Yandex Key Management Service

A service for managing cryptographic keys. Use keys to protect the secrets, personal data, and sensitive information you store in the cloud.

Get started Documentation

Key management

Create and delete keys, set up access policies, and perform rotation via the management console, CLI, or API.

Data encryption

Yandex KMS implements symmetric and asymmetric cryptography. Use the REST or rpc API to encrypt and decrypt small amounts of data, such as secrets and local encryption keys, as well as to sign data using e-signature schemes.

Access control and security

You manage access to encrypted data, and Yandex KMS ensures the reliability and physical security of keys. Hardware Security Modules (HSMs) are available.

SDK integration

Encrypt small amounts of data using the SDK in Java or Go. To encrypt larger amounts of data, the service is integrated with popular encryption libraries, including the AWS Encryption SDK and Google Tink.

Audit key actions

Verify access to encrypted data via key logs. Yandex KMS registers all API requests, including actions for managing keys and using keys to encrypt and decrypt data.

Integration with other services

Integration with Yandex Lockbox makes it possible to encrypt secrets with your own keys. Secrets and data can also be protected using encryption keys in Managed Service for Kubernetes.

Getting started

Encrypt your secrets with Yandex Managed Service for Kubernetes using a KMS key. To do this, create a KMS key and use it when creating a Kubernetes cluster.

Create a key

Questions and answers

What is a cryptographic key?

A key is a set of versions, each of which defines an algorithm and cryptographic material for data encryption or decryption operations. The key is created along with its first version, which becomes the primary one. It’s used by default in key operations unless you specify a different version in the input parameters.

Documentation

What encryption scheme is used in Key Management Service?

The service implements symmetric and asymmetric encryption.

In the case of symmetric encryption, the same (symmetric) key is used for both encryption and decryption. KMS uses AES with a key length of 128, 192 or 256 bits in GCM mode.

Asymmetric encryption uses the RSA cryptosystem with key lengths of 2048, 3072 and 4096 bits and the SHA256 hash algorithm. For e-signatures, the KMS service provides the ECDSA and RSA cryptographic algorithms.

Documentation

How are encryption and decryption implemented on asymmetric keys?

Key Management Service allows you to upload a public key so that it can be used to distribute and encrypt data on the client side or verify a generated electronic signature.

Decryption of data encrypted with a public key and data signed using e-signature schemes is performed on a private key in the Key Management Service. Direct access to the private key and its extraction from the service are not allowed.

Documentation

How much data can I encrypt?

What are the options for additional protection?

Get started with Key Management Service

Console Documentation

Useful links

Ask a question

Pricing

Yandex Key Management Service

Key management

Data encryption

Access control and security

SDK integration

Audit key actions

Integration with other services

Getting started

Questions and answers

What is a cryptographic key?

What encryption scheme is used in Key Management Service?

How are encryption and decryption implemented on asymmetric keys?

How much data can I encrypt?

What are the options for additional protection?

Get started with Key Management Service

Useful links

Services and resources

Why Yandex Cloud

Company

Contacts