© 2025 Direct Cursus Technology L.L.C.

Asymmetric encryption key pair in KMS

Written by
Yandex Cloud
Updated at March 31, 2025

An asymmetric encryption key pair consists of two parts: a public key and a private key. The public key is used for encryption and the private key is used for decryption.

Key Management Service allows you to export the public key to encrypt text on the client side. To decrypt such text in KMS, you can use the private key. You cannot access the private key in KMS directly.

Each key pair counts towards KMS quotas as a single key.

Encryption key pair parameters

A KMS encryption key pair may have the following parameters:

  • ID: Unique key pair identifier in Yandex Cloud. It is used for working with key pairs via the SDK, API, and CLI.

  • Name: Non-unique key pair name. It can be used to work with key pairs in the CLI if the folder only contains a single key pair with this name.

  • Encryption algorithm: Algorithm used for encryption. The following asymmetric encryption algorithms are supported:

    • rsa-2048-enc-oaep-sha-256
    • rsa-3072-enc-oaep-sha-256
    • rsa-4096-enc-oaep-sha-256
  • Status: Current state of the key pair. The following statuses are possible:

    • Creating: Key pair is being created.
    • Active: Key pair can be used for encryption and decryption.
    • Inactive: Key pair cannot be used.

    You can change the key pair status from Active to Inactive and back using the AsymmetricEncryptionKeyService/Update gRPC API call.
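
The client-side flow described above, as an added Go example that is not Yandex Cloud's own code: it encrypts with an exported public key using OAEP and SHA-256 (the padding named by the rsa-*-enc-oaep-sha-256 algorithms) and rejects input above the OAEP plaintext limit, which is 190, 318 and 446 bytes for 2048-, 3072- and 4096-bit keys. Assumptions: the exported key is a PEM "PUBLIC KEY" block, a locally generated key pair stands in for the KMS pair so the round trip runs offline, and all function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// MaxPlaintextLen is the RSA-OAEP limit k - 2*hLen - 2 bytes (RFC 8017, 7.1.1).
func MaxPlaintextLen(modulusBits int) int { return modulusBits/8 - 2*sha256.Size - 2 }

// EncryptWithExportedKey encrypts client-side; assumed key format: PEM "PUBLIC KEY" (SPKI).
func EncryptWithExportedKey(pubPEM, msg []byte) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("not an RSA public key")
	}
	if limit := MaxPlaintextLen(pub.Size() * 8); len(msg) > limit {
		return nil, fmt.Errorf("plaintext is %d bytes, limit is %d", len(msg), limit)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// RoundTrip: the local key is a constructed stand-in; with KMS, decryption is a service call.
func RoundTrip(bits int, msg []byte) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	ct, err := EncryptWithExportedKey(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), msg)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return string(pt), err
}

func main() { fmt.Println(RoundTrip(2048, []byte("constructed sample secret"))) }
```

Data larger than the limit does not fit in a single RSA-OAEP operation; the envelope encryption concept in this documentation covers that case.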

Using encryption key pairs

You can use an asymmetric encryption key pair in data encryption and decryption operations if you have the appropriate roles assigned. You can temporarily disable operations with a key pair by revoking the roles or changing its status to Inactive. For more information, see Access management in Key Management Service.

Deleting encryption key pairs

If you delete an encryption key pair or its parent resource (folder or cloud), this destroys the cryptographic material contained in it. After that, you will not be able to decrypt the data encrypted with the public key of the key pair.

Use cases

  • Signing and verifying Yandex Container Registry Docker images in Yandex Managed Service for Kubernetes
