Key Management Service API, REST: AsymmetricEncryptionKey.Create

Written by

Updated at October 3, 2025

HTTP request
Body parameters
Response
CreateAsymmetricEncryptionKeyMetadata
Status
AsymmetricEncryptionKey

control plane
Creates an asymmetric KMS key in the specified folder.

HTTP request

POST https://kms.api.cloud.yandex.net/kms/v1/asymmetricEncryptionKeys

Body parameters

{
  "folderId": "string",
  "name": "string",
  "description": "string",
  "labels": "object",
  "encryptionAlgorithm": "string",
  "deletionProtection": "boolean"
}

Field	Description
folderId	string Required field. ID of the folder to create a asymmetric KMS key in.
name	string Name of the key.
description	string Description of the key.
labels	object (map<string, string>) Custom labels for the asymmetric KMS key as `key:value` pairs. Maximum 64 per key. For example, `"project": "mvp"` or `"source": "dictionary"`.
encryptionAlgorithm	enum (AsymmetricEncryptionAlgorithm) Asymmetric encryption algorithm. `ASYMMETRIC_ENCRYPTION_ALGORITHM_UNSPECIFIED` `RSA_2048_ENC_OAEP_SHA_256`: RSA-2048 encryption with OAEP padding and SHA-256 `RSA_3072_ENC_OAEP_SHA_256`: RSA-3072 encryption with OAEP padding and SHA-256 `RSA_4096_ENC_OAEP_SHA_256`: RSA-4096 encryption with OAEP padding and SHA-256
deletionProtection	boolean Flag that inhibits deletion of the symmetric KMS key

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": {
    "keyId": "string"
  },
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": {
    "id": "string",
    "folderId": "string",
    "createdAt": "string",
    "name": "string",
    "description": "string",
    "labels": "object",
    "status": "string",
    "encryptionAlgorithm": "string",
    "deletionProtection": "boolean"
  }
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
createdAt	string (date-time) Creation timestamp. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
createdBy	string ID of the user or service account who initiated the operation.
modifiedAt	string (date-time) The time when the Operation resource was last modified. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
done	boolean If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	CreateAsymmetricEncryptionKeyMetadata Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
error	Status The error result of the operation in case of failure or cancellation. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
response	AsymmetricEncryptionKey The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.

CreateAsymmetricEncryptionKeyMetadata

Field

Description

keyId

string

ID of the key being created.

Status

The error result of the operation in case of failure or cancellation.

Field	Description
code	integer (int32) Error code. An enum value of google.rpc.Code.
message	string An error message.
details[]	object A list of messages that carry the error details.

AsymmetricEncryptionKey

An asymmetric KMS key that may contain several versions of the cryptographic material.

Field	Description
id	string ID of the key.
folderId	string ID of the folder that the key belongs to.
createdAt	string (date-time) Time when the key was created. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
name	string Name of the key.
description	string Description of the key.
labels	object (map<string, string>) Custom labels for the key as `key:value` pairs. Maximum 64 per key.
status	enum (Status) Current status of the key. `STATUS_UNSPECIFIED` `CREATING`: The key is being created. `ACTIVE`: The key is active and can be used for encryption and decryption or signature and verification. Can be set to INACTIVE using the [AsymmetricKeyService.Update] method. `INACTIVE`: The key is inactive and unusable. Can be set to ACTIVE using the [AsymmetricKeyService.Update] method.
encryptionAlgorithm	enum (AsymmetricEncryptionAlgorithm) Asymmetric Encryption Algorithm ID. `ASYMMETRIC_ENCRYPTION_ALGORITHM_UNSPECIFIED` `RSA_2048_ENC_OAEP_SHA_256`: RSA-2048 encryption with OAEP padding and SHA-256 `RSA_3072_ENC_OAEP_SHA_256`: RSA-3072 encryption with OAEP padding and SHA-256 `RSA_4096_ENC_OAEP_SHA_256`: RSA-4096 encryption with OAEP padding and SHA-256
deletionProtection	boolean Flag that inhibits deletion of the key

Key Management Service API, REST: AsymmetricEncryptionKey.Create

HTTP requestHTTP request

Body parametersBody parameters

ResponseResponse

CreateAsymmetricEncryptionKeyMetadataCreateAsymmetricEncryptionKeyMetadata

StatusStatus

AsymmetricEncryptionKeyAsymmetricEncryptionKey