Get started
Yandex Key Management Service

Key management

Written by

You can use Key Management Service to create, rotate, and destroy symmetric encryption keys.

Create a key

To create a key:

  1. Log in to management console.
  2. Select Key Management Service.
  3. In the Keys tab, click Create and set the key attributes:
    • Any name and optional description.
    • Encryption algorithm, such as AES-256.
    • Rotation period (how often to change key versions).
    • Click Create.

The key is created along with its first version: click the key in the list to open the page with its attributes.

Run the command with the following parameters:

  • name: Key name.
  • default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
  • rotation-period: Key rotation period. To create a key without automatic rotation, don't specify the rotation-period parameter.
$ yc kms symmetric-key create \
  --name example-key \
  --default-algorithm aes-256 \
  --rotation-period 24h

The key is created along with its first version. It's specified in the primary_version field.

Use the create method for the SymmetricKey resource.

Change a key

After creating a key, you can change any of its attributes. If you change the encryption algorithm, the new algorithm is used starting with the next key version. To immediately create a new version and make it the default version, rotate the key.

To edit a key:

  1. Log in to management console.
  2. Select Key Management Service.
  3. In the Keys tab, click the key in the list to open the page with its attributes and click Edit.
  4. Change the key attributes and click Save.

Run the command with the following parameters:

  • name: Key name. If there are multiple keys with the same name in the folder, use the key ID.
  • new-name: New key name.
  • default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
  • rotation-period: Key rotation period. To disable automatic rotation for an updated key, don't specify the rotation-period parameter.
$ yc kms symmetric-key update \
  --name example-key \
  --new-name example-key-2 \
  --default-algorithm aes-128 \
  --rotation-period 48h

Use the update method for the SymmetricKey resource.

Rotate a key

When a key is rotated, a new version is generated and immediately set as the default version. You can set up automatic rotation, but you can also rotate a key manually at any time.

To rotate a key:

  1. Log in to management console.
  2. Select Key Management Service.
  3. In the Keys tab, click the key in the list to open the page with its attributes.
  4. Click Rotate and confirm the rotation (make sure that changing the default version doesn't affect your work).

Run the command with the key ID or name specified:

$ yc kms symmetric-key rotate example-key

Use the rotate method for the SymmetricKey resource.

Destroy a key

By destroying a key you also destroy all its versions. You can't destroy a key immediately: the key marked for destruction can be restored with its versions within 3 days by sending a request to technical support.

Alert

3 days after the key is requested to be destroyed, the key and its versions are permanently destroyed: if you still have any data encrypted with this key, you can't decrypt the data.

To destroy a key:

  1. Log in to management console.
  2. Select Key Management Service.
  3. In the Keys tab, click the key in the list to open the page with its attributes.
  4. Click Delete and confirm the destruction.

Run the command with the key ID or name specified:

$ yc kms symmetric-key delete example-key

Use the delete method for the SymmetricKey resource.

In this article: