Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Key management

Written by
Improved by
Updated at April 22, 2025

You can use Key Management Service to create, rotate, and destroy symmetric encryption keys.

Create a key

To create a key:

  1. Log in to the management console.

  2. Select Key Management Service.

  3. In the left-hand panel, select Symmetric keys.

  4. Click Create key and set the key attributes:

    • Any name and optional description.
    • Encryption algorithm, e.g., AES-256.
    • Rotation period (how often to change key versions).
    • (Optional) Enable deletion protection.

  5. Click Create.

The key is created together with its first version: click the key in the list to open a page with its attributes.

Run this command:

yc kms symmetric-key create \
  --name example-key \
  --default-algorithm aes-256 \
  --rotation-period 24h \
  --deletion-protection

Where:

  • --name: Key name.
  • --default-algorithm: Encryption algorithm: aes-128, aes-192, or aes-256.
  • --rotation-period: Key rotation period. To create a key without automatic rotation, do not specify the --rotation-period parameter.
  • --deletion-protection: Key deletion protection. To create a key without deletion protection, do not specify the --deletion-protection parameter.

The key is created along with its first version. It is specified in the primary_version field.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To create a key:

  1. Describe the parameters of the yandex_kms_symmetric_key resource in the configuration file:

    resource "yandex_kms_symmetric_key" "key-a" {
  name                = "<key_name>"
  description         = "<key_description>"
  default_algorithm   = "AES_128"
  rotation_period     = "8760h"
  deletion_protection = true
  lifecycle {
    prevent_destroy = true
  }
}

    Where:

    • name: Key name. The name format is as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • description: Key description.

    • default_algorithm: Encryption algorithm. The possible values are AES-128, AES-192, or AES-256.

    • rotation_period: Rotation period (how often to change key versions). To create a key without automatic rotation, do not specify the rotation_period parameter.

    • deletion_protection: Key deletion protection. To create a key without deletion protection, do not specify the deletion_protection parameter.

    • lifecycle.prevent_destroy: Key deletion protection when running Terraform commands. To create a key without such protection, do not specify the lifecycle section.

    Warning

    Deleting a KMS key destroys all data encrypted with that key: the data becomes unrecoverable after the key is deleted. The deletion_protection parameter and the lifecycle section are required to prevent the deletion of the key (e.g., with the terraform destroy command).

    For more information about resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  3. Run this command:

    terraform plan

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply

  5. Confirm the changes: type yes into the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resources and their configuration using the management console or these CLI commands:

    yc kms symmetric-key list

Use the create REST API method for the SymmetricKey resource or the SymmetricKeyService/Create gRPC API call.

Edit a key

After creating a key, you can change any of its attributes. If you change the encryption algorithm, the new algorithm is used starting with the next key version. To immediately create a new version and make it the default version, rotate the key.

To edit a key:

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. In the line with the key, click and select Edit.
  5. Change the key attributes and click Save.

Run this command:

yc kms symmetric-key update \
  --name example-key \
  --new-name example-key-2 \
  --default-algorithm aes-128 \
  --rotation-period 48h \
  --deletion-protection

Where:

  • --name: Key name. If there are multiple keys with the same name in the folder, use the key ID.
  • --new-name: New key name.
  • --default-algorithm: Encryption algorithm: aes-128, aes-192, or aes-256.
  • --rotation-period: Key rotation period. To disable automatic rotation for an updated key, do not specify the --rotation-period parameter.
  • --deletion-protection: Key deletion protection. To disable deletion protection, specify the --no-deletion-protection parameter.

To edit a key:

  1. Open the Terraform configuration file and change the required parameters of the yandex_kms_symmetric_key resource.

    Here is an example of the configuration file structure:

    ...
resource "yandex_kms_symmetric_key" "key-a" {
  name                = "example-symmetric-key"
  description         = "description for key"
  default_algorithm   = "AES_128"
  rotation_period     = "8760h"
  deletion_protection = true
}
...

    For more information about the yandex_kms_symmetric_key resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  3. Run this command:

    terraform plan

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply

  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the key update using the management console or this CLI command:

    yc kms symmetric-key get <key_name>

Use the update REST API method for the SymmetricKey resource or the SymmetricKeyService/Update gRPC API call.

Rotate a key

When a key is rotated, a new version is generated and immediately set as the default version. You can set up automatic rotation, but you can also rotate a key manually at any time.

To rotate a key:

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. In the line with the key, click and select Rotate.
  5. Confirm the rotation (make sure that changing the default version will not affect your work).

Run the command with the key ID or name specified:

yc kms symmetric-key rotate example-key

Use the rotate REST API method for the SymmetricKey resource or the SymmetricKeyService/Rotate gRPC API call.

Destroy a key

By destroying a key you also destroy all its versions. You cannot delete a key right away: the versions of a key marked for deletion change their status to Scheduled For Destruction for 3 days. During this time, your account will continue to be charged for these key versions. Before the 3 days expire, you can request technical support to restore a key and its versions.

Alert

3 days after the key is requested to be destroyed, the key and its versions are permanently destroyed: if you still have any data encrypted with this key, you cannot decrypt the data.

If key deletion protection is enabled, disable it first.

To destroy a key:

  1. Log in to the management console.
  2. Select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. In the line with the key, click and select Delete.
  5. In the window that opens, click Delete.

Run the command with the key ID or name specified:

yc kms symmetric-key delete example-key

To delete a key created with Terraform:

  1. Open the Terraform configuration file and delete the fragment with the key description.

    Example key description in the Terraform configuration:

    ...
resource "yandex_kms_symmetric_key" "key-a" {
  name              = "example-symmetric-key"
  description       = "description for key"
  default_algorithm = "AES_128"
  rotation_period   = "8760h"
}
...

  2. In the command line, go to the directory with the Terraform configuration file.

  3. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    You can check the update using the management console or this CLI command:

    yc kms symmetric-key list

Use the delete REST API method for the SymmetricKey resource or the SymmetricKeyService/Delete gRPC API call.

See also

Previous
All guides
Next
Key version