key_id string
Required. ID of the symmetric KMS key that the generated data key should be encrypted with. The maximum string length in characters is 50.
version_id string
ID of the key version to encrypt the generated data key with. Defaults to the primary version if not specified. The maximum string length in characters is 50.
aad_context bytes
Additional authenticated data (AAD context), optional. If specified, this data will be required for decryption with the SymmetricDecryptRequest. Should be encoded with base64. The maximum string length in characters is 8192.
data_key_spec enum SymmetricAlgorithm
Encryption algorithm and key length for the generated data key.
  • AES_128: AES algorithm with 128-bit keys.
  • AES_192: AES algorithm with 192-bit keys.
  • AES_256: AES algorithm with 256-bit keys.
skip_plaintext bool
If true, the method won't return the data key as plaintext. Default value is false.

GenerateDataKeyResponse

Field Description
key_id string
ID of the symmetric KMS key that was used to encrypt the generated data key.
version_id string
ID of the key version that was used for encryption.
data_key_plaintext bytes
Generated data key as plaintext. The field is empty if the GenerateDataKeyRequest.skip_plaintext parameter was set to true.
data_key_ciphertext bytes
The encrypted data key.
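
The request tables above, applied as client-side checks before a call is sent. This is an added example, not part of the original reference or of any Yandex.Cloud SDK: it builds plain dicts keyed by the field names on this page, and the helper names are hypothetical. Assumptions: the 8192 and 32768 limits are checked on the raw bytes before base64 encoding, and the AAD context is a small dict serialized as canonical JSON so that Encrypt and Decrypt send byte-identical aad_context values.

```python
import base64
import json

# Added example; helper names are hypothetical. Limits and enum values are from this page.
MAX_ID, MAX_AAD, MAX_PLAINTEXT = 50, 8192, 32768
DATA_KEY_SPECS = ("AES_128", "AES_192", "AES_256")

def canonical_aad(context):
    """Deterministic bytes for a context dict: key order must not change the AAD."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def _base(key_id, context, version_id=""):
    aad = canonical_aad(context) if context else b""
    if not key_id:
        raise ValueError("key_id is required")
    if len(key_id) > MAX_ID or len(version_id) > MAX_ID:
        raise ValueError("key_id and version_id are limited to 50 characters")
    # Assumption: the length limits apply to the raw bytes, not the base64 text.
    if len(aad) > MAX_AAD:
        raise ValueError("aad_context is limited to 8192")
    req = {"key_id": key_id}
    if version_id:  # left out: the service defaults to the primary version
        req["version_id"] = version_id
    if aad:
        req["aad_context"] = _b64(aad)
    return req

def encrypt_request(key_id, plaintext, context=None, version_id=""):
    if not plaintext:
        raise ValueError("plaintext is required")
    if len(plaintext) > MAX_PLAINTEXT:
        raise ValueError("plaintext over 32768: use GenerateDataKey instead")
    return {**_base(key_id, context, version_id), "plaintext": _b64(plaintext)}

def decrypt_request(key_id, ciphertext_b64, context=None):
    if not ciphertext_b64:
        raise ValueError("ciphertext is required")
    # SymmetricDecryptRequest has no version_id field, so none is passed.
    return {**_base(key_id, context), "ciphertext": ciphertext_b64}

def generate_data_key_request(key_id, spec="AES_256", context=None,
                              skip_plaintext=False, version_id=""):
    if spec not in DATA_KEY_SPECS:
        raise ValueError("data_key_spec must be one of %s" % (DATA_KEY_SPECS,))
    req = _base(key_id, context, version_id)
    return {**req, "data_key_spec": spec, "skip_plaintext": skip_plaintext}
```

Building the Decrypt request from the same context dict as the Encrypt request, rather than from a stored string, keeps the two aad_context values identical regardless of key order.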