Yandex project
© 2025 Yandex.Cloud LLC

In this article:

  • Key parameters
  • Using a symmetric key
  • Deleting a key
  • Use cases

Symmetric key in KMS

Written by
Yandex Cloud
Updated at March 31, 2025

A symmetric key is a set of versions, each of which defines an algorithm and cryptographic material for data encryption or decryption operations.
A symmetric key is created along with its first version, which becomes the primary one. The primary version is used by default in key operations unless you specify a different version in the input parameters.
When rotating keys, the parameters of new versions are inherited from the key parameters.

You can change the primary version of the symmetric key at any time by specifying any previous version. For additional security of your data, rotate keys on a regular basis and only use previous versions to decrypt data. This limits the lifetime of cryptographic material.

Key parameters

A KMS symmetric key may have the following parameters:

  • ID: Unique key identifier in Yandex Cloud. It is used for working with keys via the SDK, API, and CLI.

  • Name: Non-unique key name. It can be used to work with keys in the CLI if the folder only contains a single key with this name.

  • Encryption algorithm: The algorithm to be used for encryption in new versions of the key. The following symmetric encryption algorithms are supported in GCM mode:

    • AES-128: AES algorithm with 128-bit keys.
    • AES-192: AES algorithm with 192-bit keys.
    • AES-256: AES algorithm with 256-bit keys.
    • AES-256 HSM: AES algorithm with 256-bit keys. Encryption keys are created and cryptographic operations handled in a Hardware Security Module (HSM).
  • Rotation period: Time span between automatic key rotations.

  • Deletion protection: Prevents accidental key deletion. When enabled, you cannot delete the key without disabling this option first.

  • Status: Current state of the key. The following statuses are possible:

    • Creating: Key is being created.
    • Active: Key can be used for encryption and decryption.
    • Inactive: Key cannot be used.

    You can change the key status from Active to Inactive and vice versa using the update method.

Using a symmetric key

You can use a symmetric key in data encryption and decryption operations if you have the appropriate roles assigned. You can temporarily disable operations with a key by revoking roles or changing its status to Inactive. For more information, see Access management in Key Management Service.

Deleting a key

If you delete a key or its parent resource (folder or cloud), this destroys the cryptographic material contained in it. After that, you will not be able to decrypt the data encrypted with that key.
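The parameters above can be checked mechanically across a folder's keys. The following is an added example, not code from Yandex Cloud: it audits key records for status, rotation period, and deletion protection. It assumes the records use the camelCase field names of the KMS API's JSON representation (`status`, `rotationPeriod`, `deletionProtection`, `primaryVersion`); the 90-day threshold and the sample records are constructed for illustration.

```python
import re

# Hypothetical policy threshold (an assumption, not a KMS requirement).
MAX_ROTATION_DAYS = 90

def rotation_days(period):
    """Parse a duration string such as "2592000s" into days; None if unset."""
    if not period:
        return None
    m = re.fullmatch(r"(\d+)(?:\.\d+)?s", period)
    if not m:
        raise ValueError(f"unexpected duration: {period!r}")
    return int(m.group(1)) / 86400

def audit_key(key):
    """Return a list of findings for one key record (field names are assumed)."""
    findings = []
    status = key.get("status", "STATUS_UNSPECIFIED")
    if status != "ACTIVE":
        findings.append(f"status is {status}, not ACTIVE")
    days = rotation_days(key.get("rotationPeriod"))
    if days is None:
        findings.append("no rotation period set: no automatic rotation")
    elif days > MAX_ROTATION_DAYS:
        findings.append(f"rotation period {days:.0f}d exceeds {MAX_ROTATION_DAYS}d")
    # A boolean that is false may be omitted from the JSON, so default to False.
    if not key.get("deletionProtection", False):
        findings.append("deletion protection is off")
    if not key.get("primaryVersion"):
        findings.append("no primary version reported")
    return findings

# Constructed sample records, not real keys.
SAMPLE_KEYS = [
    {"id": "key-a", "name": "app-data", "status": "ACTIVE",
     "defaultAlgorithm": "AES_256", "rotationPeriod": "2592000s",
     "deletionProtection": True, "primaryVersion": {"id": "ver-3"}},
    {"id": "key-b", "name": "legacy", "status": "INACTIVE",
     "defaultAlgorithm": "AES_128", "primaryVersion": {"id": "ver-1"}},
    {"id": "key-c", "name": "backup", "status": "ACTIVE",
     "defaultAlgorithm": "AES_256_HSM", "rotationPeriod": "31536000s",
     "deletionProtection": True, "primaryVersion": {"id": "ver-1"}},
]

def audit_all(keys):
    """Map each key ID to its list of findings."""
    return {k["id"]: audit_key(k) for k in keys}

if __name__ == "__main__":
    for key_id, findings in audit_all(SAMPLE_KEYS).items():
        print(key_id, "OK" if not findings else findings)
```
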

Use cases

  • Encrypting data using the Yandex Cloud CLI and API
  • Encrypting data using the Yandex Cloud SDK
  • Encrypting data using the AWS Encryption SDK
  • Encrypting data using Google Tink
  • Encrypting secrets in Yandex Managed Service for Kubernetes
  • Managing KMS keys with HashiCorp Terraform
  • Encrypting secrets in HashiCorp Terraform
  • Auto Unseal in HashiCorp Vault
  • Secure password transmission to an initialization script
