Key version control
You can make key versions primary (a primary key version is used for encryption and decryption by default) and destroy them. To create a new key version, rotate the key.
Make a version primary
To make a version primary:
- Log in to the management console.
- Select Key Management Service.
- Click the desired key in the list to open its attribute page.
- Click the
-
Get a list of versions for the desired key:
yc kms symmetric-key list-versions example-key
Result:
+----------------------+---------+--------+-----------+ | ID | PRIMARY | STATUS | ALGORITHM | +----------------------+---------+--------+-----------+ | abjhduu82ao0r0tkjlp2 | true | ACTIVE | AES_128 | | abj8cvn99nam26f0f4a3 | false | ACTIVE | AES_128 | | abjed9ciau8eatb0pg93 | false | ACTIVE | AES_256 | | abjvejjvfktqc4hsqpss | false | ACTIVE | AES_128 | +----------------------+---------+--------+-----------+
-
Change the key version by specifying the ID of the desired version:
yc kms symmetric-key set-primary-version example-key-1 \ --version-id abj8cvn99nam26f0f4a3
The next encryption or decryption request omitting the key version will use the new primary version.
Destroy a key version
You can't destroy a version immediately: you can only schedule its destruction (for the next day at least).
Alert
At the scheduled time and date, the key version is permanently destroyed: if you still have data encrypted with this key version, you can no longer decrypt it.
To destroy a version:
- Log in to the management console.
- Select Key Management Service.
- Click the desired key in the list to open its attribute page.
- Click the
The version will change its status to Scheduled for destruction
, and the Destruction date column will show the date destruction is scheduled for.
To destroy a version:
-
Get a list of versions for the desired key:
yc kms symmetric-key list-versions example-key
Result:
+----------------------+---------+--------+-----------+ | ID | PRIMARY | STATUS | ALGORITHM | +----------------------+---------+--------+-----------+ | abj8cvn99nam26f0f4a3 | true | ACTIVE | AES_128 | | abjed9ciau8eatb0pg93 | false | ACTIVE | AES_256 | | abjhduu82ao0r0tkjlp2 | false | ACTIVE | AES_128 | | abjvejjvfktqc4hsqpss | false | ACTIVE | AES_128 | +----------------------+---------+--------+-----------+
-
Schedule the destruction of a version:
yc kms symmetric-key schedule-version-destruction example-key \ --version-id abjed9ciau8eatb0pg93
The status of the version switches to
SCHEDULED_FOR_DESTRUCTION
and thedestroy_at
field shows the time when destruction is scheduled for.
Cancel version destruction
If you scheduled the destruction of a key version, you can cancel it before the scheduled date:
- Log in to the management console.
- Select Key Management Service.
- Click the desired key in the list to open its attribute page.
- Click the
The version reverts to the ACTIVE
status.
-
Get a list of versions for the desired key:
yc kms symmetric-key list-versions example-key
Result:
+----------------------+---------+---------------------------+-----------+ | ID | PRIMARY | STATUS | ALGORITHM | +----------------------+---------+---------------------------+-----------+ | abj8cvn99nam26f0f4a3 | true | ACTIVE | AES_128 | | abjed9ciau8eatb0pg93 | false | SCHEDULED_FOR_DESTRUCTION | AES_256 | | abjhduu82ao0r0tkjlp2 | false | ACTIVE | AES_128 | | abjvejjvfktqc4hsqpss | false | ACTIVE | AES_128 | +----------------------+---------+---------------------------+-----------+
-
Cancel the destruction of a version:
yc kms symmetric-key cancel-version-destruction example-key \ --version-id abjed9ciau8eatb0pg93
The version reverts to the
ACTIVE
status.