Key version management
You can make a key version primary (the primary version is the one used by default for encryption and decryption requests that do not specify a version) and destroy versions you no longer need. To create a new key version, rotate the key.
Make a version primary
To make a version primary:
- Log in to the management console.
- Select Key Management Service.
- In the Keys tab, click the key in the list to open the page with its attributes.
- In the line of the desired version, open the menu and select Make primary.
To make a version primary using the CLI:
- Get a list of versions for the desired key:
$ yc kms symmetric-key list-versions example-key
+----------------------+---------+--------+-----------+
|          ID          | PRIMARY | STATUS | ALGORITHM |
+----------------------+---------+--------+-----------+
| abjhduu82ao0r0tkjlp2 | true    | ACTIVE | AES_128   |
| abj8cvn99nam26f0f4a3 | false   | ACTIVE | AES_128   |
| abjed9ciau8eatb0pg93 | false   | ACTIVE | AES_256   |
| abjvejjvfktqc4hsqpss | false   | ACTIVE | AES_128   |
+----------------------+---------+--------+-----------+
- Change the primary version by specifying the ID of the desired version:
$ yc kms symmetric-key set-primary-version example-key \
    --version-id abj8cvn99nam26f0f4a3
The next encryption or decryption request that does not specify a key version uses the new primary version.
Destroy a key version
You cannot destroy a version immediately: you can only schedule its destruction, at the earliest for the next day.
Alert
On the scheduled date the key version is permanently destroyed. Any data still encrypted with this version can no longer be decrypted, so before scheduling destruction confirm that no ciphertext depends on it (re-encrypt such data with the current primary version first).
To destroy a version:
- Log in to the management console.
- Select Key Management Service.
- In the Keys tab, click the key in the list to open the page with its attributes.
- In the line of the desired version, open the menu and select Schedule destruction.
The version switches to the Scheduled For Destruction status. The day destruction is scheduled for is shown in the Destruction date column.
To destroy a version using the CLI:
- Get a list of versions for the desired key:
$ yc kms symmetric-key list-versions example-key
+----------------------+---------+--------+-----------+
|          ID          | PRIMARY | STATUS | ALGORITHM |
+----------------------+---------+--------+-----------+
| abj8cvn99nam26f0f4a3 | true    | ACTIVE | AES_128   |
| abjed9ciau8eatb0pg93 | false   | ACTIVE | AES_256   |
| abjhduu82ao0r0tkjlp2 | false   | ACTIVE | AES_128   |
| abjvejjvfktqc4hsqpss | false   | ACTIVE | AES_128   |
+----------------------+---------+--------+-----------+
- Schedule the destruction of a version (not the primary one):
$ yc kms symmetric-key schedule-version-destruction example-key \
    --version-id abjed9ciau8eatb0pg93
The status of the version switches to SCHEDULED_FOR_DESTRUCTION and the destroy_at field shows the time destruction is scheduled for.
Cancel version destruction
If you scheduled the destruction of a key version, you can cancel it before the scheduled date:
- Log in to the management console.
- Select Key Management Service.
- In the Keys tab, click the key in the list to open the page with its attributes.
- In the line of the desired version, open the menu and select Cancel destruction.
The version reverts to the Active status.
To cancel version destruction using the CLI:
- Get a list of versions for the desired key:
$ yc kms symmetric-key list-versions example-key
+----------------------+---------+---------------------------+-----------+
|          ID          | PRIMARY |          STATUS           | ALGORITHM |
+----------------------+---------+---------------------------+-----------+
| abj8cvn99nam26f0f4a3 | true    | ACTIVE                    | AES_128   |
| abjed9ciau8eatb0pg93 | false   | SCHEDULED_FOR_DESTRUCTION | AES_256   |
| abjhduu82ao0r0tkjlp2 | false   | ACTIVE                    | AES_128   |
| abjvejjvfktqc4hsqpss | false   | ACTIVE                    | AES_128   |
+----------------------+---------+---------------------------+-----------+
- Cancel the destruction of a version:
$ yc kms symmetric-key cancel-version-destruction example-key \
    --version-id abjed9ciau8eatb0pg93
The version reverts to the ACTIVE status.
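The three CLI procedures above (make primary, schedule destruction, cancel destruction) share one failure mode: the command is accepted by your shell regardless of what state the target version is in, and a mistaken schedule-version-destruction on the wrong ID is only reversible until the scheduled date. The following pre-flight guard is an added example written for this page; it is not part of the yc CLI or of the Yandex Cloud documentation. It assumes that `yc kms symmetric-key list-versions <key> --format json` returns a JSON list whose entries carry `id`, `status`, `algorithm`, a `primary` flag on the primary version and `destroy_at` on versions scheduled for destruction (the sample below is constructed to that assumed shape, not captured from a real key), and it only builds the set-primary-version, schedule-version-destruction and cancel-version-destruction commands when the version's current status makes the operation meaningful. The refusal rules are the guard's own local policy, not a statement of what the service enforces.

```python
"""Pre-flight guard for yc kms symmetric-key version operations.

Parses the output of
    yc kms symmetric-key list-versions <key> --format json
and builds the version-management commands from this page only when the
target version is in a state the operation makes sense for.
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample in the assumed shape of `--format json` output
# (fields id/status/algorithm/primary/destroy_at); not captured from a real key.
# Only the primary version carries "primary": true; destroy_at is present only
# on versions scheduled for destruction.
SAMPLE_LIST_VERSIONS_JSON = """
[
  {"id": "abj8cvn99nam26f0f4a3", "status": "ACTIVE", "algorithm": "AES_128", "primary": true},
  {"id": "abjed9ciau8eatb0pg93", "status": "SCHEDULED_FOR_DESTRUCTION", "algorithm": "AES_256",
   "destroy_at": "2025-01-02T10:00:00Z"},
  {"id": "abjhduu82ao0r0tkjlp2", "status": "ACTIVE", "algorithm": "AES_128"},
  {"id": "abjvejjvfktqc4hsqpss", "status": "ACTIVE", "algorithm": "AES_128"}
]
"""

CLI = ["yc", "kms", "symmetric-key"]


def parse_versions(text):
    """Map version ID -> version record from list-versions JSON output."""
    return {v["id"]: v for v in json.loads(text)}


def _lookup(versions, version_id):
    version = versions.get(version_id)
    if version is None:
        raise ValueError(f"version {version_id} does not belong to this key")
    return version


def plan_set_primary(versions, key, version_id):
    """Command to make version_id primary; only an ACTIVE, non-primary version qualifies."""
    version = _lookup(versions, version_id)
    if version.get("primary", False):
        raise ValueError(f"{version_id} is already the primary version")
    if version["status"] != "ACTIVE":
        raise ValueError(f"{version_id} is {version['status']}, not ACTIVE; refusing to make it primary")
    return CLI + ["set-primary-version", key, "--version-id", version_id]


def plan_schedule_destruction(versions, key, version_id):
    """Command to schedule destruction; never for the primary version, never twice."""
    version = _lookup(versions, version_id)
    if version.get("primary", False):
        raise ValueError(f"{version_id} is the primary version; make another version primary first")
    if version["status"] != "ACTIVE":
        raise ValueError(f"{version_id} is {version['status']}; nothing to schedule")
    return CLI + ["schedule-version-destruction", key, "--version-id", version_id]


def plan_cancel_destruction(versions, key, version_id):
    """Command to cancel a scheduled destruction; only valid while it is still pending."""
    version = _lookup(versions, version_id)
    if version["status"] != "SCHEDULED_FOR_DESTRUCTION":
        raise ValueError(f"{version_id} is {version['status']}; no destruction to cancel")
    return CLI + ["cancel-version-destruction", key, "--version-id", version_id]


def _parse_rfc3339(text):
    # datetime.fromisoformat accepts "Z" only from Python 3.11 on; normalise it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def pending_destructions(versions, now_rfc3339):
    """(version_id, seconds until destroy_at) for every version that can still be cancelled."""
    now = _parse_rfc3339(now_rfc3339)
    pending = []
    for version in versions.values():
        if version["status"] != "SCHEDULED_FOR_DESTRUCTION":
            continue
        remaining = (_parse_rfc3339(version["destroy_at"]) - now).total_seconds()
        pending.append((version["id"], remaining))
    return sorted(pending, key=lambda item: item[1])


def guard_error(planner, versions, key, version_id):
    """Refusal message the planner would raise, or None if it would allow the command."""
    try:
        planner(versions, key, version_id)
    except ValueError as exc:
        return str(exc)
    return None


def run(cmd, dry_run=True):
    """Print the command; execute it through the yc CLI only when explicitly asked."""
    print(" ".join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Live use: feed the stdout of `yc kms symmetric-key list-versions <key> --format json` instead.
    versions = parse_versions(SAMPLE_LIST_VERSIONS_JSON)
    run(plan_set_primary(versions, "example-key", "abjhduu82ao0r0tkjlp2"))
    run(plan_cancel_destruction(versions, "example-key", "abjed9ciau8eatb0pg93"))
    for version_id, seconds in pending_destructions(versions, datetime.now(timezone.utc).isoformat()):
        print(f"{version_id}: destruction in {seconds / 86400:.1f} days")
```

Run it as-is to see the commands it would issue against the constructed sample; replace the sample with the real list-versions output and call `run(..., dry_run=False)` once the printed command is the one you intended. Keeping the refusal checks in pure functions means the same logic can gate a CI job that rotates keys and retires old versions without a human reading the table by eye.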