Contact UsGet started

Getting started with Key Management Service

Written by
Improved by
Updated at March 6, 2025

In this guide, you create your first key and encrypt and decrypt text using the KMS.

Getting started

To get started with Key Management Service:

  1. Log in to the management console. If not signed up yet, navigate to the management console and follow the on-screen instructions.

  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.

  3. Assign to your Yandex Cloud account the owner or editor role or higher for the cloud of your choice.

    Note

    If you are unable to manage roles, contact your cloud or organization administrator.

  4. If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

Create a symmetric encryption key

Create a symmetric encryption key:

  1. In the management console, select the folder you want to create a key in.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. Click Create key and set the key parameters:
    • In the Name field, specify my-first-key.
    • In the Encryption algorithm field, specify AES-256.
    • In the Rotation period, days field, leave No rotation.
    • Click Create.
  5. Click the line with the key name and make sure the Versions section contains the first key version.

Encrypt text using the key

Come up with a secret text, for example: The launch is scheduled for Marchember 42.. The text size must not exceed 32 KB. To encrypt large volumes of data, use envelope encryption.

Encrypt the text:

  1. Save the secret text to the plaintext.txt file.

  2. Copy the ID of the previously created key from the management console.

    1. In the management console, go to the folder the key was created in.
    2. Select Key Management Service.
    3. In the window that opens, copy the key from the ID field.

  3. Encrypt the text:

    yc kms symmetric-crypto encrypt \
 --id <key_ID> \
 --plaintext-file plaintext.txt \
 --ciphertext-file ciphertext

The result is a binary file named ciphertext containing ciphertext.

Decrypt the text

Decrypt the ciphertext binary file from the previous step.

Decrypt the text:

yc kms symmetric-crypto decrypt \
--id <key_ID> \
--ciphertext-file ciphertext \
--plaintext-file decrypted.txt

As a result, the ciphertext file will be decrypted and the following decrypted text will be written to the decrypted.txt file: The launch is scheduled for Marchember 42..

See also

Next
All guides