Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
  • Blog
  • Pricing
  • Documentation
Yandex project
© 2025 Yandex.Cloud LLC
Yandex Key Management Service
  • Getting started
  • Access management
  • Pricing policy
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • FAQ

In this article:

  • Getting started
  • Create a symmetric encryption key
  • Encrypt text using the key
  • Decrypt the text

Getting started with Key Management Service

Written by
Yandex Cloud
Improved by
Updated at March 6, 2025
  • Getting started
  • Create a symmetric encryption key
  • Encrypt text using the key
  • Decrypt the text

In this guide, you create your first key and encrypt and decrypt text using the KMS.

Getting startedGetting started

To get started with Key Management Service:

  1. Log in to the management console. If not signed up yet, navigate to the management console and follow the on-screen instructions.

  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.

  3. Assign to your Yandex Cloud account the owner or editor role or higher for the cloud of your choice.

    Note

    If you are unable to manage roles, contact your cloud or organization administrator.

  4. If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

Create a symmetric encryption keyCreate a symmetric encryption key

Management console

Create a symmetric encryption key:

  1. In the management console, select the folder you want to create a key in.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. Click Create key and set the key parameters:
    • In the Name field, specify my-first-key.
    • In the Encryption algorithm field, specify AES-256.
    • In the Rotation period, days field, leave No rotation.
    • Click Create.
  5. Click the line with the key name and make sure the Versions section contains the first key version.

Encrypt text using the keyEncrypt text using the key

Come up with a secret text, for example: The launch is scheduled for Marchember 42.. The text size must not exceed 32 KB. To encrypt large volumes of data, use envelope encryption.

CLI

Encrypt the text:

  1. Save the secret text to the plaintext.txt file.

  2. Copy the ID of the previously created key from the management console.

    1. In the management console, go to the folder the key was created in.
    2. Select Key Management Service.
    3. In the window that opens, copy the key from the ID field.
  3. Encrypt the text:

    yc kms symmetric-crypto encrypt \
     --id <key_ID> \
     --plaintext-file plaintext.txt \
     --ciphertext-file ciphertext
    

The result is a binary file named ciphertext containing ciphertext.

Decrypt the textDecrypt the text

Decrypt the ciphertext binary file from the previous step.

CLI

Decrypt the text:

yc kms symmetric-crypto decrypt \
--id <key_ID> \
--ciphertext-file ciphertext \
--plaintext-file decrypted.txt

As a result, the ciphertext file will be decrypted and the following decrypted text will be written to the decrypted.txt file: The launch is scheduled for Marchember 42..

See alsoSee also

  • Updating keys
  • Rotating a key
  • Changing the default key version

Was the article helpful?

Next
All guides
Yandex project
© 2025 Yandex.Cloud LLC