Symmetric data encryption
In this section, you will learn how to use KMS to encrypt and decrypt small-sized data (up to 32 KB) in symmetric encryption mode using the CLI, Terraform, and API. For more information about the available encryption methods, see Which encryption method should I choose?.
Getting started
If you do not have the Yandex Cloud CLI yet, install and initialize it.
Encrypt data
Note
Changes caused by eventually consistent operations require up to three hours to become encryptable.
This command will encrypt the plain text provided in --plaintext-file and write the resulting ciphertext to --ciphertext-file:
--id: ID of the KMS key. Make sure you set either the--idor--nameflag.--name: Name of the KMS key. Make sure you set either the--idor--nameflag.--version-id(optional): Version of the KMS key to use for encryption. The primary version is used by default.--plaintext-file: Input plaintext file.--aad-context-file(optional): Input file with AAD context.--ciphertext-file: Output file with ciphertext.
yc kms symmetric-crypto encrypt \
--id abj76v82fics******** \
--plaintext-file plaintext-file \
--ciphertext-file ciphertext-file
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the guides on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.
To encrypt data:
-
In the configuration file, describe the parameters of the
yandex_kms_secret_ciphertextresource and specify the KMS key in thekey_idfield:resource "yandex_kms_secret_ciphertext" "password" { key_id = "<key_ID>" aad_context = "additional authenticated data" plaintext = "strong password" }Where:
key_id: KMS key ID.aad_context: AAD context.plaintext: String to encrypt.
Warning
With
yandex_kms_secret_ciphertext, you can hide secrets when deploying an infrastructure, but generally speaking it is unsafe to specifyplaintextandaad_contextin the configuration file in plain text. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.For more information about resource properties in Terraform, see this provider guide.
-
Validate your configuration using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.After this, you can access the ciphertext through the
ciphertextvariable, and the encrypted data, throughplaintext.For verification, you can add the following code with the
decrypted_passoutput variable to the configuration file.Alert
This is not safe and can only be used for testing.
output "decrypted_pass" { sensitive = true value = yandex_kms_secret_ciphertext.password.plaintext }After updating the configuration, you can check the encrypted data using the command:
terraform output decrypted_passResult:
"strong password"
To encrypt data, use the encrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Encrypt gRPC API call.
For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.
For information about how to encrypt and decrypt data using the AWS Encryption SDK
For information about how to encrypt and decrypt data using Google Tink
Decrypt data
Note
Changes caused by eventually consistent operations require up to three hours to become decryptable.
This command will decrypt the ciphertext provided in --ciphertext-file and write the resulting plain text to --plaintext-file:
--id: ID of the KMS key. Make sure you set either the--idor--nameflag.--name: Name of the KMS key. Make sure you set either the--idor--nameflag.--ciphertext-file: Input file with ciphertext.--aad-context-file(optional): Input file with AAD context.--plaintext-file: Output plaintext file.
yc kms symmetric-crypto decrypt \
--id abj76v82fics******** \
--ciphertext-file ciphertext-file \
--plaintext-file decrypted-file
To decrypt data, use the decrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Decrypt gRPC API call.
For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.
For information about how to encrypt and decrypt data using the AWS Encryption SDK
For information about how to encrypt and decrypt data using Google Tink
Change the data encryption key
Note
Changes triggered by eventually consistent operations allow an encryption key change after as much as three hours.
This command will decrypt the ciphertext from --source-ciphertext-file, re-encrypt it with a different key or a different version of the source key, and then write the resulting ciphertext to --ciphertext-file.
-
--idor--name: ID or name of the new KMS key for re-encryption.Note
-
To use a different key, specify the
--idor--nameflag. -
To only change the key version, skip both
--idand--name.
-
-
--version-id(optional): Version of the KMS key to use for encryption. The primary version is used by default. -
--aad-context-file(optional): Output file with AAD context. -
--ciphertext-file: Output file with ciphertext. -
--source-key-id: ID of the Key Management Service encryption key used for source text encryption. -
--source-aad-context-file(optional): Input file with AAD context. -
--source-ciphertext-file: Input file with ciphertext.
yc kms symmetric-crypto reencrypt \
--id <key_ID> \
--ciphertext-file ciphertext-file
--source-key-id <source_key_ID> \
--source-ciphertext-file source-ciphertext-file
To change the data encryption key or its version, use the reEncrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/ReEncrypt gRPC API call.