Encrypting data using the Yandex.Cloud SDK
You can use Key Management Service with the Yandex.Cloud SDK. The SDK is available for Java, Go, Python, and Node.js.
The Yandex.Cloud SDK is most convenient for encrypting small amounts of data (the limit on the size of plaintext is 32 KB). To encrypt larger amounts of data, we recommend using the AWS Encryption SDK or Google Tink. They encrypt data using envelope encryption.
Adding dependencies
Before you start, add the SDK dependency for your language.
Java: add the dependency using Apache Maven:
    <dependency>
        <groupId>com.yandex.cloud</groupId>
        <artifactId>sdk</artifactId>
        <version>1.2.1</version>
    </dependency>
Go: install the SDK:
    go get github.com/yandex-cloud/go-sdk
Authentication
You can authenticate using the service account linked to the Yandex.Cloud VM, any service account, or a Yandex account.
Authentication using the service account linked to the Yandex.Cloud VM
Java: authenticate using the service account linked to the VM:
    Credentials credentials = Auth.fromMetadata();
Go: authenticate using the service account linked to the VM:
    credentials := ycsdk.InstanceServiceAccount()
Authentication using any service account
The key.json file must contain an authorized key for the service account. For information about how to create authorized keys, see Creating authorized keys.
Java: authenticate using any service account:
    Credentials credentials = Auth.fromFile(Auth::apiKey, Paths.get("key.json"));
Go: authenticate using any service account (iamkey is github.com/yandex-cloud/go-sdk/iamkey, ycsdk is github.com/yandex-cloud/go-sdk):
    // Read the service account's authorized key from key.json.
    authorizedKey, err := iamkey.ReadFromJSONFile("key.json")
    if err != nil {
        log.Fatal(err)
    }
    // Build credentials from the authorized key.
    credentials, err := ycsdk.ServiceAccountKey(authorizedKey)
    if err != nil {
        log.Fatal(err)
    }
Authentication using a Yandex account
The token variable is your OAuth token.
Java: authenticate using a Yandex account:
    Credentials credentials = Auth.oauthToken(token);
Go: authenticate using a Yandex account:
    credentials := ycsdk.OAuthToken(token)
Encrypting and decrypting data
Use the encrypt and decrypt methods to encrypt and decrypt data. The code uses the following variables:
- keyId: ID of the KMS key.
- plaintext: Unencrypted text (no more than 32 KB).
- ciphertext: Encrypted text.
- aad: AAD context.
Java:
    // Build the service factory once with the credentials obtained above.
    ServiceFactoryConfig config = ServiceFactoryConfig.builder()
        .credentials(credentials)
        .build();
    SymmetricCryptoServiceBlockingStub symmetricCryptoService = new ServiceFactory(config).create(
        SymmetricCryptoServiceBlockingStub.class,
        SymmetricCryptoServiceGrpc::newBlockingStub
    );
    ...
    // Encrypt: the service returns the ciphertext; the key itself never leaves KMS.
    byte[] ciphertext = symmetricCryptoService.encrypt(SymmetricEncryptRequest.newBuilder()
        .setKeyId(keyId)
        .setPlaintext(ByteString.copyFrom(plaintext))
        .setAadContext(ByteString.copyFrom(aad))
        .build()
    ).getCiphertext().toByteArray();
    ...
    // Decrypt with the same key ID and the same AAD context.
    byte[] plaintext = symmetricCryptoService.decrypt(SymmetricDecryptRequest.newBuilder()
        .setKeyId(keyId)
        .setCiphertext(ByteString.copyFrom(ciphertext))
        .setAadContext(ByteString.copyFrom(aad))
        .build()
    ).getPlaintext().toByteArray();
Go (ycsdk is github.com/yandex-cloud/go-sdk, kms is github.com/yandex-cloud/go-genproto/yandex/cloud/kms/v1, ctx is a context.Context):
    // Build the SDK client once with the credentials obtained above.
    sdk, err := ycsdk.Build(ctx, ycsdk.Config{
        Credentials: credentials,
    })
    if err != nil {
        log.Fatal(err)
    }
    ...
    // Encrypt: the service returns the ciphertext; the key itself never leaves KMS.
    encryptResponse, err := sdk.KMSCrypto().SymmetricCrypto().Encrypt(ctx, &kms.SymmetricEncryptRequest{
        KeyId:      keyId,
        Plaintext:  plaintext,
        AadContext: aad,
    })
    if err != nil {
        log.Fatal(err)
    }
    ciphertext := encryptResponse.Ciphertext
    ...
    // Decrypt with the same key ID and the same AAD context.
    decryptResponse, err := sdk.KMSCrypto().SymmetricCrypto().Decrypt(ctx, &kms.SymmetricDecryptRequest{
        KeyId:      keyId,
        Ciphertext: ciphertext,
        AadContext: aad,
    })
    if err != nil {
        log.Fatal(err)
    }
    decrypted := decryptResponse.Plaintext // equals the original plaintext
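Two details of the calls above matter most in practice: the 32 KB plaintext limit on the direct encrypt call (the reason the page recommends envelope encryption for larger data) and the AAD context, which the service authenticates, so decryption with a different AAD fails. The following Go program is an added example and is not part of this page or of the Yandex.Cloud SDK. It replaces the SDK client with a hypothetical local AES-256-GCM stand-in (`localKMS`, whose key never leaves the struct, standing in for the service), enforces the size limit on the direct call, and layers envelope encryption on top of it so that only a 32-byte data key is ever sent to "KMS" while a payload of any size is sealed locally. The key ID `example-key-id`, the AAD values and the 1 MiB payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const MaxKMSPlaintext = 32 * 1024 // plaintext limit stated for the direct KMS Encrypt call

// localKMS is a hypothetical stand-in for the SDK's SymmetricCrypto client: one AES-256-GCM key that never leaves it.
type localKMS struct{ id string; aead cipher.AEAD }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is unrecoverable here
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext; aad is authenticated but not stored with the result.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(aead cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt mirrors the direct KMS call, including its plaintext size limit.
func (k *localKMS) Encrypt(keyID string, plaintext, aad []byte) ([]byte, error) {
	if keyID != k.id {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	if len(plaintext) > MaxKMSPlaintext {
		return nil, fmt.Errorf("plaintext is %d bytes, limit is %d", len(plaintext), MaxKMSPlaintext)
	}
	return seal(k.aead, plaintext, aad), nil
}

func (k *localKMS) Decrypt(keyID string, ciphertext, aad []byte) ([]byte, error) {
	if keyID != k.id {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return open(k.aead, ciphertext, aad) // authentication fails if aad differs from Encrypt
}

// Envelope is the stored form: a KMS-wrapped data key plus the payload sealed locally under it.
type Envelope struct{ WrappedKey, Sealed []byte }

// EnvelopeEncrypt handles plaintext of any size; only the 32-byte data key is sent to KMS.
func EnvelopeEncrypt(kms *localKMS, keyID string, plaintext, aad []byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	wrapped, err := kms.Encrypt(keyID, dataKey, aad)
	if err != nil {
		return nil, err
	}
	aead, _ := newGCM(dataKey) // a fresh 32-byte key cannot make NewCipher fail
	return &Envelope{WrappedKey: wrapped, Sealed: seal(aead, plaintext, aad)}, nil
}

// EnvelopeDecrypt unwraps the data key through KMS (same keyID and aad), then opens locally.
func EnvelopeDecrypt(kms *localKMS, keyID string, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := kms.Decrypt(keyID, env.WrappedKey, aad)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Sealed, aad)
}

func main() {
	aead, _ := newGCM(randomBytes(32))
	kms, aad := &localKMS{id: "example-key-id", aead: aead}, []byte("record=42") // constructed values
	env, err := EnvelopeEncrypt(kms, "example-key-id", make([]byte, 1<<20), aad)  // 1 MiB payload
	if err != nil {
		panic(err)
	}
	_, badAAD := EnvelopeDecrypt(kms, "example-key-id", env, []byte("record=43"))
	fmt.Printf("wrapped key %d bytes; wrong-AAD error: %v\n", len(env.WrappedKey), badAAD)
}
```

To use this against the real service, replace the `kms.Encrypt` and `kms.Decrypt` calls inside the two `Envelope` functions with the `sdk.KMSCrypto().SymmetricCrypto()` Encrypt and Decrypt calls shown above; nothing else changes. A wrong AAD fails at the unwrap step before the payload is touched, and because the AAD is authenticated rather than stored, the caller must be able to reconstruct it deterministically (for example from the record identifier the data belongs to).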