Encrypting data using the Yandex Cloud CLI and API
In Yandex Key Management Service, you can encrypt and decrypt small amounts of data (up to 32 KB). For more information about the available encryption methods, see Which encryption method should I choose?.
Getting started
If you do not have the Yandex Cloud CLI yet, install and initialize it.
Encrypt data
This command will encrypt the plain text provided in --plaintext-file and write the resulting ciphertext to --ciphertext-file:
--id: ID of the KMS key. Make sure you set either the--idor--nameflag.--name: Name of the KMS key. Make sure you set either the--idor--nameflag.--version-id(optional): Version of the KMS key to use for encryption. The primary version is used by default.--plaintext-file: Input file with plaintext.--aad-context-file(optional): Input file with AAD context.--ciphertext-file: Output file with ciphertext.
yc kms symmetric-crypto encrypt \
--id abj76v82fics******** \
--plaintext-file plaintext-file \
--ciphertext-file ciphertext-file
To encrypt data, use the encrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Encrypt gRPC API call.
Decrypt data
This command will decrypt the ciphertext provided in --ciphertext-file and write the resulting plain text to --plaintext-file:
--id: ID of the KMS key. Make sure you set either the--idor--nameflag.--name: Name of the KMS key. Make sure you set either the--idor--nameflag.--ciphertext-file: Input file with plaintext.--aad-context-file(optional): Input file with AAD context.--plaintext-file: Output file with ciphertext.
yc kms symmetric-crypto decrypt \
--id abj76v82fics******** \
--ciphertext-file ciphertext-file \
--plaintext-file decrypted-file
To decrypt data, use the decrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Decrypt gRPC API call.