Key Management Service overview

Key Management Service is a service to create and manage encryption keys in Yandex Cloud.

Modern encryption algorithms are public. The knowledge of the ciphertext and encryption algorithm is not enough to decrypt data unless you have access to keys. Therefore, secure data storage means secure storage of encryption keys.

There are various types of encrypted data: from passwords, OAuth tokens, and SSH keys to data arrays that are several GB in size. They may require different types of access (random or sequential) and different types of storage. The optimal encryption algorithms are selected depending on all these factors. With a large amount of data, it is equally important to control access to it in a consistent manner and to consider the specifics of each data type.

Key Management Service meets the above objectives and provides secure and centralized storage for encryption keys.

Interfaces for using the serviceInterfaces for using the service

To work with KMS, you can use:

• Management console.
• Command line interface (CLI).
• SDK: in Java, Go, Python, or Node.js.
• API: REST or gRPC.

Managing symmetric encryption keysManaging symmetric encryption keys

A symmetric encryption key is a KMS resource and a collection of versions of cryptographic material that can be used to encrypt or decrypt data. Control the lifecycle of crypto material by managing keys:

• Create a key.
• Rotate keys.
• Update keys.
• Destroy keys.

Managing asymmetric encryption key pairsManaging asymmetric encryption key pairs

An asymmetric encryption key pair is a KMS resource that consists of two parts: a public key and a private key. The public key is used for encryption and the private key is used for decryption. Manage encryption key pairs:

• Create a key pair.
• Update a key pair.
• Delete a key pair.

Managing asymmetric key pairs of digital signaturesManaging asymmetric key pairs of digital signatures

An asymmetric digital signature key pair is a KMS resource that consists of two parts: a public key and a private key. You use the private key to create a digital signature and the public key to verify it. Manage signature key pairs:

• Create a key pair.
• Update a key pair.
• Delete a key pair.

Key integration with services and toolsKey integration with services and tools

You can use KMS keys:

• In Yandex Cloud services:
  • Managed Service for Kubernetes
  • Certificate Manager
• When working with Terraform.
• In cryptographic libraries:
  • AWS Encryption SDK
  • Google Tink

Secure key storageSecure key storage

The cryptographic key material is stored in encrypted form and is not available as plaintext outside KMS. When using the service API, you can encrypt or decrypt the transmitted data with a specific key, but you cannot get the crypto material in an explicit form. It can only be restored to RAM, and just for the duration of operations with the corresponding key.

If you use a Hardware Security Module (HSM), user keys never leave the HSM as plaintext. Key creation also takes place inside the HSM.

All access control features provided by Identity and Access Management are available for keys. For more information on access control and role assignment, see Access management in Key Management Service.

Key usage auditKey usage audit

You cannot read the ciphertext without access to the appropriate key. All key operations are written to audit logs. So, in addition to encryption, an important advantage of using KMS is the verification of access to encrypted data via key logs.

Each entry in the audit log contains the following information:

• Date and time.
• Type of operation.
• The key used.
• Subject (Yandex Cloud or service account).

To get audit logs, contact support.