Get started
Yandex Key Management Service

Encrypting data using the Yandex Cloud SDK

Written by

You can use Key Management Service with the Yandex Cloud SDK. The SDK is available for Java, Go, Python, and Node.js.

The Yandex Cloud SDK is most convenient for encrypting small amounts of data (the limit on the size of plaintext is 32 KB). To encrypt larger amounts of data, we recommend using the AWS Encryption SDK or Google Tink. They encrypt data using envelope encryption.

Adding dependencies

Before you start, you need to add dependencies.

Add dependencies using Apache Maven:

<dependency>
    <groupId>com.yandex.cloud</groupId>
    <artifactId>java-sdk-services</artifactId>
    <version>2.4.2</version>
</dependency>

Install the SDK:

go get github.com/yandex-cloud/go-sdk

Authentication

You can authenticate using:

Authentication using the service account linked to the Yandex Cloud VM

Authenticate using the service account linked to the VM:

CredentialProvider credentialProvider = Auth.computeEngineBuilder().build();

Authenticate using the service account linked to the VM:

credentials := ycsdk.InstanceServiceAccount()

Authentication using any service account

The key.json file must contain an authorized key for the service account. For information about how to create authorized keys, see Creating authorized keys.

Authenticate using any service account:

CredentialProvider credentialProvider = Auth.apiKeyBuilder().fromFile(Paths.get("key.json")).build();

Authenticate using any service account:

authorizedKey, err := iamkey.ReadFromJSONFile("key.json")
if err != nil {...}
credentials, err := ycsdk.ServiceAccountKey(authorizedKey)
if err != nil {...}

Authentication using a Yandex account

The token variable is your OAuth token.

Authenticate using a Yandex account:

CredentialProvider credentialProvider = Auth.oauthTokenBuilder().build();

Authenticate using a Yandex account:

credentials := ycsdk.OAuthToken(token)

Encrypting and decrypting data

Use the encrypt and decrypt methods to encrypt and decrypt data. The code uses the following variables:

  • endpointapi.cloud.yandex.net:443.
  • keyId: ID of the KMS key.
  • plaintext: Unencrypted text (no more than 32 KB).
  • ciphertext: Encrypted text.
  • aad: AAD context.
SymmetricCryptoServiceBlockingStub symmetricCryptoService = ServiceFactory.builder()
    .endpoint(endpoint)
    .credentialProvider(credentialProvider)
    .build()
    .create(
        SymmetricCryptoServiceBlockingStub.class,
        SymmetricCryptoServiceGrpc::newBlockingStub
    );

...

byte[] ciphertext = symmetricCryptoService.encrypt(SymmetricEncryptRequest.newBuilder()
    .setKeyId(keyId)
    .setPlaintext(ByteString.copyFrom(plaintext))
    .setAadContext(ByteString.copyFrom(aad))
    .build()
).getCiphertext().toByteArray();

...

byte[] plaintext = symmetricCryptoService.decrypt(SymmetricDecryptRequest.newBuilder()
    .setKeyId(keyId)
    .setCiphertext(ByteString.copyFrom(ciphertext))
    .setAadContext(ByteString.copyFrom(aad))
    .build()
).getPlaintext().toByteArray();


sdk, err := ycsdk.Build(context, ycsdk.Config{
  Endpoint:    endpoint,
  Credentials: credentials,
})
if err != nil {...}

...

response, err := sdk.KMSCrypto().SymmetricCrypto().Encrypt(context, &kms.SymmetricEncryptRequest{
  KeyId:      keyId,
  Plaintext:  plaintext,
  AadContext: aad,
})
if err != nil {...}
ciphertext := response.Ciphertext

...

response, err := sdk.KMSCrypto().SymmetricCrypto().Decrypt(context, &kms.SymmetricDecryptRequest{
  KeyId:      keyId,
  Ciphertext: ciphertext,
  AadContext: aad,
})
if err != nil {...}
plaintext := response.Plaintext

See also

In this article: