Symmetric data encryption
In this section, you will learn how to use KMS to encrypt and decrypt small-sized data (up to 32 KB) in symmetric encryption mode using the CLI and API. For more information about the available encryption methods, see Which encryption method should I choose?.
Getting started
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Encrypt data
This command will encrypt the plain text provided in --plaintext-file
and write the resulting ciphertext to --ciphertext-file
:
--id
: ID of the KMS key. Make sure you set either the--id
or--name
flag.--name
: Name of the KMS key. Make sure you set either the--id
or--name
flag.--version-id
(optional): Version of the KMS key to use for encryption. The primary version is used by default.--plaintext-file
: Input file with plaintext.--aad-context-file
(optional): Input file with AAD context.--ciphertext-file
: Output file with ciphertext.
yc kms symmetric-crypto encrypt \
--id abj76v82fics******** \
--plaintext-file plaintext-file \
--ciphertext-file ciphertext-file
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To encrypt data:
-
In the configuration file, describe the parameters of the
yandex_kms_secret_ciphertext
resource and specify the KMS key in thekey_id
field:resource "yandex_kms_secret_ciphertext" "password" { key_id = "<key_ID>" aad_context = "additional authenticated data" plaintext = "strong password" }
Where:
key_id
: KMS key ID.aad_context
: (AAD context).plaintext
: String to be encrypted.
Warning
yandex_kms_secret_ciphertext
enables you to hide secrets when deploying an infrastructure. However, in general, it is not safe to openly specify theplaintext
andaad_context
in the configuration file. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.For more information about resource parameters in Terraform, see the provider documentation
. -
Check the configuration using this command:
terraform validate
If the configuration is correct, you will get this message:
Success! The configuration is valid.
-
Run this command:
terraform plan
The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
into the terminal and press Enter.The ciphertext can then be accessed via the
ciphertext
variable, and the encrypted data via theplaintext
variable.To check, you can add the following code with the
decrypted_pass
output variable to the configuration file.Alert
This is not safe and can only be used for testing.
output "decrypted_pass" { sensitive = true value = yandex_kms_secret_ciphertext.password.plaintext }
After updating the configuration, you can check the encrypted data using the command:
terraform output decrypted_pass
Result:
"strong password"
To encrypt data, use the encrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Encrypt gRPC API call.
For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.
For information about how to encrypt and decrypt data using the AWS Encryption SDK
For information about how to encrypt and decrypt data using Google Tink
Decrypt data
This command will decrypt the ciphertext provided in --ciphertext-file
and write the resulting plain text to --plaintext-file
:
--id
: ID of the KMS key. Make sure you set either the--id
or--name
flag.--name
: Name of the KMS key. Make sure you set either the--id
or--name
flag.--ciphertext-file
: Input file with plaintext.--aad-context-file
(optional): Input file with AAD context.--plaintext-file
: Output file with ciphertext.
yc kms symmetric-crypto decrypt \
--id abj76v82fics******** \
--ciphertext-file ciphertext-file \
--plaintext-file decrypted-file
To decrypt data, use the decrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Decrypt gRPC API call.
For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.
For information about how to encrypt and decrypt data using the AWS Encryption SDK
For information about how to encrypt and decrypt data using Google Tink