Key Management Service is a service for creating and managing encryption keys in Yandex.Cloud.
Modern encryption algorithms are public (Kerckhoffs's principle): knowing the ciphertext and the algorithm is not enough to decrypt the data without the key. Storing data securely therefore comes down to storing the encryption keys securely.
The data to be encrypted varies widely, from passwords, OAuth tokens, and SSH keys to data arrays that are several GB in size. Each kind may require a different access pattern (random or sequential) and a different type of storage, and the most suitable encryption scheme depends on these factors. With a large amount of data, it's important both to control access to all of it consistently and to take the specifics of each type into account.
Key Management Service meets the above objectives and provides secure and centralized storage for encryption keys.
Interfaces for using the service
To interact with KMS, you can use:
- Management console.
- Command line interface (CLI).
- SDK: in Java, Go, Python, or Node.js.
- API: REST or gRPC.
A key is the main KMS resource: a set of versions of cryptographic material that can be used to encrypt or decrypt data. You control the lifecycle of the cryptographic material by managing keys:
Key integration with services and tools
You can use KMS keys:
- In Yandex.Cloud services:
- When working with Terraform.
- In cryptographic libraries:
Secure key storage
Cryptographic key material is stored in encrypted form and is never available as plaintext outside KMS. Through the service API you can encrypt or decrypt the data you send with a specific key, but you can't retrieve the key material itself. It is decrypted into memory only for the duration of an operation with the corresponding key.
All access control features provided by Identity and Access Management are available for keys. For more information about managing access and assigning roles, see Access management.
Key usage audit
Ciphertext can't be decrypted without access to the appropriate key, and every key operation is written to the audit log. So, in addition to encryption itself, an important benefit of KMS is that access to encrypted data can be audited through the key logs.
Each entry in the audit log contains the following information:
- Date and time.
- Type of operation.
- The key used.
- Subject (a Yandex.Cloud account or service account).
To get the audit logs, contact technical support.
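The following Go program is an added example, not Yandex's code or SDK, that models the properties described on this page in one place: key material that never leaves the service (the key definition and the "Secure key storage" section), IAM-style access control, and a per-operation audit record carrying the date and time, operation type, key and subject listed above, together with key versions and rotation. The `KMS` type, its `Perms` map, the subject names, and the `[version byte | 12-byte nonce | AES-GCM output]` blob layout are assumptions made for the illustration; the real service returns an opaque ciphertext and is governed by IAM roles rather than a permissions map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// AuditEntry has the fields the page lists for a log record; Allowed is a modelling addition.
type AuditEntry struct {
	Time                      time.Time
	Operation, KeyID, Subject string
	Allowed                   bool
}

// KMS is a toy in-process model, not Yandex's implementation. Key material only
// ever exists inside the AEAD objects in the unexported map; no method returns it.
type KMS struct {
	versions map[string][]cipher.AEAD   // keyID -> AES-256-GCM versions; the last is primary
	Perms    map[string]map[string]bool // subject -> operation -> allowed (stands in for IAM roles)
	Audit    []AuditEntry
}

func NewKMS() *KMS {
	return &KMS{versions: map[string][]cipher.AEAD{}, Perms: map[string]map[string]bool{}}
}

// random panics on failure: crypto/rand only fails on a broken platform.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// RotateKey appends a fresh 256-bit version and returns its number; older
// versions are kept so ciphertext produced under them stays decryptable.
func (k *KMS) RotateKey(keyID string) (int, error) {
	block, err := aes.NewCipher(random(32))
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	k.versions[keyID] = append(k.versions[keyID], aead)
	return len(k.versions[keyID]), nil
}

// authorize records every request, allowed or denied, before it is served.
func (k *KMS) authorize(subject, op, keyID string) error {
	ok := k.Perms[subject][op]
	k.Audit = append(k.Audit, AuditEntry{time.Now(), op, keyID, subject, ok})
	if !ok {
		return fmt.Errorf("%s: %s on %s denied", subject, op, keyID)
	}
	return nil
}

// Encrypt seals under the primary version and returns an opaque blob (assumed layout:
// version byte, 12-byte nonce, AES-GCM output). aad is bound to the blob and must be repeated on Decrypt.
func (k *KMS) Encrypt(subject, keyID string, plaintext, aad []byte) ([]byte, error) {
	if err := k.authorize(subject, "encrypt", keyID); err != nil {
		return nil, err
	}
	vs := k.versions[keyID]
	if len(vs) == 0 {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	nonce := random(12)
	return vs[len(vs)-1].Seal(append([]byte{byte(len(vs))}, nonce...), nonce, plaintext, aad), nil
}

// Decrypt uses whichever version the blob names, so rotation never strands old data.
func (k *KMS) Decrypt(subject, keyID string, blob, aad []byte) ([]byte, error) {
	if err := k.authorize(subject, "decrypt", keyID); err != nil {
		return nil, err
	}
	vs := k.versions[keyID]
	if len(blob) < 13 || int(blob[0]) < 1 || int(blob[0]) > len(vs) {
		return nil, fmt.Errorf("%q: malformed ciphertext or unknown version", keyID)
	}
	return vs[blob[0]-1].Open(nil, blob[1:13], blob[13:], aad)
}

func main() {
	k := NewKMS()
	k.RotateKey("key-1")
	k.Perms["alice"] = map[string]bool{"encrypt": true, "decrypt": true}
	ct, _ := k.Encrypt("alice", "key-1", []byte("db password"), []byte("orders-db"))
	k.RotateKey("key-1") // ct still names version 1, so it remains readable
	pt, _ := k.Decrypt("alice", "key-1", ct, []byte("orders-db"))
	_, err := k.Decrypt("bob", "key-1", ct, []byte("orders-db")) // no role: denied but logged
	fmt.Printf("alice read %q; bob got %v; %d audit entries\n", pt, err, len(k.Audit))
}
```

Two points worth noticing when reading it: a denied request is written to `Audit` before the error is returned, which is what makes the log useful for spotting unauthorized attempts rather than only successful use; and because the blob carries its version number, rotating the key changes what new ciphertext is produced under without invalidating anything already stored.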