
Key version control

Written by
Yandex Cloud

You can make key versions primary (a primary key version is used for encryption and decryption by default) and destroy them. To create a new key version, rotate the key.

Make a version primary

To make a version primary:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. Click the desired key in the list to open its attribute page.
  4. Click the icon in the row next to the desired version and select Make primary from the menu.

CLI

  1. Get a list of versions for the desired key:

    yc kms symmetric-key list-versions example-key
    

    Result:

    +----------------------+---------+--------+-----------+
    |          ID          | PRIMARY | STATUS | ALGORITHM |
    +----------------------+---------+--------+-----------+
    | abjhduu82ao0r0tkjlp2 | true    | ACTIVE | AES_128   |
    | abj8cvn99nam26f0f4a3 | false   | ACTIVE | AES_128   |
    | abjed9ciau8eatb0pg93 | false   | ACTIVE | AES_256   |
    | abjvejjvfktqc4hsqpss | false   | ACTIVE | AES_128   |
    +----------------------+---------+--------+-----------+
    
  2. Change the key version by specifying the ID of the desired version:

    yc kms symmetric-key set-primary-version example-key \
      --version-id abj8cvn99nam26f0f4a3
    

The next encryption or decryption request omitting the key version will use the new primary version.

Destroy a key version

You can't destroy a version immediately: you can only schedule its destruction (for the next day at least).

Alert

At the scheduled time and date, the key version is permanently destroyed: if you still have data encrypted with this key version, you can no longer decrypt it.

Management console

To destroy a version:

  1. Log in to the management console.
  2. Select Key Management Service.
  3. Click the desired key in the list to open its attribute page.
  4. Click the icon in the row next to the desired version and select Schedule destruction from the menu.

The version will change its status to Scheduled for destruction, and the Destruction date column will show the date destruction is scheduled for.

CLI

To destroy a version:

  1. Get a list of versions for the desired key:

    yc kms symmetric-key list-versions example-key
    

    Result:

    +----------------------+---------+--------+-----------+
    |          ID          | PRIMARY | STATUS | ALGORITHM |
    +----------------------+---------+--------+-----------+
    | abj8cvn99nam26f0f4a3 | true    | ACTIVE | AES_128   |
    | abjed9ciau8eatb0pg93 | false   | ACTIVE | AES_256   |
    | abjhduu82ao0r0tkjlp2 | false   | ACTIVE | AES_128   |
    | abjvejjvfktqc4hsqpss | false   | ACTIVE | AES_128   |
    +----------------------+---------+--------+-----------+
    
  2. Schedule the destruction of a version:

    yc kms symmetric-key schedule-version-destruction example-key \
      --version-id abjed9ciau8eatb0pg93
    

    The status of the version switches to SCHEDULED_FOR_DESTRUCTION and the destroy_at field shows the time when destruction is scheduled for.

Cancel version destruction

If you scheduled the destruction of a key version, you can cancel it before the scheduled date:

Management console

  1. Log in to the management console.
  2. Select Key Management Service.
  3. Click the desired key in the list to open its attribute page.
  4. Click the icon in the row next to the desired version and select Cancel destruction from the menu.

The version reverts to the ACTIVE status.

CLI

  1. Get a list of versions for the desired key:

    yc kms symmetric-key list-versions example-key
    

    Result:

    +----------------------+---------+---------------------------+-----------+
    |          ID          | PRIMARY |          STATUS           | ALGORITHM |
    +----------------------+---------+---------------------------+-----------+
    | abj8cvn99nam26f0f4a3 | true    | ACTIVE                    | AES_128   |
    | abjed9ciau8eatb0pg93 | false   | SCHEDULED_FOR_DESTRUCTION | AES_256   |
    | abjhduu82ao0r0tkjlp2 | false   | ACTIVE                    | AES_128   |
    | abjvejjvfktqc4hsqpss | false   | ACTIVE                    | AES_128   |
    +----------------------+---------+---------------------------+-----------+
    
  2. Cancel the destruction of a version:

    yc kms symmetric-key cancel-version-destruction example-key \
      --version-id abjed9ciau8eatb0pg93
    

    The version reverts to the ACTIVE status.
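Because a destroyed version makes its ciphertext unrecoverable, it helps to check the list-versions output before scheduling destruction and to review what is still pending while cancellation is possible. The script below is an added example, not part of the Yandex Cloud documentation; the function names are hypothetical, and refusing the primary version is a local policy assumed here, not a rule stated on this page.

```sh
#!/bin/sh
# Listing copied from the page: output of
# `yc kms symmetric-key list-versions example-key` with one version pending destruction.
SAMPLE_TABLE='+----------------------+---------+---------------------------+-----------+
|          ID          | PRIMARY |          STATUS           | ALGORITHM |
+----------------------+---------+---------------------------+-----------+
| abj8cvn99nam26f0f4a3 | true    | ACTIVE                    | AES_128   |
| abjed9ciau8eatb0pg93 | false   | SCHEDULED_FOR_DESTRUCTION | AES_256   |
| abjhduu82ao0r0tkjlp2 | false   | ACTIVE                    | AES_128   |
| abjvejjvfktqc4hsqpss | false   | ACTIVE                    | AES_128   |
+----------------------+---------+---------------------------+-----------+'

# Read the table on stdin; print "ID PRIMARY STATUS ALGORITHM" per version.
# Border lines contain no "|" and the header row is skipped by name.
version_rows() {
  awk -F'|' 'NF >= 6 {
    for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    if ($2 != "ID") print $2, $3, $4, $5
  }'
}

# ID of the version used when a request omits the key version.
primary_version() { version_rows | awk '$2 == "true" { print $1 }'; }

# IDs that will be permanently destroyed unless destruction is cancelled.
pending_destruction() {
  version_rows | awk '$3 == "SCHEDULED_FOR_DESTRUCTION" { print $1 }'
}

# Usage: check_destroy_target VERSION_ID < table
# Returns 0 only for a known, non-primary, ACTIVE version (local policy).
check_destroy_target() {
  version_rows | awk -v id="$1" '
    $1 == id {
      found = 1
      if ($2 == "true")   { print "refuse: primary version"; exit 2 }
      if ($3 != "ACTIVE") { print "refuse: status " $3; exit 3 }
      print "ok"; exit 0
    }
    END { if (!found) { print "refuse: unknown version"; exit 4 } }'
}

# Demo over the sample listing: one verdict per version.
for id in $(printf '%s\n' "$SAMPLE_TABLE" | version_rows | cut -d' ' -f1); do
  verdict=$(printf '%s\n' "$SAMPLE_TABLE" | check_destroy_target "$id" || true)
  printf '%s: %s\n' "$id" "$verdict"
done
```

Against a live key, pipe the output of `yc kms symmetric-key list-versions example-key` into `check_destroy_target` and run `schedule-version-destruction` only when it returns 0.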
