Yandex Key Management Service

A service for managing cryptographic keys. Use keys to protect the secrets, personal data, and sensitive information you store in the cloud.

Key management
Create and delete keys, set up access policies, and perform rotation via the management console, CLI, or API.
Data encryption
Yandex KMS supports the REST and gRPC APIs for encrypting and decrypting small chunks of data, like secrets and local encryption keys.
Access control and security
You manage access to encrypted data, and Yandex KMS ensures the reliability and physical security of keys.
SDK integration
To encrypt small amounts of data, use the SDK in Java or Go. For large amounts of data, the service integrates with popular encryption libraries, including the AWS Encryption SDK and Google Tink.
Audit key actions
Verify access to encrypted data via key logs. Yandex KMS registers all API requests, including actions for managing keys and using keys to encrypt and decrypt data.
Integration with other services
Protect your secrets and data using encryption keys in Managed Service for Kubernetes.

Getting started

Encrypt your secrets with Yandex Managed Service for Kubernetes using a KMS key. To do this, create a KMS key and use it when creating a Kubernetes cluster.

Create a key

Questions and answers

What is a cryptographic key?

A key is a set of versions, each of which defines an algorithm and cryptographic material for data encryption or decryption operations. The key is created along with its first version, which becomes the primary one. The primary version is used by default in key operations unless you specify a different version in the input parameters.

What encryption scheme is used in Key Management Service?

Symmetric encryption. It uses the same (symmetric) key for both data encryption and decryption. KMS supports AES in GCM mode with 128-, 192-, or 256-bit keys.

How much data can I encrypt?

On the service side, you can encrypt up to 32 KB of data. Larger data can be encrypted using envelope encryption on the client side.
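
The 32 KB limit and client-side envelope encryption described above, as an added Go example that is not Yandex KMS or SDK code. `kmsEncrypt` and the locally held key-encryption key (`kek`) are hypothetical stand-ins for the service-side encrypt and decrypt calls, used so the example runs offline with only the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aesGCM seals in (output: nonce || ciphertext || tag) or, if !encrypt, opens it.
func aesGCM(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil || (!encrypt && len(in) < 12) {
		return nil, errors.New("bad key size or truncated ciphertext")
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	if !encrypt {
		return gcm.Open(nil, in[:12], in[12:], nil) // errors if modified
	}
	nonce := make([]byte, 12)
	rand.Read(nonce) // fresh random nonce for every message
	return gcm.Seal(nonce, nonce, in, nil), nil
}

// kmsEncrypt is a hypothetical local stand-in for the service-side encrypt call.
func kmsEncrypt(kek, pt []byte) ([]byte, error) {
	if len(pt) > 32*1024 { // service-side limit stated on the page
		return nil, errors.New("plaintext exceeds the 32 KB service-side limit")
	}
	return aesGCM(kek, pt, true)
}

// EnvelopeEncrypt encrypts data locally under a fresh DEK and wraps only the DEK.
func EnvelopeEncrypt(kek, data []byte) (wrappedDEK, ct []byte, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	ct, _ = aesGCM(dek, data, true) // a 32-byte DEK is always a valid AES key
	wrappedDEK, err = kmsEncrypt(kek, dek)
	return wrappedDEK, ct, err
}

// EnvelopeDecrypt unwraps the DEK (stand-in for the decrypt call), then decrypts.
func EnvelopeDecrypt(kek, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := aesGCM(kek, wrappedDEK, false)
	if err != nil {
		return nil, err
	}
	return aesGCM(dek, ct, false)
}
func main() {}
```

Store the wrapped DEK next to the ciphertext; only the 60-byte wrapped DEK ever has to pass through the key service, whatever the size of the data.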

Get started with Key Management Service