Getting started with Key Management Service
In this guide, you create your first key and then encrypt and decrypt text using KMS.
Before you start
To start working with Key Management Service:
- Log in to the management console. If you aren't registered, go to the management console and follow the instructions.
- On the billing page, make sure that you have enabled a billing account and that it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.
- Make sure that you have the owner or editor role for the cloud.
- If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
Create a symmetric encryption key
Create a symmetric encryption key:
- In the management console, select the folder where you want to create a key.
- Select Key Management Service.
- In the Keys tab, click Create and set the key parameters:
  - In the Name field, enter my-first-key.
  - In the Encryption algorithm field, specify AES-256.
  - In the Rotation period, days field, leave the value No rotation.
  - Click Create.
- Click the line with the key name and make sure the Versions section contains the first key version.
Encrypt text using the key
Come up with a secret text, for example: The launch is scheduled for Marchember 42. The text size must not exceed 32 KB. To encrypt large volumes of data, use envelope encryption.
Encrypt the text:
- Save the secret text to the plaintext.txt file.
- Copy the ID of the previously created key from the management console:
  - In the management console, go to the folder where the key was created.
  - Select Key Management Service.
  - In the window that opens, copy the key ID from the ID field.
- Encrypt the text:
  yc kms symmetric-crypto encrypt \
    --id <key ID> \
    --plaintext-file plaintext.txt \
    --ciphertext-file ciphertext
  The result is a binary file named ciphertext containing the ciphertext.
Decrypt the text
Decrypt the ciphertext binary file from the previous step.
Decrypt the text:
yc kms symmetric-crypto decrypt \
--id <key ID> \
--ciphertext-file ciphertext \
--plaintext-file decrypted.txt
As a result, the ciphertext file is decrypted and the following decrypted text is written to the decrypted.txt file: The launch is scheduled for Marchember 42.
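As an added example (not part of this guide or of the yc CLI itself), the two commands above wrapped in a POSIX shell script that refuses plaintext over the 32 KB limit before calling KMS and checks that decryption restores the original file. It assumes yc is installed and initialized, that "32 KB" means 32768 bytes, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes yc is installed and
# initialized, and that the 32 KB plaintext limit means 32768 bytes.
KMS_MAX_PLAINTEXT=32768

# file_size FILE -> size in bytes (wc -c pads its output on some systems)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# kms_plaintext_ok FILE -> 0 if FILE fits in a single encrypt call, 1 otherwise
kms_plaintext_ok() {
    size=$(file_size "$1") || return 1
    [ "$size" -le "$KMS_MAX_PLAINTEXT" ]
}

# kms_encrypt KEY_ID PLAINTEXT_FILE CIPHERTEXT_FILE
# Rejects oversized input locally instead of letting the KMS call fail.
kms_encrypt() {
    if ! kms_plaintext_ok "$2"; then
        echo "kms_encrypt: $2 exceeds $KMS_MAX_PLAINTEXT bytes; use envelope encryption" >&2
        return 1
    fi
    yc kms symmetric-crypto encrypt \
        --id "$1" --plaintext-file "$2" --ciphertext-file "$3"
}

# kms_decrypt KEY_ID CIPHERTEXT_FILE PLAINTEXT_FILE
kms_decrypt() {
    yc kms symmetric-crypto decrypt \
        --id "$1" --ciphertext-file "$2" --plaintext-file "$3"
}

# kms_roundtrip KEY_ID PLAINTEXT_FILE -> 0 only if decrypt(encrypt(x)) == x
kms_roundtrip() {
    tmpdir=$(mktemp -d) || return 1
    rc=1
    if kms_encrypt "$1" "$2" "$tmpdir/ciphertext" &&
       kms_decrypt "$1" "$tmpdir/ciphertext" "$tmpdir/decrypted.txt" &&
       cmp -s "$2" "$tmpdir/decrypted.txt"; then
        rc=0
    fi
    rm -rf "$tmpdir"
    return $rc
}

# Usage: kms_roundtrip <key ID> plaintext.txt && echo "round trip OK"
```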