Key management
You can use Key Management Service to create, rotate, and destroy symmetric encryption keys.
Create a key
To create a key:
- Log in to the management console.
- Select Key Management Service.
- Click Create and set the key attributes:
- Any name and optional description.
- Encryption algorithm, such as AES-256.
- Rotation period (how often to change key versions).
- Click Create.
The key is created along with its first version: click the key in the list to open the page with its attributes.
Run the command with the following parameters:
- name: Key name.
- default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
- rotation-period: Key rotation period. To create a key without automatic rotation, don't specify the rotation-period parameter.
yc kms symmetric-key create \
--name example-key \
--default-algorithm aes-256 \
--rotation-period 24h
The key is created along with its first version. It's specified in the primary_version field.
Use the create method for the SymmetricKey resource.
Edit a key
After creating a key, you can change any of its attributes. If you change the encryption algorithm, the new algorithm is used starting with the next key version. To immediately create a new version and make it the default version, rotate the key.
To edit a key:
- Log in to the management console.
- Select Key Management Service.
- In the row with the key in question, click and select Update from the drop-down list.
- Change the key attributes and click Save.
Run the command with the following parameters:
- name: Key name. If there are multiple keys with the same name in the folder, use the key ID.
- new-name: New key name.
- default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
- rotation-period: Key rotation period. To disable automatic rotation for an updated key, don't specify the rotation-period parameter.
yc kms symmetric-key update \
--name example-key \
--new-name example-key-2 \
--default-algorithm aes-128 \
--rotation-period 48h
Use the update method for the SymmetricKey resource.
Rotate a key
When a key is rotated, a new version is generated and immediately set as the default version. You can set up automatic rotation, but you can also rotate a key manually at any time.
To rotate a key:
- Log in to the management console.
- Select Key Management Service.
- In the row with the key in question, click and select Rotate from the drop-down list.
- Confirm the rotation (make sure that changing the default version will not affect your work).
Run the command with the key ID or name specified:
yc kms symmetric-key rotate example-key
Use the rotate method for the SymmetricKey resource.
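An added check, not part of the original documentation, that reads a key description as JSON, compares the age of the primary version with the configured rotation period, and flags keys whose rotation looks overdue. The field names and the sample document are assumptions about what `yc kms symmetric-key get example-key --format json` prints, and the ids in the sample are placeholders.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the assumed `yc kms symmetric-key get --format json`
# output; ids are placeholders, not real resource ids.
SAMPLE_KEY_JSON = """{
  "id": "KEY-ID-PLACEHOLDER",
  "name": "example-key",
  "default_algorithm": "AES_256",
  "rotation_period": "24h",
  "primary_version": {
    "id": "VERSION-ID-PLACEHOLDER",
    "created_at": "2024-05-01T10:00:00Z"
  }
}"""

_UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_period(text):
    """Parse a rotation period such as '24h' (the CLI form on this page) or
    '86400s' (protobuf Duration form). None or '' means rotation is off."""
    if not text:
        return None
    m = re.fullmatch(r"(\d+)([smh])", text.strip())
    if not m:
        raise ValueError(f"unrecognised rotation period: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])

def _ts(text):
    """Parse an RFC 3339 timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def rotation_status(key_json, now=None):
    """Return (overdue, age): age of the primary version, and whether that
    age exceeds the key's rotation period. `now` may be an RFC 3339 string."""
    key = json.loads(key_json)
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    age = now - _ts(key["primary_version"]["created_at"])
    period = parse_period(key.get("rotation_period"))
    if period is None:
        return False, age  # automatic rotation disabled; nothing to compare against
    return age > period, age

if __name__ == "__main__":
    overdue, age = rotation_status(SAMPLE_KEY_JSON)
    print(f"primary version age {age}, rotation overdue: {overdue}")
```

Feed it the real `--format json` output of a key to spot keys whose automatic rotation has stalled or was never configured.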
Destroy a key
By destroying a key you also destroy all its versions. You cannot delete a key directly: the versions of a key marked for deletion change their status to Scheduled For Destruction for 3 days. During this time, your account will continue to be charged for these key versions. Before the 3 days expire, you can request technical support to restore a key and its versions.
Alert
3 days after the key is requested to be destroyed, the key and its versions are permanently destroyed: if you still have any data encrypted with this key, you can't decrypt the data.
To destroy a key:
- Log in to the management console.
- Select Key Management Service.
- In the row with the key you need, click and select Delete from the drop-down list.
- Confirm the deletion.
Run the command with the key ID or name specified:
yc kms symmetric-key delete example-key
Use the delete method for the SymmetricKey resource.