Yandex Key Management Service

Data encryption

Written by
Yandex Cloud
  • Before you begin
  • Encrypt data
  • Decrypt data

In this section, you will learn how to use KMS to encrypt and decrypt small pieces of data (up to 32 KB) using the CLI and API. Larger data is handled with envelope encryption rather than direct encrypt calls; for more information about the available encryption methods, see Which encryption method should I choose?

Before you begin

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

Encrypt data

CLI

The command encrypts the plaintext passed in --plaintext-file and writes the resulting ciphertext to --ciphertext-file:

  • --id: ID of the KMS key. Set either --id or --name.
  • --name: Name of the KMS key. Set either --id or --name.
  • --version-id (optional): Version of the KMS key to use for encryption. The primary version is used by default.
  • --plaintext-file: Input file with the plaintext (up to 32 KB).
  • --aad-context-file (optional): Input file with the AAD context. The AAD context is authenticated together with the plaintext but is not encrypted and is not stored in the ciphertext: you must pass the same AAD context when decrypting, otherwise decryption fails.
  • --ciphertext-file: Output file with the ciphertext.
yc kms symmetric-crypto encrypt \
  --id abj76v82ficsmn446ri7 \
  --plaintext-file plaintext-file \
  --ciphertext-file ciphertext-file

API

Use the encrypt method for the SymmetricCrypto resource. The plaintext and AAD context are passed as base64-encoded strings in the request body, and the response contains the key ID, the key version used, and the base64-encoded ciphertext.

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. They store the infrastructure description in HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Mozilla Public License.

For more information about the provider resources, see the documentation on the Terraform site or mirror site.

If you change the configuration files, Terraform automatically determines which part of your configuration is already deployed and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To encrypt data:

  1. In the configuration file, describe the parameters of the yandex_kms_secret_ciphertext resource and specify the KMS key in the key_id field:

    resource "yandex_kms_secret_ciphertext" "password" {
      key_id      = "<key ID>"
      aad_context = "additional authenticated data"
      plaintext   = "strong password"
    }
    

    Where:

    • key_id: KMS key ID.
    • aad_context (optional): AAD context, a string that is authenticated together with the plaintext but not encrypted. The same value must be supplied to decrypt the ciphertext.
    • plaintext: String to be encrypted.

    Warning

    yandex_kms_secret_ciphertext lets you keep secrets encrypted in the infrastructure you deploy. However, specifying plaintext and aad_context as literals in the configuration file is not safe in general: anyone who can read the configuration files, the plan or apply logs, or the Terraform state can recover them, and the plaintext attribute of the resource is always written to the state. Prefer supplying the secret through a variable marked sensitive = true (for example, via a TF_VAR_ environment variable), and restrict access to the state backend.

    For more information about resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using the command:

    terraform validate
    

    If the configuration is correct, the following message is returned:

    Success! The configuration is valid.
    
  3. Run the command:

    terraform plan
    

    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    The ciphertext is then available as the ciphertext attribute of the resource, and the original plaintext as its plaintext attribute.

    To check, you can add the following code with the decrypted_pass output variable to a configuration file.

    Alert

    This is not safe and is only suitable for testing: terraform output prints the plaintext to the terminal, and the output value is stored in the state as well. sensitive = true only redacts it from plan and apply output.

    output "decrypted_pass" {
      sensitive = true
      value     = yandex_kms_secret_ciphertext.password.plaintext
    }
    

    After updating the configuration, you can check the encrypted data using the command:

    terraform output decrypted_pass
    

    Result:

    "strong password"
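A variant of the Terraform procedure above that keeps the literal secret out of main.tf, written as a POSIX shell script (an added example, not from the Yandex Cloud documentation or the provider). The secret is read from a Terraform variable marked sensitive = true and supplied through the TF_VAR_db_password environment variable, so it never appears in a .tf file. The script also includes a check that greps a state file for the plaintext, because the plaintext attribute of yandex_kms_secret_ciphertext is still written to terraform.tfstate regardless of the sensitive flag. The function names write_config, state_leaks_plaintext and apply_demo are mine; the provider credentials and folder are assumed to come from a provider configuration you have already set up alongside the generated file.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs or the Terraform provider:
# keep the secret out of the .tf file via a sensitive variable, and check a
# state file for the plaintext before deciding where that state may live.
set -u

# Write a minimal config into $1 for KMS key $2. The literal secret and AAD
# context from the docs are replaced by variables; var.db_password carries
# sensitive = true so plan/apply output redacts it.
write_config() {
    dir=$1; key_id=$2
    cat > "$dir/main.tf" <<EOF
terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

# Provider credentials/folder are assumed to be configured in a separate
# provider.tf in this directory, as described in the provider setup docs.

variable "db_password" {
  type      = string
  sensitive = true
}

variable "aad_context" {
  type    = string
  default = "service=billing;env=prod"
}

resource "yandex_kms_secret_ciphertext" "password" {
  key_id      = "$key_id"
  aad_context = var.aad_context
  plaintext   = var.db_password
}

output "ciphertext" {
  value = yandex_kms_secret_ciphertext.password.ciphertext
}
EOF
}

# Return 0 if the plaintext string appears verbatim in the state file, 1 otherwise.
# sensitive = true hides the value from CLI output but NOT from terraform.tfstate,
# because the resource stores `plaintext` as an attribute. Secrets containing
# characters that JSON escapes (quotes, backslashes) would need a JSON-aware check.
state_leaks_plaintext() {
    state=$1; secret=$2
    grep -F -q -- "$secret" "$state"
}

# Caller supplies the secret through the environment: Terraform reads
# TF_VAR_db_password as var.db_password. Requires terraform and a configured provider.
apply_demo() {
    dir=$1; key_id=$2
    : "${TF_VAR_db_password:?set TF_VAR_db_password before running apply_demo}"
    write_config "$dir" "$key_id"
    ( cd "$dir" && terraform init -input=false && terraform apply -auto-approve ) || return 1
    if state_leaks_plaintext "$dir/terraform.tfstate" "$TF_VAR_db_password"; then
        echo "plaintext is present in terraform.tfstate; restrict access to the state backend" >&2
    fi
}

# Run only when explicitly asked; KMS_DEMO_KEY_ID is this script's own variable.
if [ -n "${KMS_DEMO_KEY_ID:-}" ]; then
    apply_demo "$(mktemp -d)" "$KMS_DEMO_KEY_ID"
fi
```

Run it as `TF_VAR_db_password='...' KMS_DEMO_KEY_ID=<key ID> sh script.sh`. The state check is the part worth keeping in a pipeline: it turns the warning above into a concrete gate, and it will fire, which is the point; what you do about it is to store the state in a backend with access controls at least as strict as those on the secret itself.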
    

For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.

Decrypt data

CLI

The command decrypts the ciphertext passed in --ciphertext-file and writes the resulting plaintext to --plaintext-file:

  • --id: ID of the KMS key. Set either --id or --name.
  • --name: Name of the KMS key. Set either --id or --name.
  • --ciphertext-file: Input file with the ciphertext. The ciphertext records which key version was used for encryption, so no version needs to be specified for decryption.
  • --aad-context-file (optional): Input file with the AAD context. It must contain exactly the AAD context that was used for encryption; if it does not match, or is omitted when one was used, KMS refuses to decrypt.
  • --plaintext-file: Output file with the plaintext.
yc kms symmetric-crypto decrypt \
  --id abj76v82ficsmn446ri7 \
  --ciphertext-file ciphertext-file \
  --plaintext-file decrypted-file

API

Use the decrypt method for the SymmetricCrypto resource. The ciphertext and AAD context are passed as base64-encoded strings in the request body, and the response contains the base64-encoded plaintext.
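The encrypt and decrypt commands from this page, put together into a POSIX shell script (an added example, not from the Yandex Cloud documentation). It round-trips a constructed secret through KMS with an AAD context, checks the 32 KB plaintext limit before calling the API, and verifies that the same ciphertext is rejected when decrypted with a different AAD context, which is the property the AAD exists to provide. The key ID is read from KMS_DEMO_KEY_ID, an environment variable of this script rather than a yc setting, and the helper function names are mine; the yc flags are the ones documented above.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs: round-trip a small secret through
# KMS with the yc CLI, binding it to an AAD context, and show that decryption with
# a different AAD context is rejected. Requires an initialised yc CLI.
set -u

KMS_MAX_PLAINTEXT=32768   # symmetric encrypt accepts at most 32 KB of plaintext

# Return 0 if the file fits the 32 KB plaintext limit, 1 otherwise.
# Larger payloads need envelope encryption (generateDataKey), not encrypt.
check_plaintext_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$KMS_MAX_PLAINTEXT" ]
}

# Encrypt $2 into $3 under key $1, binding the ciphertext to the AAD context in $4.
kms_encrypt() {
    key_id=$1; plain=$2; cipher=$3; aad=$4
    if ! check_plaintext_size "$plain"; then
        echo "plaintext exceeds 32 KB; use envelope encryption" >&2
        return 1
    fi
    yc kms symmetric-crypto encrypt \
        --id "$key_id" \
        --plaintext-file "$plain" \
        --aad-context-file "$aad" \
        --ciphertext-file "$cipher"
}

# Decrypt $2 into $3 under key $1; $4 must hold the AAD context used at encryption.
kms_decrypt() {
    key_id=$1; cipher=$2; plain=$3; aad=$4
    yc kms symmetric-crypto decrypt \
        --id "$key_id" \
        --ciphertext-file "$cipher" \
        --aad-context-file "$aad" \
        --plaintext-file "$plain"
}

# Full demonstration against a key the caller is allowed to use.
roundtrip_demo() {
    key_id=$1
    work=$(mktemp -d)
    printf 'db-password-example' > "$work/plaintext"          # constructed sample secret
    printf 'service=billing;env=prod' > "$work/aad"            # constructed AAD context
    printf 'service=billing;env=dev'  > "$work/wrong-aad"      # same shape, different value

    kms_encrypt "$key_id" "$work/plaintext" "$work/ciphertext" "$work/aad" || return 1
    kms_decrypt "$key_id" "$work/ciphertext" "$work/decrypted" "$work/aad" || return 1
    if cmp -s "$work/plaintext" "$work/decrypted"; then
        echo "round trip OK"
    else
        echo "ERROR: decrypted data differs from the original" >&2
        return 1
    fi

    # Same key, same ciphertext, different AAD context: KMS must refuse to decrypt.
    if kms_decrypt "$key_id" "$work/ciphertext" "$work/bad" "$work/wrong-aad" 2>/dev/null; then
        echo "ERROR: decrypt succeeded with a mismatched AAD context" >&2
        return 1
    fi
    echo "mismatched AAD context rejected, as expected"
    rm -rf "$work"   # do not leave plaintext on disk
}

# Run only when explicitly asked; KMS_DEMO_KEY_ID is this script's own variable.
if [ -n "${KMS_DEMO_KEY_ID:-}" ]; then
    roundtrip_demo "$KMS_DEMO_KEY_ID"
fi
```

Run it as `KMS_DEMO_KEY_ID=<key ID> sh script.sh`. The AAD context is the place to bind a ciphertext to its intended use (service name, environment, record ID): it costs nothing to store alongside the ciphertext, and it stops a ciphertext created for one context from being decrypted in another by a caller who holds the same key permissions.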

For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.

See also

  • Command line interface (YC CLI).
  • Encryption in Key Management Service.
  • Managing keys in KMS.
  • Encrypting secrets in Hashicorp Terraform.
