Contact UsGet started

Getting started with Key Management Service

Written by
Improved by
Updated at January 26, 2024

In this guide, you create your first key and encrypt and decrypt text using the KMS.

Getting started

To get started with Key Management Service:

  1. Log in to the management console. If you do not have an account yet, go to the management console and follow the guide.
  2. On the Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not yet have a billing account, create one.
  3. Make sure that you have the owner or editor role for the cloud.
  4. If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

Create a symmetric encryption key

Create a symmetric encryption key:

  1. In the management console, select the folder where you want to create a key.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. Click Create key and set the key parameters:
    • In the Name field, enter my-first-key.
    • In the Encryption algorithm field, set AES-256.
    • In the Rotation period, days field, leave No rotation.
    • Click Create.
  5. Click the line with the key name and make sure the Versions section contains the first key version.

Encrypt text using the key

Come up with a secret text, for example: The launch is scheduled for Marchember 42.. The text size must not exceed 32 KB. To encrypt large volumes of data, use envelope encryption.

Encrypt the text:

  1. Save the secret text to the plaintext.txt file.

  2. Copy the ID of the previously created key from the management console.

    1. In the management console, go to the folder where the key was created.
    2. Select Key Management Service.
    3. In the window that opens, copy the key from the ID field.

  3. Encrypt the text:

    yc kms symmetric-crypto encrypt \
 --id <key_ID> \
 --plaintext-file plaintext.txt \
 --ciphertext-file ciphertext

The result is a binary file named ciphertext containing ciphertext.

Decrypt the text

Decrypt the ciphertext binary file from the previous step.

Decrypt the text:

yc kms symmetric-crypto decrypt \
--id <key_ID> \
--ciphertext-file ciphertext \
--plaintext-file decrypted.txt

As a result, the ciphertext file is decrypted and the following decrypted text is written to the decrypted.txt file: The launch is scheduled for Marchember 42..

See also

Next
All guides