© 2022 Yandex.Cloud LLC
Yandex Key Management Service

Method get

Written by
Yandex Cloud

Returns the specified symmetric KMS key.

To get the list of available symmetric KMS keys, make a list request.

HTTP request

GET https://kms.api.cloud.yandex.net/kms/v1/keys/{keyId}

Path parameters

Parameter Description
keyId

Required. ID of the symmetric KMS key to return. To get the ID of a symmetric KMS key, use a list request.

The maximum string length in characters is 50.

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "folderId": "string",
  "createdAt": "string",
  "name": "string",
  "description": "string",
  "labels": "object",
  "status": "string",
  "primaryVersion": {
    "id": "string",
    "keyId": "string",
    "status": "string",
    "algorithm": "string",
    "createdAt": "string",
    "primary": true,
    "destroyAt": "string",
    "hostedByHsm": true
  },
  "defaultAlgorithm": "string",
  "rotatedAt": "string",
  "rotationPeriod": "string",
  "deletionProtection": true
}

A symmetric KMS key that may contain several versions of the cryptographic material.

Field Description
id string

ID of the key.

folderId string

ID of the folder that the key belongs to.

createdAt string (date-time)

Time when the key was created.

String in RFC3339 text format.

name string

Name of the key.

description string

Description of the key.

labels object

Custom labels for the key as key:value pairs. Maximum 64 per key.

status string

Current status of the key.

  • CREATING: The key is being created.
  • ACTIVE: The key is active and can be used for encryption and decryption. Can be set to INACTIVE using the update method.
  • INACTIVE: The key is inactive and unusable. Can be set to ACTIVE using the update method.

primaryVersion object

Primary version of the key, used as the default for all encrypt/decrypt operations when no version ID is specified.

Symmetric KMS key version: metadata about actual cryptographic data.

primaryVersion.id string

ID of the key version.

primaryVersion.keyId string

ID of the symmetric KMS key that the version belongs to.

primaryVersion.status string

Status of the key version.

Possible version status.

  • ACTIVE: The version is active and can be used for encryption and decryption.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction; the time when it will be destroyed is specified in the destroyAt field.
  • DESTROYED: The version is destroyed and cannot be recovered.

primaryVersion.algorithm string

Encryption algorithm that should be used when using the key version to encrypt plaintext.

Supported symmetric encryption algorithms.

  • AES_128: AES algorithm with 128-bit keys.
  • AES_192: AES algorithm with 192-bit keys.
  • AES_256: AES algorithm with 256-bit keys.
  • AES_256_HSM: AES algorithm with 256-bit keys hosted by HSM.

primaryVersion.createdAt string (date-time)

Time when the key version was created.

String in RFC3339 text format.

primaryVersion.primary boolean (boolean)

Indicates whether this is the primary version, which is used by default for all cryptographic operations that don't explicitly specify a key version.

primaryVersion.destroyAt string (date-time)

Time when the key version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.

String in RFC3339 text format.

primaryVersion.hostedByHsm boolean (boolean)

Indicates whether the version is hosted by an HSM.

defaultAlgorithm string

Default encryption algorithm to be used with new versions of the key.

Supported symmetric encryption algorithms.

  • AES_128: AES algorithm with 128-bit keys.
  • AES_192: AES algorithm with 192-bit keys.
  • AES_256: AES algorithm with 256-bit keys.
  • AES_256_HSM: AES algorithm with 256-bit keys hosted by HSM.

rotatedAt string (date-time)

Time of the last key rotation (time when the last version was created). Empty if the key does not have versions yet.

String in RFC3339 text format.

rotationPeriod string

Time period between automatic key rotations.

deletionProtection boolean (boolean)

Flag that inhibits deletion of the key.
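
The following added example (not from the Yandex Cloud documentation) reviews a get response against the fields described above: it enforces the 50-character keyId limit when building the request URL and flags an inactive key, disabled deletion protection, a missing rotation period, an old rotatedAt, and a primary version that is not ACTIVE. The function names, the max_age policy value and the sample response are assumptions constructed for illustration; sending the request with credentials is left out.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

BASE = "https://kms.api.cloud.yandex.net/kms/v1/keys/"

def key_url(key_id):
    """Build the GET URL, enforcing the documented 50-character keyId limit."""
    if not key_id or len(key_id) > 50:
        raise ValueError("keyId is required and limited to 50 characters")
    return BASE + quote(key_id, safe="")

def parse_ts(value):
    """Parse an RFC3339 timestamp (whole seconds, 'Z' or numeric offset)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_key(key, now, max_age):
    """Return findings for one get response; max_age is the reviewer's policy."""
    findings = []
    if key.get("status") != "ACTIVE":
        findings.append("key status is %s" % key.get("status"))
    if not key.get("deletionProtection"):
        findings.append("deletionProtection is not enabled")
    if not key.get("rotationPeriod"):
        findings.append("rotationPeriod is not set")
    if key.get("rotatedAt"):
        age = now - parse_ts(key["rotatedAt"])
        if age > max_age:
            findings.append("last rotation was %d days ago" % age.days)
    version = key.get("primaryVersion")
    if not version:
        findings.append("key has no primary version")
    elif version.get("status") != "ACTIVE":
        findings.append("primary version is %s, destroyAt=%s"
                        % (version.get("status"), version.get("destroyAt")))
    return findings

# Constructed sample response (not real key data); unset fields are left out.
SAMPLE = json.loads("""{
  "id": "example-key-id", "name": "constructed-key", "status": "ACTIVE",
  "rotatedAt": "2021-01-01T00:00:00Z",
  "primaryVersion": {"id": "example-version-id", "keyId": "example-key-id",
    "status": "SCHEDULED_FOR_DESTRUCTION", "algorithm": "AES_256",
    "primary": true, "destroyAt": "2022-06-04T00:00:00Z"}
}""")

if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)
    print(key_url(SAMPLE["id"]))
    for line in audit_key(SAMPLE, now, timedelta(days=365)):
        print("-", line)
```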
