Managing encryption key pairs
You can use Key Management Service to create, update, and destroy asymmetric encryption key pairs.
Creating an encryption key pair
- In the management console
, select the folder to create your key pair in. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- In the top-right corner, click Create key. In the window that opens:
- Enter a name and an optional description.
- In the Type field, select
Encryption
. - In the Algorithm field, select the appropriate encryption algorithm.
- Enable deletion protection if required.
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the description of the CLI command to create an encryption key pair:
yc kms asymmetric-encryption-key create --help
-
Get the ID of the folder to create the key pair in.
-
Create your key pair:
yc kms asymmetric-encryption-key create \ --name <key_pair_name> \ --encryption-algorithm <encryption_algorithm> \ --folder-id <folder_ID>
Where:
-
--name
: Name of the encryption key pair. -
--folder-id
: ID of the folder where the key pair will be created. -
--encryption-algorithm
: Encryption algorithm. Available options:rsa-2048-enc-oaep-sha-256
rsa-3072-enc-oaep-sha-256
rsa-4096-enc-oaep-sha-256
Result:
id: abjfmo5enqlr******** folder_id: b1gt6g8ht345******** created_at: "2023-08-16T18:10:03Z" name: sample-encryption-key status: ACTIVE encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256
-
To create an encryption key pair, use the AsymmetricEncryptionKeyService/Create gRPC API call.
Updating an encryption key pair
After creating an encryption key pair, you can change its name, description, and labels, as well as enable or disable deletion protection.
- In the management console
, select the folder with the appropriate key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- Go to the Encryption tab.
- In the line with the key pair, click
and select Edit. In the window that opens:- Change the required key pair attributes.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the description of the CLI command to update an encryption key pair:
yc kms asymmetric-encryption-key update --help
-
Get the ID of the folder with the key pair.
-
Get the ID of the required encryption key pair by specifying the folder ID:
yc kms asymmetric-encryption-key list \ --folder-id <folder_ID>
Result:
+----------------------+-----------------------+---------------------------+---------------------+--------+ | ID | NAME | ENCRYPTION ALGORITHM | CREATED AT | STATUS | +----------------------+-----------------------+---------------------------+---------------------+--------+ | abjfmo5enqlr******** | sample-encryption-key | RSA_2048_ENC_OAEP_SHA_256 | 2023-08-16 18:10:03 | ACTIVE | +----------------------+-----------------------+---------------------------+---------------------+--------+
-
Update the key pair:
yc kms asymmetric-encryption-key update \ --id <key_pair_ID> \ --new-name <new_key_pair_name> \ --deletion-protection
Where:
--id
: ID of the encryption key pair.--new-name
: New name for the key pair.--deletion-protection
: Flag to enable deletion protection. To disable the key pair deletion protection, use the--no-deletion-protection
flag.
Result:
id: abjfmo5enqlr******** folder_id: b1gt6g8ht345******** created_at: "2023-08-16T18:10:03Z" name: new-encryption-key status: ACTIVE encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256 deletion_protection: true
The command has renamed the encryption key pair and enabled its deletion protection.
To update an encryption key pair, use the AsymmetricEncryptionKeyService/Update gRPC API call.
Deleting an encryption key pair
- In the management console
, select the folder with the appropriate key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- Go to the Encryption tab.
- In the line with the key pair, click
and select Delete. - Confirm the deletion.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the description of the CLI command to delete an encryption key pair:
yc kms asymmetric-encryption-key delete --help
-
Get the ID of the folder with the key pair.
-
Get the ID of the required encryption key pair by specifying the folder ID:
yc kms asymmetric-encryption-key list \ --folder-id <folder_ID>
Result:
+----------------------+-----------------------+---------------------------+---------------------+--------+ | ID | NAME | ENCRYPTION ALGORITHM | CREATED AT | STATUS | +----------------------+-----------------------+---------------------------+---------------------+--------+ | abjfmo5enqlr******** | sample-encryption-key | RSA_2048_ENC_OAEP_SHA_256 | 2023-08-16 18:10:03 | ACTIVE | +----------------------+-----------------------+---------------------------+---------------------+--------+
-
Delete the key pair by specifying its ID:
yc kms asymmetric-encryption-key delete \ --id <key_pair_ID>
Result:
id: abjfmo5enqlr******** folder_id: b1gt6g8ht345******** created_at: "2023-08-16T18:10:03Z" name: new-encryption-key encryption_algorithm: RSA_2048_ENC_OAEP_SHA_256
To delete an encryption key pair, use the AsymmetricEncryptionKeyService/Delete gRPC API call.