© 2025 Direct Cursus Technology L.L.C.
Managing encryption key pairs

Written by
Yandex Cloud
Updated at June 3, 2025

You can use Key Management Service to create, update, and destroy asymmetric encryption key pairs.

Creating an encryption key pair

Management console
  1. In the management console, select the folder to create your key pair in.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. In the top-right corner, click Create key. In the window that opens:
    1. Enter a name and an optional description.
    2. In the Type field, select Encryption.
    3. In the Algorithm field, select the appropriate encryption algorithm.
    4. Enable deletion protection if required.
    5. Click Create.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to create an encryption key pair:

    yc kms asymmetric-encryption-key create --help
    
  2. Get the ID of the folder to create the key pair in.

  3. Create your key pair:

    yc kms asymmetric-encryption-key create \
      --name <key_pair_name> \
      --encryption-algorithm <encryption_algorithm> \
      --folder-id <folder_ID>
    

    Where:

    • --name: Name of the encryption key pair.

    • --folder-id: ID of the folder where the key pair will be created.

    • --encryption-algorithm: Encryption algorithm. Available options:

      • rsa-2048-enc-oaep-sha-256
      • rsa-3072-enc-oaep-sha-256
      • rsa-4096-enc-oaep-sha-256

    Result:

    id: abjfmo5enqlr********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T18:10:03Z"
    name: sample-encryption-key
    status: ACTIVE
    encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256
    

API

To create an encryption key pair, use the AsymmetricEncryptionKeyService/Create gRPC API call.

Updating an encryption key pair

After creating an encryption key pair, you can change its name, description, and labels, as well as enable or disable deletion protection.

Management console
  1. In the management console, select the folder with the appropriate key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. Go to the Encryption tab.
  5. In the line with the key pair, click and select Edit. In the window that opens:
    1. Change the required key pair attributes.
    2. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to update an encryption key pair:

    yc kms asymmetric-encryption-key update --help
    
  2. Get the ID of the folder with the key pair.

  3. Get the ID of the required encryption key pair by specifying the folder ID:

    yc kms asymmetric-encryption-key list \
      --folder-id <folder_ID>
    

    Result:

    +----------------------+-----------------------+---------------------------+---------------------+--------+
    |          ID          |          NAME         |   ENCRYPTION ALGORITHM    |     CREATED AT      | STATUS |
    +----------------------+-----------------------+---------------------------+---------------------+--------+
    | abjfmo5enqlr******** | sample-encryption-key | RSA_2048_ENC_OAEP_SHA_256 | 2023-08-16 18:10:03 | ACTIVE |
    +----------------------+-----------------------+---------------------------+---------------------+--------+
    
  4. Update the key pair:

    yc kms asymmetric-encryption-key update \
      --id <key_pair_ID> \
      --new-name <new_key_pair_name> \
      --deletion-protection
    

    Where:

    • --id: ID of the encryption key pair.
    • --new-name: New name for the key pair.
    • --deletion-protection: Flag to enable deletion protection. To disable the key pair deletion protection, use the --no-deletion-protection flag.

    Result:

    id: abjfmo5enqlr********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T18:10:03Z"
    name: new-encryption-key
    status: ACTIVE
    encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256
    deletion_protection: true
    

    The command has renamed the encryption key pair and enabled its deletion protection.
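
To check deletion protection across a whole folder rather than one key pair at a time, the following added example (not part of the Yandex Cloud documentation) parses the key pair list and prints the update command from step 4 for every ACTIVE key pair that is not protected. It assumes that list --format yaml emits one item per key pair with the fields shown in the Result blocks and omits deletion_protection when it is off; the IDs in sample_list are constructed.

```shell
#!/bin/sh
# Added example: list key pairs that can be deleted without any extra step.
# Assumption: deletion_protection is absent from the output when it is off.

# Reads the YAML list on stdin; prints "<id> <name>" per ACTIVE unprotected key pair.
unprotected_keys() {
  awk '
    function emit() {
      if (id != "" && status == "ACTIVE" && prot != "true") print id, name
      id = ""; name = ""; status = ""; prot = ""
    }
    /^- / { emit(); sub(/^- /, "  ") }        # a new list item starts here
    /^  [a-z_]+: / {                          # item-level fields only, not nested labels
      line = substr($0, 3)
      match(line, /: /)
      key = substr(line, 1, RSTART - 1)
      val = substr(line, RSTART + 2)
      gsub(/^"|"$/, "", val)                  # drop surrounding quotes
      if (key == "id") id = val
      else if (key == "name") name = val
      else if (key == "status") status = val
      else if (key == "deletion_protection") prot = val
    }
    END { emit() }
  '
}

# Prints (does not run) the update command for each unprotected key pair.
protect_commands() {
  unprotected_keys | while read -r key_id _name; do
    printf 'yc kms asymmetric-encryption-key update --id %s --deletion-protection\n' "$key_id"
  done
}

# Constructed sample input; real input would come from
#   yc kms asymmetric-encryption-key list --folder-id <folder_ID> --format yaml
sample_list() {
  cat <<'EOF'
- id: abjexample0000000001
  name: sample-encryption-key
  status: ACTIVE
- id: abjexample0000000002
  name: new-encryption-key
  status: ACTIVE
  deletion_protection: true
EOF
}

sample_list | protect_commands
```

The commands are only printed, so they can be reviewed before being run.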

API

To update an encryption key pair, use the AsymmetricEncryptionKeyService/Update gRPC API call.

Deleting an encryption key pair

Management console
  1. In the management console, select the folder with the appropriate key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. Go to the Encryption tab.
  5. In the line with the key pair, click and select Delete.
  6. Confirm the deletion.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to delete an encryption key pair:

    yc kms asymmetric-encryption-key delete --help
    
  2. Get the ID of the folder with the key pair.

  3. Get the ID of the required encryption key pair by specifying the folder ID:

    yc kms asymmetric-encryption-key list \
      --folder-id <folder_ID>
    

    Result:

    +----------------------+-----------------------+---------------------------+---------------------+--------+
    |          ID          |          NAME         |   ENCRYPTION ALGORITHM    |     CREATED AT      | STATUS |
    +----------------------+-----------------------+---------------------------+---------------------+--------+
    | abjfmo5enqlr******** | sample-encryption-key | RSA_2048_ENC_OAEP_SHA_256 | 2023-08-16 18:10:03 | ACTIVE |
    +----------------------+-----------------------+---------------------------+---------------------+--------+
    
  4. Delete the key pair by specifying its ID:

    yc kms asymmetric-encryption-key delete \
      --id <key_pair_ID>
    

    Result:

    id: abjfmo5enqlr********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T18:10:03Z"
    name: new-encryption-key
    encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256
    

API

To delete an encryption key pair, use the AsymmetricEncryptionKeyService/Delete gRPC API call.
