Yandex project
© 2025 Yandex.Cloud LLC

In this article:

  • Encryption options
  • Using custom keys
  • See also

Encryption in Compute Cloud

Written by
Yandex Cloud
Updated at March 4, 2025

By default, all data on Compute Cloud disks is encrypted at rest in the storage layer with a platform-managed system key. This protects your data if physical disks are stolen from a Yandex Cloud data center, but it does not by itself protect against access through the virtual infrastructure. For more information, see Data protection.

We also recommend encrypting disks, snapshots, and images using custom Yandex Key Management Service symmetric keys. This approach allows you to:

  • Protect against isolation breaches and data compromise at the virtual infrastructure level: data encrypted with your key is readable only by callers that are allowed to use that key.
  • Control the lifecycle of the KMS keys yourself (rotation, deactivation, destruction). See Key management.
  • Tighten access control for a disk by additionally requiring permissions on the KMS key. See Configuring access permissions for a symmetric encryption key.
  • Audit every encryption and decryption operation performed with your KMS key in Yandex Audit Trails. See Key usage audit.

You can encrypt the following types of disks:

  • Network SSD (network-ssd)
  • Network HDD (network-hdd)
  • Non-replicated SSD (network-ssd-nonreplicated)
  • Ultra high-speed network storage with three replicas (SSD) (network-ssd-io-m3)

For more details, see Disk types.

Warning

You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.

In Compute Cloud, encryption is available from the management console, CLI, and API.

Encryption options

The table below lists the ways you can create encrypted Compute Cloud resources and which KMS symmetric key each operation must use ("Any" means you choose the key; otherwise the key of the source resource is used):

Target resource        Source resource        Key            Note
Empty encrypted disk   —                      Any            See Creating an empty disk.
Encrypted disk         Unencrypted image      Any            See Recovering a disk from an image. This is also the route for encrypting data that is already on an unencrypted disk or snapshot: build an unencrypted image from it, then create an encrypted disk from that image.
Encrypted disk         Encrypted image        Image key      See Recovering a disk from an image. You can also use an encrypted image to create a copy of an encrypted disk.
Encrypted disk         Unencrypted snapshot   Any            See Recovering a disk from a snapshot.
Encrypted disk         Encrypted snapshot     Snapshot key   See Recovering a disk from a snapshot.
Encrypted image        Encrypted disk         Disk key       See Creating an image from a disk.
Encrypted snapshot     Encrypted disk         Disk key       See Creating a disk snapshot.

In short, derived resources inherit the key of their source: an image or snapshot taken from an encrypted disk is encrypted with that disk's key, and a disk restored from an encrypted image or snapshot must use the source's key. You can pick the key freely only when there is no source or the source is unencrypted.

Using custom keys

Using custom KMS keys for disk, image, and snapshot encryption gives you more granular control over access to the encrypted data: you can create separate keys for specific users or tasks, and deactivate or destroy a specific key when it is no longer needed.

If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data is suspended until you reactivate the key. Because starting or restarting a VM with an encrypted disk requires using the key, such VMs cannot be started while the key is inactive.

Alert

If you destroy the key, or the specific key version, used to encrypt a disk, image, or snapshot, access to the data is irrevocably lost. Before scheduling destruction of a key version, check which disks, images, and snapshots still depend on it. For details, see Destroying key versions.

To use encryption in Compute Cloud, the account performing the operation must have the kms.keys.user or kms.admin role for the key used for encryption. These roles are required for the following operations:

  • Create an encrypted disk.
  • Create a VM with an encrypted disk.
  • Attach an encrypted disk to an existing VM.
  • Start and restart a VM with an encrypted disk.

For more information, see Access management.
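The following Terraform configuration for the yandex provider is an added example, not code from this page or from Yandex Cloud, that ties together the rules above: a customer-managed key, the kms.keys.user binding for the account that will use the disk, an unencrypted disk next to its encrypted counterpart, a snapshot that inherits the disk key, and a restore that must reuse the snapshot's key. Resource and argument names (in particular kms_key_id on yandex_compute_disk, the AES_256 algorithm name, and the zone) are assumptions to verify against the Terraform reference before applying.

```hcl
# Added example (not from the Yandex Cloud page). Argument names such as
# kms_key_id, default_algorithm values and the zone are assumptions;
# check them against the provider's Terraform reference.

terraform {
  required_providers {
    yandex = { source = "yandex-cloud/yandex" }
  }
}

provider "yandex" {
  zone = "ru-central1-a" # assumed zone
}

# 1. Customer-managed symmetric key. Rotation adds key versions; destroying
#    a version that still encrypts a disk makes that disk unreadable, so the
#    key itself is protected from accidental `terraform destroy`.
resource "yandex_kms_symmetric_key" "disk_key" {
  name              = "compute-disk-key"
  default_algorithm = "AES_256"
  rotation_period   = "8760h" # yearly rotation

  lifecycle {
    prevent_destroy = true
  }
}

# 2. The service account that will create and start VMs with the disk.
#    Compute permissions alone are not enough: it needs kms.keys.user on
#    the key, otherwise creating, attaching or starting fails.
resource "yandex_iam_service_account" "vm_runner" {
  name = "vm-runner"
}

resource "yandex_kms_symmetric_key_iam_binding" "disk_key_user" {
  symmetric_key_id = yandex_kms_symmetric_key.disk_key.id
  role             = "kms.keys.user"
  members          = ["serviceAccount:${yandex_iam_service_account.vm_runner.id}"]
}

# 3a. Weak: relies only on the platform system key.
resource "yandex_compute_disk" "plain" {
  name = "data-plain"
  type = "network-ssd"
  size = 20 # GB
}

# 3b. Hardened: the same disk encrypted with the custom key. Encryption is
#     fixed at creation; changing kms_key_id later means a new disk.
resource "yandex_compute_disk" "encrypted" {
  name       = "data-encrypted"
  type       = "network-ssd"
  size       = 20
  kms_key_id = yandex_kms_symmetric_key.disk_key.id

  depends_on = [yandex_kms_symmetric_key_iam_binding.disk_key_user]
}

# 4. A snapshot of an encrypted disk is encrypted with the disk's key;
#    there is no key to choose here.
resource "yandex_compute_snapshot" "encrypted_snap" {
  name           = "data-encrypted-snap"
  source_disk_id = yandex_compute_disk.encrypted.id
}

# 5. Restoring from an encrypted snapshot must use the snapshot's key, so
#    the same key is referenced rather than a different one.
resource "yandex_compute_disk" "restored" {
  name        = "data-restored"
  type        = "network-ssd"
  snapshot_id = yandex_compute_snapshot.encrypted_snap.id
  kms_key_id  = yandex_kms_symmetric_key.disk_key.id
}
```

The IAM binding is placed before the encrypted disk via depends_on so that the first apply does not race the key permission; if you later deactivate disk_key, the restored disk and any VM using the encrypted disk stop being startable until the key is reactivated.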

See also

  • Data encryption and key and secret management
