© 2025 Direct Cursus Technology L.L.C.

Symmetric data encryption

Written by
Yandex Cloud
Updated at April 22, 2025

In this section, you will learn how to use KMS to encrypt and decrypt small amounts of data (up to 32 KB) in symmetric encryption mode using the CLI and API. For more information about the available encryption methods, see "Which encryption method should I choose?"

Getting started

If you do not have the Yandex Cloud CLI yet, install and initialize it.

Encrypt data

CLI

This command will encrypt the plaintext provided in --plaintext-file and write the resulting ciphertext to --ciphertext-file:

  • --id: ID of the KMS key. Make sure you set either the --id or --name flag.
  • --name: Name of the KMS key. Make sure you set either the --id or --name flag.
  • --version-id (optional): Version of the KMS key to use for encryption. The primary version is used by default.
  • --plaintext-file: Input plaintext file.
  • --aad-context-file (optional): Input file with AAD context.
  • --ciphertext-file: Output file with ciphertext.

    yc kms symmetric-crypto encrypt \
      --id abj76v82fics******** \
      --plaintext-file plaintext-file \
      --ciphertext-file ciphertext-file

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To encrypt data:

  1. In the configuration file, describe the parameters of the yandex_kms_secret_ciphertext resource and specify the KMS key in the key_id field:

    resource "yandex_kms_secret_ciphertext" "password" {
      key_id      = "<key_ID>"
      aad_context = "additional authenticated data"
      plaintext   = "strong password"
    }
    

    Where:

    • key_id: KMS key ID.
    • aad_context: Additional authenticated data (AAD context).
    • plaintext: String to be encrypted.

    Warning

    yandex_kms_secret_ciphertext enables you to hide secrets when deploying an infrastructure. However, in general, it is not safe to openly specify the plaintext and aad_context in the configuration file. Secrets can be read from configuration files or execution logs and can end up in the Terraform state.

    For more information about resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    The ciphertext can then be accessed via the ciphertext variable, and the data that was encrypted (the original plaintext) via the plaintext variable.

    To check, you can add the following code with the decrypted_pass output variable to the configuration file.

    Alert

    This is not safe and can only be used for testing.

    output "decrypted_pass" {
      sensitive = true
      value     = yandex_kms_secret_ciphertext.password.plaintext
    }
    

    After updating the configuration, you can check the data that was encrypted using this command:

    terraform output decrypted_pass
    

    Result:

    "strong password"
    
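A check for the risk named in the warning above, as an added example that is not part of the Yandex Cloud documentation: it scans a Terraform state file (format version 4) for yandex_kms_secret_ciphertext resources whose plaintext or aad_context is stored unencrypted. The sample state is constructed, and the function and constant names are hypothetical.

```python
import json
import sys

RESOURCE_TYPE = "yandex_kms_secret_ciphertext"
# Arguments the warning names as unsafe to specify openly.
SECRET_ATTRS = ("plaintext", "aad_context")

# Constructed sample in Terraform state format version 4 (not real data).
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [
  {"mode": "managed", "type": "yandex_kms_secret_ciphertext", "name": "password",
   "instances": [{"attributes": {
     "key_id": "<key_ID>",
     "aad_context": "additional authenticated data",
     "plaintext": "strong password",
     "ciphertext": "<ciphertext>"}}]},
  {"mode": "managed", "type": "yandex_kms_symmetric_key", "name": "key",
   "instances": [{"attributes": {"name": "example-key"}}]}
]}
""")

def find_plaintext_in_state(state):
    """Return one finding per secret attribute stored unencrypted in the state."""
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != RESOURCE_TYPE:
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for idx, inst in enumerate(res.get("instances", [])):
            attrs = inst.get("attributes") or {}
            for attr in SECRET_ATTRS:
                value = attrs.get(attr)
                if value:  # present and non-empty: readable by anyone with the state
                    findings.append({
                        "address": f"{prefix}{RESOURCE_TYPE}.{res.get('name')}[{idx}]",
                        "attribute": attr,
                        "length": len(value),  # report the size, never the value
                    })
    return findings

if __name__ == "__main__":
    # Pass a path to terraform.tfstate, or run without arguments on the sample.
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    found = find_plaintext_in_state(state)
    for f in found:
        print(f"{f['address']}: {f['attribute']} in state ({f['length']} chars)")
    sys.exit(1 if found else 0)  # non-zero exit lets a CI job fail on findings
```

Any finding means the state file itself must be treated as a secret: restrict who can read the state backend and keep the file out of version control.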

API

To encrypt data, use the encrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Encrypt gRPC API call.

For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.

Decrypt data

CLI

This command will decrypt the ciphertext provided in --ciphertext-file and write the resulting plaintext to --plaintext-file:

  • --id: ID of the KMS key. Make sure you set either the --id or --name flag.
  • --name: Name of the KMS key. Make sure you set either the --id or --name flag.
  • --ciphertext-file: Input file with ciphertext.
  • --aad-context-file (optional): Input file with AAD context.
  • --plaintext-file: Output plaintext file.

    yc kms symmetric-crypto decrypt \
      --id abj76v82fics******** \
      --ciphertext-file ciphertext-file \
      --plaintext-file decrypted-file

API

To decrypt data, use the decrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Decrypt gRPC API call.

For information about how to encrypt and decrypt data using the Yandex Cloud SDK, see Encrypting data using the Yandex Cloud SDK.

For information about how to encrypt and decrypt data using the AWS Encryption SDK, see Encrypting data using the AWS Encryption SDK.

For information about how to encrypt and decrypt data using Google Tink, see Encrypting data using Google Tink.

See also

  • Command line interface (YC CLI).
  • Symmetric encryption in Yandex Key Management Service.
  • Asymmetric encryption in Yandex Key Management Service.
  • Managing keys in KMS.
  • Encrypting secrets in HashiCorp Terraform.
