Encryption in Object Storage
When using Yandex Object Storage, make sure critical data is encrypted.
Recommended approach: Object Storage bucket encryption using Yandex Key Management Service keys (server-side encryption). This encryption method protects against the accidental or intentional publication of bucket contents on the internet.
Alert
Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as destroying all data encrypted with that key.
Server-side encryption uses keys stored in Yandex Key Management Service. A KMS key that you have created is specified in the bucket settings; it is then used to encrypt all new objects in the bucket, and a key can also be specified when uploading an individual object via the API.
Objects are encrypted before they are saved to the bucket and decrypted when you download them from it. By default, encryption applies only to new objects; objects uploaded before encryption was enabled remain as they were.
To decrypt an object, the user must have both the storage.editor role and the kms.keys.encrypterDecrypter role, which allows reading the encryption key.
In addition to Yandex Key Management Service key-based encryption, you can use the following approaches:
- Integration of Object Storage with Key Management Service for data encryption at the application level (client-side encryption). For more information, see Recommended cryptographic libraries.
- Encrypting data at the application level with third-party libraries before sending it to Object Storage. When using third-party libraries and your own key management, make sure that the overall scheme, the algorithms used and the key lengths meet the requirements of regulators.
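Because enabling bucket encryption leaves earlier objects untouched, a practitioner wants to verify the bucket default and then each object. The following is an added example, not code from the Yandex docs: it checks the dicts that boto3 returns for the S3-compatible GetBucketEncryption and HeadObject calls (assumed to carry the standard SSE-KMS fields), with constructed sample responses and a placeholder key ID.

```python
"""Offline audit of Object Storage SSE-KMS settings. Added example; the
sample responses are constructed and EXPECTED_KEY_ID is a placeholder."""

EXPECTED_KEY_ID = "<kms-key-id-placeholder>"  # placeholder, not a real key ID


def sse_kms_upload_args(key_id: str) -> dict:
    """ExtraArgs for boto3 upload_file/put_object so that an object is written
    under a specific KMS key even if the bucket default were missing."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": key_id}


def bucket_encryption_ok(cfg: dict, expected_key_id: str) -> tuple:
    """Check a GetBucketEncryption response for SSE-KMS with the expected key.
    Returns (ok, reason); no rule, another algorithm or another key all fail."""
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "no default encryption rule on bucket"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo, key_id = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
        if algo != "aws:kms":
            return False, "algorithm is %r, not 'aws:kms'" % algo
        if key_id != expected_key_id:
            return False, "bucket key %r differs from expected key" % key_id
    return True, "sse-kms with expected key"


def object_encrypted(head: dict, expected_key_id: str) -> bool:
    """Per-object check: enabling bucket encryption leaves objects uploaded
    earlier unchanged, so the bucket setting alone proves nothing for them."""
    return (head.get("ServerSideEncryption") == "aws:kms"
            and head.get("SSEKMSKeyId") == expected_key_id)


def find_unencrypted(heads: dict, expected_key_id: str) -> list:
    """Names of objects (HeadObject responses keyed by object name) that are
    not encrypted with the expected KMS key."""
    return sorted(k for k, h in heads.items()
                  if not object_encrypted(h, expected_key_id))


# Constructed sample responses: a correctly configured bucket, one object
# written after encryption was enabled and one legacy object that predates it.
SAMPLE_BUCKET_CFG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": EXPECTED_KEY_ID}}]}}
SAMPLE_HEADS = {
    "reports/2024.csv": {"ServerSideEncryption": "aws:kms",
                         "SSEKMSKeyId": EXPECTED_KEY_ID, "ContentLength": 10},
    "legacy/old.csv": {"ContentLength": 7},  # uploaded before encryption
}
```

In a real audit, feed `get_bucket_encryption()` and one `head_object()` result per key from `list_objects_v2()` into these functions; the legacy objects they report need re-uploading to become encrypted.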