© 2023 Intertech Services AG

Encrypting data using the Yandex Cloud SDK

Written by
Yandex Cloud
  • Adding dependencies
  • Authentication
    • Authentication using the service account linked to the Yandex Cloud VM
    • Authentication using any service account
    • Authentication using a Yandex account
  • Encrypting and decrypting data

You can use Key Management Service with the Yandex Cloud SDK. The SDK is available for Java, Go, Python, and Node.js.

The Yandex Cloud SDK is most convenient for encrypting small amounts of data (the limit on the size of plaintext is 32 KB). To encrypt larger amounts of data, we recommend using the AWS Encryption SDK or Google Tink. They encrypt data using envelope encryption.

Adding dependencies

Before you start, you need to add dependencies.

Java

Add dependencies using Apache Maven:

<dependency>
    <groupId>com.yandex.cloud</groupId>
    <artifactId>java-sdk-services</artifactId>
    <version>2.4.2</version>
</dependency>

Go

Install the SDK:

go get github.com/yandex-cloud/go-sdk

Authentication

You can authenticate using:

  • The service account linked to the Yandex Cloud VM.
  • Any service account.
  • A Yandex account.

Authentication using the service account linked to the Yandex Cloud VM

Java

Authenticate using the service account linked to the VM:

CredentialProvider credentialProvider = Auth.computeEngineBuilder().build();

Go

Authenticate using the service account linked to the VM:

credentials := ycsdk.InstanceServiceAccount()

Authentication using any service account

The key.json file must contain an authorized key for the service account. For information about how to create authorized keys, see Creating authorized keys.

Java

Authenticate using any service account:

CredentialProvider credentialProvider = Auth.apiKeyBuilder().fromFile(Paths.get("key.json")).build();

Go

Authenticate using any service account:

authorizedKey, err := iamkey.ReadFromJSONFile("key.json")
if err != nil {...}
credentials, err := ycsdk.ServiceAccountKey(authorizedKey)
if err != nil {...}

Authentication using a Yandex account

The token variable is your OAuth token.

Java

Authenticate using a Yandex account:

CredentialProvider credentialProvider = Auth.oauthTokenBuilder().build();

Go

Authenticate using a Yandex account:

credentials := ycsdk.OAuthToken(token)

Encrypting and decrypting data

Use the encrypt and decrypt methods to encrypt and decrypt data. The code uses the following variables:

  • endpoint: api.cloud.yandex.net:443.
  • keyId: ID of the KMS key.
  • plaintext: Unencrypted text (no more than 32 KB).
  • ciphertext: Encrypted text.
  • aad: AAD context (additional authenticated data). It is not encrypted, but it is bound to the ciphertext, so the decrypt call must pass exactly the same aad that was used for encryption or it fails.

Java

SymmetricCryptoServiceBlockingStub symmetricCryptoService = ServiceFactory.builder()
    .endpoint(endpoint)
    .credentialProvider(credentialProvider)
    .build()
    .create(
        SymmetricCryptoServiceBlockingStub.class,
        SymmetricCryptoServiceGrpc::newBlockingStub
    );

...

byte[] ciphertext = symmetricCryptoService.encrypt(SymmetricEncryptRequest.newBuilder()
    .setKeyId(keyId)
    .setPlaintext(ByteString.copyFrom(plaintext))
    .setAadContext(ByteString.copyFrom(aad))
    .build()
).getCiphertext().toByteArray();

...

byte[] plaintext = symmetricCryptoService.decrypt(SymmetricDecryptRequest.newBuilder()
    .setKeyId(keyId)
    .setCiphertext(ByteString.copyFrom(ciphertext))
    .setAadContext(ByteString.copyFrom(aad))
    .build()
).getPlaintext().toByteArray();

Go

sdk, err := ycsdk.Build(context, ycsdk.Config{
  Endpoint:    endpoint,
  Credentials: credentials,
})
if err != nil {...}

...

response, err := sdk.KMSCrypto().SymmetricCrypto().Encrypt(context, &kms.SymmetricEncryptRequest{
  KeyId:      keyId,
  Plaintext:  plaintext,
  AadContext: aad,
})
if err != nil {...}
ciphertext := response.Ciphertext

...

response, err := sdk.KMSCrypto().SymmetricCrypto().Decrypt(context, &kms.SymmetricDecryptRequest{
  KeyId:      keyId,
  Ciphertext: ciphertext,
  AadContext: aad,
})
if err != nil {...}
plaintext := response.Plaintext
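The page recommends envelope encryption for anything above the 32 KB limit and stresses that aad must match on both sides. The Go below is an added example, not code from the Yandex Cloud SDK: KeyWrapper is an assumed interface shaped like the SymmetricCrypto Encrypt/Decrypt calls above (in production you would implement it with sdk.KMSCrypto().SymmetricCrypto() from the snippet), localKMS is a constructed offline stand-in for the service, and Seal/Open, gcmSeal/gcmOpen and the key ID values are all mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcmSeal returns nonce||AES-256-GCM ciphertext bound to aad; gcmOpen reverses it and fails on tampering or on a different AAD.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, 12)       // standard GCM nonce size, fresh per call
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { return nil, errors.New("bad key or ciphertext too short") }
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, blob[:12], blob[12:], aad)
}
// KeyWrapper has the shape of this page's KMS Encrypt/Decrypt calls (key ID, plaintext or ciphertext, AAD context); the Yandex Cloud SDK client fills this role in production.
type KeyWrapper interface {
	Encrypt(keyID string, plaintext, aad []byte) ([]byte, error)
	Decrypt(keyID string, ciphertext, aad []byte) ([]byte, error)
}
type localKMS map[string][]byte // constructed offline stand-in: one 32-byte key per key ID, enforcing the page's 32 KB plaintext limit
func (l localKMS) Encrypt(id string, pt, aad []byte) ([]byte, error) {
	if len(pt) > 32*1024 { return nil, errors.New("plaintext exceeds the 32 KB KMS limit") }
	return gcmSeal(l[id], pt, aad)
}
func (l localKMS) Decrypt(id string, ct, aad []byte) ([]byte, error) { return gcmOpen(l[id], ct, aad) }
// Seal encrypts data of any size: a fresh 32-byte data key protects the payload locally and only that key goes through the 32 KB-limited KMS call; Open unwraps it with the same AAD and reverses the steps.
func Seal(w KeyWrapper, keyID string, data, aad []byte) (wrappedDEK, payload []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil { return nil, nil, err }
	if payload, err = gcmSeal(dek, data, aad); err != nil { return nil, nil, err }
	wrappedDEK, err = w.Encrypt(keyID, dek, aad) // the KMS call: 32 bytes, far below 32 KB
	return wrappedDEK, payload, err
}
func Open(w KeyWrapper, keyID string, wrappedDEK, payload, aad []byte) ([]byte, error) {
	dek, err := w.Decrypt(keyID, wrappedDEK, aad)
	if err != nil { return nil, err }
	return gcmOpen(dek, payload, aad)
}
```

Seal returns the wrapped data key and the payload, which are stored together; Open with a different aad or an unknown key ID returns an error instead of plaintext.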

See also

  • Yandex Cloud Java SDK.
    • Examples of how to use KMS with the Java SDK.
  • Yandex Cloud Go SDK.
