Encrypting data using the Yandex Cloud CLI and API
In Yandex Key Management Service, you can encrypt and decrypt small amounts of data (up to 32 KB). For more information about the available encryption methods, see "Which encryption method should I choose?".
Getting started
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
Encrypt data
Note
Changes caused by eventually consistent operations can take up to three hours to become available for encryption.
This command will encrypt the plain text provided in --plaintext-file and write the resulting ciphertext to --ciphertext-file:
--id: ID of the KMS key. Make sure you set either the --id or --name flag.
--name: Name of the KMS key. Make sure you set either the --id or --name flag.
--version-id (optional): Version of the KMS key to use for encryption. The primary version is used by default.
--plaintext-file: Input plaintext file.
--aad-context-file (optional): Input file with AAD context.
--ciphertext-file: Output file with ciphertext.
yc kms symmetric-crypto encrypt \
  --id abj76v82fics******** \
  --plaintext-file plaintext-file \
  --ciphertext-file ciphertext-file
To encrypt data, use the encrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Encrypt gRPC API call.
Decrypt data
Note
Changes caused by eventually consistent operations can take up to three hours to become available for decryption.
This command will decrypt the ciphertext provided in --ciphertext-file and write the resulting plain text to --plaintext-file:
--id: ID of the KMS key. Make sure you set either the --id or --name flag.
--name: Name of the KMS key. Make sure you set either the --id or --name flag.
--ciphertext-file: Input file with ciphertext.
--aad-context-file (optional): Input file with AAD context.
--plaintext-file: Output file with plaintext.
yc kms symmetric-crypto decrypt \
  --id abj76v82fics******** \
  --ciphertext-file ciphertext-file \
  --plaintext-file decrypted-file
To decrypt data, use the decrypt REST API method for the SymmetricCrypto resource or the SymmetricCryptoService/Decrypt gRPC API call.
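The two commands above combined into one checked operation, as an added example that is not part of the Yandex Cloud documentation: the wrapper rejects input over the 32 KB limit before calling KMS, binds the ciphertext to an AAD context file, and decrypts the result with the same AAD context to confirm it round-trips before the caller relies on it. The function names and the reading of 32 KB as 32768 bytes are assumptions; the yc flags are the ones listed on this page.

```shell
# Added example, not from the Yandex Cloud docs. Function names are hypothetical.
# Assumption: the page's "32 KB" limit is read as 32768 bytes.
KMS_MAX_BYTES=32768

# Succeeds only if the file exists and fits the direct-encryption limit.
kms_fits_limit() {
    [ -f "$1" ] || return 2
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$KMS_MAX_BYTES" ]
}

# Usage: kms_encrypt_verified KEY_ID PLAINTEXT_FILE AAD_FILE CIPHERTEXT_FILE
kms_encrypt_verified() {
    key_id=$1; plain=$2; aad=$3; cipher=$4
    if ! kms_fits_limit "$plain"; then
        echo "plaintext missing or larger than $KMS_MAX_BYTES bytes" >&2
        return 1
    fi
    yc kms symmetric-crypto encrypt \
        --id "$key_id" \
        --plaintext-file "$plain" \
        --aad-context-file "$aad" \
        --ciphertext-file "$cipher" || return 1

    # Decrypt into a private temp file (mktemp creates it mode 0600) using the
    # same AAD context; a different AAD context must make decryption fail.
    check=$(mktemp) || return 1
    if yc kms symmetric-crypto decrypt \
        --id "$key_id" \
        --ciphertext-file "$cipher" \
        --aad-context-file "$aad" \
        --plaintext-file "$check" && cmp -s "$plain" "$check"; then
        rc=0
    else
        # Do not leave behind a ciphertext that cannot be recovered.
        rc=1
        rm -f "$cipher"
    fi
    rm -f "$check"
    return "$rc"
}
```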