Yandex Key Management Service

Encrypting data using the Yandex.Cloud CLI and API

In KMS, you can encrypt and decrypt small amounts of data (up to 32 KB). For more information about available encryption methods, see Which encryption method should I choose?

Before you start

If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

Encrypt data

The CLI command encrypts the plaintext passed in --plaintext-file and writes the resulting ciphertext to --ciphertext-file.

  • --id: ID of the KMS key. Set either the --id or the --name flag.
  • --name: Name of the KMS key. Set either the --id or the --name flag.
  • --version-id (optional): Version of the KMS key to be used for encryption. The primary version is used by default.
  • --plaintext-file: Input file with plaintext.
  • --aad-context-file (optional): Input file with AAD context.
  • --ciphertext-file: Output file with ciphertext.
$ yc kms symmetric-crypto encrypt \
  --id abj76v82ficsmn446ri7 \
  --plaintext-file plaintext-file \
  --ciphertext-file ciphertext-file

To encrypt data through the API, use the encrypt method for the SymmetricCrypto resource.

For information about how to encrypt and decrypt data using the Yandex.Cloud SDK, see Encrypting data using the Yandex.Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.

Decrypt data

The CLI command decrypts the ciphertext passed in --ciphertext-file and writes the resulting plaintext to --plaintext-file:

  • --id: ID of the KMS key. Set either the --id or the --name flag.
  • --name: Name of the KMS key. Set either the --id or the --name flag.
  • --ciphertext-file: Input file with ciphertext.
  • --aad-context-file (optional): Input file with AAD context.
  • --plaintext-file: Output file with plaintext.
$ yc kms symmetric-crypto decrypt \
  --id abj76v82ficsmn446ri7 \
  --ciphertext-file ciphertext-file \
  --plaintext-file decrypted-file

To decrypt data through the API, use the decrypt method for the SymmetricCrypto resource.

For information about how to encrypt and decrypt data using the Yandex.Cloud SDK, see Encrypting data using the Yandex.Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.
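
The following wrapper is an added example, not part of the Yandex.Cloud documentation. It uses only the yc flags listed above to enforce the size limit before encrypting, pass the same AAD context file to both commands, and verify a round trip. The function names are hypothetical, and reading the 32 KB limit as 32768 bytes is an assumption.

```shell
# Added example, not from the Yandex.Cloud docs. Function names are hypothetical.
KMS_MAX_BYTES=32768  # assumption: the documented 32 KB limit taken as 32768 bytes

# kms_check_size FILE: succeed only if FILE exists and fits the KMS limit.
kms_check_size() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -le "$KMS_MAX_BYTES" ] || {
    echo "$1: $size bytes exceeds the $KMS_MAX_BYTES-byte limit" >&2
    return 1
  }
}

# kms_encrypt KEY_ID PLAINTEXT AAD_FILE CIPHERTEXT
kms_encrypt() {
  kms_check_size "$2" || return 1
  # umask 077 in a subshell: output is owner-only if yc honours the umask.
  ( umask 077
    yc kms symmetric-crypto encrypt --id "$1" \
      --plaintext-file "$2" --aad-context-file "$3" --ciphertext-file "$4" )
}

# kms_decrypt KEY_ID CIPHERTEXT AAD_FILE PLAINTEXT
# AAD_FILE must hold the same bytes that were passed at encryption time.
kms_decrypt() {
  ( umask 077
    yc kms symmetric-crypto decrypt --id "$1" \
      --ciphertext-file "$2" --aad-context-file "$3" --plaintext-file "$4" )
}

# kms_roundtrip KEY_ID PLAINTEXT AAD_FILE: encrypt, decrypt, compare byte for byte.
kms_roundtrip() {
  tmp=$(mktemp -d) || return 1
  if kms_encrypt "$1" "$2" "$3" "$tmp/ct" &&
     kms_decrypt "$1" "$tmp/ct" "$3" "$tmp/pt" &&
     cmp -s "$2" "$tmp/pt"; then rc=0; else rc=1; fi
  rm -rf "$tmp"   # remove the temporary ciphertext and decrypted copy
  return "$rc"
}
```

The AAD context is not stored in the ciphertext file, so keep it alongside the record it protects (for example a record ID or file path) and supply it again at decryption.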

See also

  • YC CLI.
  • Encryption in Key Management Service.
  • Managing keys in KMS.
© 2021 Yandex.Cloud LLC