© 2025 Direct Cursus Technology L.L.C.

Managing digital signature key pairs

Written by
Yandex Cloud
Updated at May 13, 2025

You can use Key Management Service to create, update, and destroy digital signature key pairs.

Creating digital signature key pairs

To create a digital signature key pair:

Management console

  1. In the management console, select the folder to create your key pair in.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. In the top-right corner, click Create key. In the window that opens:
    1. Enter a name and an optional description.
    2. In the Type field, select Signature.
    3. In the Algorithm field, select the appropriate signature algorithm.
    4. Enable deletion protection if required.
    5. Click Create.

CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to create a digital signature key pair:

    yc kms asymmetric-signature-key create --help
    
  2. Get the ID of the folder to create the key pair in.

  3. Create your digital signature key pair:

    yc kms asymmetric-signature-key create \
      --name <key_pair_name> \
      --folder-id <folder_ID> \
      --signature-algorithm <signature_algorithm>
    

    Where:

    • --name: Name of the digital signature key pair.

    • --folder-id: ID of the folder where the key pair will be created.

    • --signature-algorithm: Digital signature algorithm. The following ECDSA and RSA algorithms are available:

      • rsa-2048-sign-pss-sha-256
      • rsa-2048-sign-pss-sha-384
      • rsa-2048-sign-pss-sha-512
      • rsa-3072-sign-pss-sha-256
      • rsa-3072-sign-pss-sha-384
      • rsa-3072-sign-pss-sha-512
      • rsa-4096-sign-pss-sha-256
      • rsa-4096-sign-pss-sha-384
      • rsa-4096-sign-pss-sha-512
      • ecdsa-nist-p256-sha-256
      • ecdsa-nist-p384-sha-384
      • ecdsa-nist-p521-sha-512
      • ecdsa-secp256-k1-sha-256

    Result:

    id: abj9g2dil5sj********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T09:06:57Z"
    name: sample-signature-key
    status: ACTIVE
    signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
    

Updating digital signature key pairs

After creating a key pair, you can change its name, description, and labels, as well as enable or disable deletion protection.

To update a digital signature key pair:

Management console

  1. In the management console, select the folder with the appropriate key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. Go to the Signature tab.
  5. In the row with the appropriate key pair, click and select Edit. In the window that opens:
    1. Change the required key pair attributes.
    2. Click Save.

CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to update a digital signature key pair:

    yc kms asymmetric-signature-key update --help
    
  2. Get the ID of the folder with the key pair.

  3. Get the ID of the required digital signature key pair by specifying the folder ID:

    yc kms asymmetric-signature-key list \
      --folder-id <folder_ID>
    

    Result:

    +----------------------+----------------------+---------------------------+---------------------+--------+
    |          ID          |         NAME         |    SIGNATURE ALGORITHM    |     CREATED AT      | STATUS |
    +----------------------+----------------------+---------------------------+---------------------+--------+
    | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
    +----------------------+----------------------+---------------------------+---------------------+--------+
    
  4. Update the digital signature key pair:

    yc kms asymmetric-signature-key update \
      --id <key_pair_ID> \
      --new-name <new_key_pair_name> \
      --deletion-protection
    

    Where:

    • --id: ID of the digital signature key pair.
    • --new-name: New name for the key pair.
    • --deletion-protection: Flag to enable deletion protection. To disable the key pair deletion protection, use the --no-deletion-protection flag.

    Result:

    id: abj9g2dil5sj********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T09:06:57Z"
    name: sample-new-key
    status: ACTIVE
    signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
    deletion_protection: true
    

    The command renamed the digital signature key pair and enabled its deletion protection.
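
A post-change check for the update step above, as an added example that is not part of the Yandex Cloud documentation: it parses the result text the command prints and reports a key that is not ACTIVE, whose algorithm differs from the one requested, or whose deletion protection is off. The function names are illustrative, and the mapping between the CLI and result spellings of an algorithm is an assumption drawn from the one pair shown on this page.

```shell
# Added example: check the result text printed by `yc kms asymmetric-signature-key update`.

# Values listed on this page for --signature-algorithm.
SUPPORTED_ALGORITHMS="rsa-2048-sign-pss-sha-256 rsa-2048-sign-pss-sha-384 \
rsa-2048-sign-pss-sha-512 rsa-3072-sign-pss-sha-256 rsa-3072-sign-pss-sha-384 \
rsa-3072-sign-pss-sha-512 rsa-4096-sign-pss-sha-256 rsa-4096-sign-pss-sha-384 \
rsa-4096-sign-pss-sha-512 ecdsa-nist-p256-sha-256 ecdsa-nist-p384-sha-384 \
ecdsa-nist-p521-sha-512 ecdsa-secp256-k1-sha-256"

# Constructed sample input: the update result shown on this page.
SAMPLE_RESULT='id: abj9g2dil5sj********
folder_id: b1gt6g8ht345********
created_at: "2023-08-16T09:06:57Z"
name: sample-new-key
status: ACTIVE
signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
deletion_protection: true'

# Print the value of one top-level "key: value" field of a result.
field_of() {
  printf '%s\n' "$1" |
    awk -v k="$2" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# Assumption: the result spells the algorithm as the CLI value in upper case with
# "-" replaced by "_", as in the one pair visible on this page.
algo_result_name() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/-/_/g'
}

is_supported_algorithm() {
  [ -n "$1" ] || return 1
  case " $SUPPORTED_ALGORITHMS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Args: <result text> <algorithm passed to --signature-algorithm>.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on a bad argument.
check_key_result() {
  result=$1; algo=$2; rc=0
  is_supported_algorithm "$algo" || { echo "unsupported algorithm: $algo"; return 2; }
  [ "$(field_of "$result" status)" = "ACTIVE" ] || { echo "key is not ACTIVE"; rc=1; }
  [ "$(field_of "$result" signature_algorithm)" = "$(algo_result_name "$algo")" ] ||
    { echo "algorithm mismatch"; rc=1; }
  [ "$(field_of "$result" deletion_protection)" = "true" ] ||
    { echo "deletion protection is off"; rc=1; }
  return "$rc"
}

check_key_result "$SAMPLE_RESULT" rsa-2048-sign-pss-sha-512 && echo "key state OK"
```

To check a real key, pass the text printed by the update command as the first argument in place of the sample.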

Deleting a digital signature key pair

To delete a digital signature key pair:

Management console

  1. In the management console, select the folder with the appropriate key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. Go to the Signature tab.
  5. In the row with the appropriate key pair, click and select Delete.
  6. Confirm the deletion.

CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to delete a signature key pair:

    yc kms asymmetric-signature-key delete --help
    
  2. Get the ID of the folder with the key pair.

  3. Get the ID of the required digital signature key pair by specifying the folder ID:

    yc kms asymmetric-signature-key list \
      --folder-id <folder_ID>
    

    Result:

    +----------------------+----------------------+---------------------------+---------------------+--------+
    |          ID          |         NAME         |    SIGNATURE ALGORITHM    |     CREATED AT      | STATUS |
    +----------------------+----------------------+---------------------------+---------------------+--------+
    | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
    +----------------------+----------------------+---------------------------+---------------------+--------+
    
  4. Delete the digital signature key pair by specifying its ID:

    yc kms asymmetric-signature-key delete \
      --id <key_pair_ID>
    

    Result:

    done (1s)
    id: abj9g2dil5sj********
    folder_id: b1gt6g8ht345********
    created_at: "2023-08-16T09:06:57Z"
    name: sample-new-key
    signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
    
