Encryption in Object Storage
When using Yandex Object Storage, make sure that critical data is encrypted.
We recommend encrypting Object Storage buckets using Yandex Key Management Service keys (server-side encryption). This encryption method protects against accidental or intentional publication of the bucket content on the web.
Alert
Data in Object Storage is encrypted using envelope encryption, meaning that deleting a key is the same as destroying all data encrypted with that key.
Server-side encryption uses keys stored in Key Management Service. The KMS key you create is specified in the bucket settings and is then used to encrypt all new objects; a key can also be specified when uploading an individual object via the API.
Objects are encrypted before you save them to a bucket and decrypted when you download them from the bucket. By default, encryption applies to all new objects, while previously uploaded ones remain unchanged.
To be able to encrypt, a bucket user must have both the storage.configurer role and the kms.keys.encrypter role, which grants access to the key. To decrypt objects, the user needs the storage.configurer and kms.keys.decrypter roles to read the encryption key.
For more information, see Key Management Service service roles.
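Two points above matter operationally: a key set on the bucket protects only objects uploaded after it was set, and encryption can be requested per upload via the API. The following Python is an added example, not code from the Yandex documentation: it builds SSE-KMS upload parameters and audits a bucket for objects that are not protected by the expected key. It assumes a boto3-style S3 client against the Object Storage endpoint and that the API reports the encryption headers as the `ServerSideEncryption` and `SSEKMSKeyId` response fields; key IDs are placeholders.

```python
# Added example, not code from the Yandex documentation: audit an Object Storage
# bucket through its S3-compatible API for objects that are not protected by
# SSE-KMS with the expected key. Assumptions: `client` behaves like a boto3 S3
# client built against the storage endpoint, and the API reports the encryption
# headers as the response fields ServerSideEncryption and SSEKMSKeyId.
from typing import Any, Dict, List, Optional, Tuple

SSE_KMS = "aws:kms"


def put_object_params(bucket: str, key: str, body: bytes, kms_key_id: str) -> Dict[str, Any]:
    """Parameters for client.put_object(**params) that request SSE-KMS with one key.
    A bucket-level key only covers objects uploaded after it was set, so asking for
    encryption explicitly on every upload is the safer client-side default."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": SSE_KMS, "SSEKMSKeyId": kms_key_id}


def classify_object(key: str, head: Dict[str, Any],
                    expected_kms_key_id: Optional[str]) -> Optional[Tuple[str, str]]:
    """Inspect a head_object response; return (key, reason) if not protected as expected."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return key, "not server-side encrypted"
    if sse != SSE_KMS:
        return key, f"unexpected encryption mode {sse}"
    if expected_kms_key_id and head.get("SSEKMSKeyId") != expected_kms_key_id:
        return key, f"encrypted with a different KMS key: {head.get('SSEKMSKeyId')}"
    return None


def audit_bucket_encryption(client: Any, bucket: str,
                            expected_kms_key_id: Optional[str] = None) -> List[Tuple[str, str]]:
    """Walk every object in the bucket (following pagination) and collect findings.
    Objects uploaded before encryption was enabled on the bucket show up here,
    because enabling it does not re-encrypt existing objects."""
    findings: List[Tuple[str, str]] = []
    kwargs: Dict[str, Any] = {"Bucket": bucket}
    while True:
        page = client.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = client.head_object(Bucket=bucket, Key=obj["Key"])
            finding = classify_object(obj["Key"], head, expected_kms_key_id)
            if finding is not None:
                findings.append(finding)
        if not page.get("IsTruncated"):
            return findings
        kwargs["ContinuationToken"] = page["NextContinuationToken"]
```

Run the audit once after enabling bucket encryption and re-upload (or copy in place) any object it reports, since the bucket setting does not touch existing objects.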
In addition to Key Management Service key-based encryption, you can also use the following approaches:
- Integrating Object Storage with Key Management Service for client-side encryption. For more information, see Recommended cryptographic libraries.
- Using third-party client-side encryption libraries before sending data to Object Storage. If you use third-party encryption libraries and your own key management methods, make sure your operating model, algorithms, and key sizes comply with the applicable regulatory requirements.