Bucket encryption
In Object Storage, you can encrypt objects in a bucket using KMS keys:
- Add encryption to the bucket to encrypt all new objects with the specified key.
- Specify an encryption key when uploading an object via the API.
Alert
Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as destroying all data encrypted with that key.
To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer
role:
kms.keys.encrypter
: To read the key, encrypt, and upload objects.kms.keys.decrypter
: To read the key, decrypt, and download objects.kms.keys.encrypterDecrypter
: Includes thekms.keys.encrypter
andkms.keys.decrypter
permissions.
For more information, see Key Management Service service roles.
Adding encryption to a bucket
To add a KMS key:
-
In the management console
, select Object Storage from the list of services and go to the bucket you want to configure the encryption for. -
In the left-hand panel, select
Security. -
Select the Encryption tab.
-
In the KMS Key field, select an existing key or create a new one:
- If the folder does not contain any keys yet, click Create key. If there are keys but they are not suitable, click Create new key.
- Enter a name for the key.
- Select an encryption algorithm and a rotation period.
- Click Create.
-
Click Save.
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin
, for the folder where you are going to create resources.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To get started, obtain an IAM token for your service account and save it to a file.
-
In the configuration file, describe the parameters of the resources you want to create:
provider "yandex" { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" zone = "ru-central1-a" service_account_key_file = "key.json" } resource "yandex_iam_service_account" "sa" { name = "<service_account_name>" } // Assigning a role to a service account resource "yandex_resourcemanager_folder_iam_member" "sa-admin" { folder_id = "<folder_ID>" role = "storage.admin" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } // Creating a static access key resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.sa.id description = "static access key for object storage" } resource "yandex_kms_symmetric_key" "key-a" { name = "<key_name>" description = "<key_description>" default_algorithm = "AES_128" rotation_period = "8760h" // 1 year } resource "yandex_storage_bucket" "test" { bucket = "<bucket_name>" access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = yandex_kms_symmetric_key.key-a.id sse_algorithm = "aws:kms" } } } }
Where:
service_account_key_file
: Path to file with your service account's IAM token (or the file contents).default_algorithm
: Encryption algorithm to be used with a new key version. A new version, generated at the next key rotation. The default value isAES_128
.rotation_period
: Rotation period. To disable automatic rotation, omit this parameter.apply_server_side_encryption_by_default
: Default encryption settings on the server side:kms_master_key_id
: ID of the KMS master key used for encryption.sse_algorithm
: Encryption algorithm used on the server side. The only supported value isaws:kms
.
-
Make sure the configuration files are correct.
- In the command line, go to the folder where you created the configuration file.
- Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
Deploy cloud resources.
- If the configuration does not contain any errors, run this command:
terraform apply
- Confirm that you want to create the resources.
All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console
.
Removing bucket encryption
To remove encryption, delete the KMS key:
- In the management console
, select Object Storage from the list of services and go to the bucket you want to disable encryption for. - In the left-hand panel, select
Security. - Select the Encryption tab.
- In the KMS Key field, select Not selected.
- Click Save.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To disable encryption for a bucket created using Terraform:
-
Open the Terraform configuration file and delete the
server_side_encryption_configuration
section from the bucket description.Example bucket description in a Terraform configuration
... resource "yandex_storage_bucket" "test" { bucket = "my-bucket" access_key = "123JE02jKxusn********" secret_key = "ExamP1eSecReTKeykdo********" server_side_encryption_configuration { // Delete this section to disable encryption rule { apply_server_side_encryption_by_default { kms_master_key_id = "abjbeb2bgg4l********" sse_algorithm = "aws:kms" } } } } ...
-
In the command line, go to the directory with the Terraform configuration file.
-
Check the configuration using this command:
terraform validate
If the configuration is correct, you will get this message:
Success! The configuration is valid.
-
Run this command:
terraform plan
The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
into the terminal and press Enter.You can check the changes in the management console
.