Secrets in Yandex Lockbox
Secret
A secret is a set of versions that store your data, such as API keys, passwords, or tokens. A version contains sets of keys and values. A key is a non-secret name that identifies a value. The value is your secret data.
You can set up access to secrets using Yandex Identity and Access Management. The roles available for different use cases are described in the Access management in Yandex Lockbox section.
Version
Yandex Lockbox stores secrets as versions. Each version contains metadata and one or more key-value pairs, which allows you to track changes and manage a secret's lifecycle.
Once created, a version cannot be changed. To change key-value pairs, create a new version: either from scratch or based on an existing version with new values.
Only one version of a secret can be valid at a time. You manage which version is valid by adding new versions or rolling back to previous ones.
You can set up access to versions of a secret in addition to access to the secret itself. This requires you to assign the lockbox.admin or lockbox.payloadViewer role. For more information about managing access, see Yandex Lockbox access management: What roles I need.
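As an added example (not code from the Yandex Lockbox documentation), a small Python client that reads a secret's payload through the Lockbox payload API, pins a specific version so that a later add-version does not silently change what the caller reads, and keeps values out of log output. The endpoint URL and the JSON field names (versionId, entries, key, textValue, binaryValue) are assumed from the public API; the sample response is constructed.

```python
import base64
import json
import urllib.request

# Assumed public payload endpoint of Yandex Lockbox (not taken from this page).
PAYLOAD_ENDPOINT = "https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets"


def parse_payload(raw: str) -> dict:
    """Turn a Lockbox payload JSON document into {"version_id": ..., "entries": {key: value}}.
    textValue entries are returned as str; binaryValue entries (base64 in JSON) as bytes."""
    doc = json.loads(raw)
    entries = {}
    for entry in doc.get("entries", []):
        if "binaryValue" in entry:
            entries[entry["key"]] = base64.b64decode(entry["binaryValue"])
        else:
            entries[entry["key"]] = entry["textValue"]
    return {"version_id": doc["versionId"], "entries": entries}


def fetch_payload(secret_id: str, iam_token: str, version_id: str = "") -> dict:
    """Read one secret's payload; the caller needs lockbox.payloadViewer on the secret.
    Passing version_id pins a deployment to one immutable version instead of the current one."""
    url = f"{PAYLOAD_ENDPOINT}/{secret_id}/payload"
    if version_id:
        url += f"?versionId={version_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {iam_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_payload(resp.read().decode())


def describe(payload: dict) -> str:
    """Log-safe summary: version id and key names only, never the values."""
    return f"version={payload['version_id']} keys={sorted(payload['entries'])}"


# Constructed sample response shaped like the payload API's JSON (not real data).
SAMPLE_RESPONSE = json.dumps({
    "versionId": "e6q000000000000000ex",
    "entries": [
        {"key": "db_password", "textValue": "s3cr3t"},
        {"key": "tls_key", "binaryValue": base64.b64encode(b"\x00\x01PEM").decode()},
    ],
})

if __name__ == "__main__":
    # Offline demonstration on the constructed response; fetch_payload needs a real IAM token.
    print(describe(parse_payload(SAMPLE_RESPONSE)))
```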
Secret encryption using Yandex Key Management Service
With Yandex Key Management Service, you can create and manage encryption keys that are used to secure secrets in Yandex Lockbox.
By default, all secrets are encrypted with a common key. However, when creating a secret, you can specify your own Yandex Key Management Service key for encrypting the secret. Using your own key has the following benefits:
- It mitigates the risk of the common key being compromised.
- You can rotate your key on your own and manage its versions.
- You can delete your key, if needed, to block access to your encrypted data.
- You can get audit logs of events connected to encryption key usage. To do this, use Yandex Audit Trails.
If you specified your own KMS key when creating a secret, assign the kms.keys.encrypterDecrypter and lockbox.payloadViewer roles for that secret. They are required to access the key and to encrypt and decrypt the secret data with it.
Warning
Each time you access a secret encrypted with your own Yandex Key Management Service key, the key use is charged as one cryptographic operation. To learn more about the cost of cryptographic operations with keys, see the Yandex Key Management Service pricing policy.