© 2022 Yandex.Cloud LLC
Yandex Key Management Service

Key management

Written by
Yandex Cloud
  • Create a key
  • Edit a key
  • Rotate a key
  • Destroy a key

You can use Key Management Service to create, rotate, and destroy symmetric encryption keys.

Create a key

To create a key:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. Click Create and set the key attributes:
    • Any name and optional description.
    • Encryption algorithm, such as AES-256.
    • Rotation period (how often to change key versions).
  4. Click Create.

The key is created along with its first version: click the key in the list to open the page with its attributes.

CLI

Run the command with the following parameters:

  • name: Key name.
  • default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
  • rotation-period: Key rotation period. To create a key without automatic rotation, don't specify the rotation-period parameter.

yc kms symmetric-key create \
  --name example-key \
  --default-algorithm aes-256 \
  --rotation-period 24h

The key is created along with its first version, which is shown in the primary_version field of the output.

API

Use the create method for the SymmetricKey resource.

Edit a key

After creating a key, you can change any of its attributes. If you change the encryption algorithm, the new algorithm is used starting with the next key version. To immediately create a new version and make it the default version, rotate the key.

To edit a key:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the row with the key in question, open the key's menu and select Update from the drop-down list.
  4. Change the key attributes and click Save.

CLI

Run the command with the following parameters:

  • name: Key name. If there are multiple keys with the same name in the folder, use the key ID instead.
  • new-name: New key name.
  • default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
  • rotation-period: Key rotation period. To disable automatic rotation for an updated key, don't specify the rotation-period parameter.

yc kms symmetric-key update \
  --name example-key \
  --new-name example-key-2 \
  --default-algorithm aes-128 \
  --rotation-period 48h

API

Use the update method for the SymmetricKey resource.

Rotate a key

When a key is rotated, a new version is generated and immediately set as the default version. You can set up automatic rotation, but you can also rotate a key manually at any time.

To rotate a key:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the row with the key in question, open the key's menu and select Rotate from the drop-down list.
  4. Confirm the rotation (make sure that changing the default version will not affect your work).

CLI

Run the command with the key ID or name specified:

yc kms symmetric-key rotate example-key

API

Use the rotate method for the SymmetricKey resource.

Destroy a key

By destroying a key you also destroy all its versions. You cannot delete a key directly: the versions of a key marked for deletion change their status to Scheduled For Destruction for 3 days. During this time, your account will continue to be charged for these key versions. Before the 3 days expire, you can request technical support to restore a key and its versions.

Alert

3 days after the key is requested to be destroyed, the key and its versions are permanently destroyed: if you still have any data encrypted with this key, you can't decrypt the data.

To destroy a key:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the row with the key you need, open the key's menu and select Delete from the drop-down list.
  4. Confirm the deletion.

CLI

Run the command with the key ID or name specified:

yc kms symmetric-key delete example-key

API

Use the delete method for the SymmetricKey resource.
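Two states described above are easy to miss when reviewing keys: after Edit a key changes the algorithm, the primary version keeps the old algorithm until the key is rotated, and after Destroy a key the versions sit in Scheduled For Destruction for 3 days before they are gone for good. The following added example (not Yandex Cloud's own code) audits a key record and its version list for both conditions, plus missing or overdue rotation. The records are constructed; their field names (primary_version, default_algorithm, rotation_period, rotated_at, destroy_at, the status values) are an assumption modelled on the SymmetricKey and SymmetricKeyVersion resources as the CLI prints them with --format json, and all identifiers are placeholders.

```python
"""Audit Yandex KMS symmetric keys for pending algorithm changes, rotation
state and versions scheduled for destruction.

Added example, not Yandex Cloud's own code. Field names follow the
SymmetricKey / SymmetricKeyVersion resources in snake_case as assumed for
`yc ... --format json` output; identifiers and timestamps are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the key's default algorithm was changed with
# `yc kms symmetric-key update --default-algorithm aes-256`, but the key has
# not been rotated yet, so its primary version still uses AES-128.
SAMPLE_KEY_JSON = json.dumps({
    "id": "abj0000000000000key1",          # placeholder ID
    "name": "example-key",
    "status": "ACTIVE",
    "default_algorithm": "AES_256",
    "rotation_period": "86400s",
    "rotated_at": "2022-06-10T00:00:00Z",
    "primary_version": {
        "id": "abj000000000000ver2",        # placeholder ID
        "status": "ACTIVE",
        "algorithm": "AES_128",
        "created_at": "2022-06-10T00:00:00Z",
        "primary": True,
    },
})

# Constructed sample: the older version was scheduled for destruction and is
# permanently destroyed at destroy_at (3 days after the request).
SAMPLE_VERSIONS_JSON = json.dumps([
    {"id": "abj000000000000ver1", "status": "SCHEDULED_FOR_DESTRUCTION",
     "algorithm": "AES_128", "created_at": "2022-06-01T00:00:00Z",
     "primary": False, "destroy_at": "2022-06-12T09:00:00Z"},
    {"id": "abj000000000000ver2", "status": "ACTIVE",
     "algorithm": "AES_128", "created_at": "2022-06-10T00:00:00Z",
     "primary": True},
])

# Fixed "current time" so the audit is reproducible offline.
NOW = datetime(2022, 6, 10, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_duration(value):
    """Parse a protobuf-style duration string such as '86400s'."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration format: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def audit_key(key, versions, now):
    """Return a list of (finding, detail) tuples for one key and its versions.

    ALGORITHM_PENDING   default algorithm changed, primary version still uses
                        the old one; rotate the key to apply it immediately.
    NO_AUTO_ROTATION    key has no rotation period (created/updated without
                        --rotation-period).
    ROTATION_OVERDUE    last rotation plus the rotation period is in the past.
    PENDING_DESTRUCTION version will be destroyed; detail gives (id, hours left)
                        in which a restore can still be requested.
    """
    findings = []
    primary = key["primary_version"]
    if primary["algorithm"] != key["default_algorithm"]:
        findings.append(("ALGORITHM_PENDING",
                         f"{primary['algorithm']} -> {key['default_algorithm']}"))

    period = key.get("rotation_period")
    if not period:
        findings.append(("NO_AUTO_ROTATION", key["name"]))
    else:
        last = parse_ts(key.get("rotated_at") or primary["created_at"])
        due = last + parse_duration(period)
        if now > due:
            findings.append(("ROTATION_OVERDUE", due.isoformat()))

    for version in versions:
        if version["status"] == "SCHEDULED_FOR_DESTRUCTION":
            remaining = parse_ts(version["destroy_at"]) - now
            hours_left = int(remaining.total_seconds() // 3600)
            findings.append(("PENDING_DESTRUCTION", (version["id"], hours_left)))
    return findings


def audit_sample():
    """Run the audit over the constructed sample records."""
    return audit_key(json.loads(SAMPLE_KEY_JSON),
                     json.loads(SAMPLE_VERSIONS_JSON), NOW)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"{code}: {detail}")
```

On the sample the audit reports the pending AES-128 to AES-256 change and 45 hours left before version ver1 is destroyed; the primary version was rotated within its 24h period, so no rotation finding appears. Feed real output of yc kms symmetric-key get and yc kms symmetric-key list-versions (both with --format json) into audit_key to run it against your own folder.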
