Encrypting data using the Yandex Cloud SDK
You can use Key Management Service with the Yandex Cloud SDK. The SDK is available for Java and Go.
The Yandex Cloud SDK is most convenient for encrypting small amounts of data (the plaintext size limit is 32 KB). To encrypt larger amounts of data, we recommend using the AWS Encryption SDK or Google Tink, which encrypt data using envelope encryption.
Adding dependencies
Before you start, you need to add dependencies.
Java: add the dependency using Apache Maven:
<dependency>
<groupId>com.yandex.cloud</groupId>
<artifactId>java-sdk-services</artifactId>
<version>2.4.2</version>
</dependency>
Go: install the SDK:
go get github.com/yandex-cloud/go-sdk
Authentication
You can authenticate using one of the following: the service account linked to the Yandex Cloud VM, any service account (with an authorized key), or a Yandex account (with an OAuth token).
Authentication using the service account linked to the Yandex Cloud VM
Java: authenticate using the service account linked to the VM:
CredentialProvider credentialProvider = Auth.computeEngineBuilder().build();
Go: authenticate using the service account linked to the VM:
credentials := ycsdk.InstanceServiceAccount()
Authentication using any service account
The key.json file must contain an authorized key for the service account. For information about how to create authorized keys, see Creating authorized keys.
Java: authenticate using any service account:
CredentialProvider credentialProvider = Auth.apiKeyBuilder().fromFile(Paths.get("key.json")).build();
Go: authenticate using any service account:
authorizedKey, err := iamkey.ReadFromJSONFile("key.json")
if err != nil {...}
credentials, err := ycsdk.ServiceAccountKey(authorizedKey)
if err != nil {...}
Authentication using a Yandex account
The token variable is your OAuth token.
Java: authenticate using a Yandex account:
CredentialProvider credentialProvider = Auth.oauthTokenBuilder().build();
Go: authenticate using a Yandex account:
credentials := ycsdk.OAuthToken(token)
Data encryption and decryption
Use the encrypt and decrypt methods to encrypt and decrypt data. The code uses the following variables:
endpoint: api.cloud.yandex.net:443
keyId: ID of the KMS key
plaintext: Unencrypted text (no more than 32 KB)
ciphertext: Encrypted text
aad: AAD context (additional authenticated data)
Java:
SymmetricCryptoServiceBlockingStub symmetricCryptoService = ServiceFactory.builder()
.endpoint(endpoint)
.credentialProvider(credentialProvider)
.build()
.create(
SymmetricCryptoServiceBlockingStub.class,
SymmetricCryptoServiceGrpc::newBlockingStub
);
...
byte[] ciphertext = symmetricCryptoService.encrypt(SymmetricEncryptRequest.newBuilder()
.setKeyId(keyId)
.setPlaintext(ByteString.copyFrom(plaintext))
.setAadContext(ByteString.copyFrom(aad))
.build()
).getCiphertext().toByteArray();
...
byte[] plaintext = symmetricCryptoService.decrypt(SymmetricDecryptRequest.newBuilder()
.setKeyId(keyId)
.setCiphertext(ByteString.copyFrom(ciphertext))
.setAadContext(ByteString.copyFrom(aad))
.build()
).getPlaintext().toByteArray();
Go:
sdk, err := ycsdk.Build(context, ycsdk.Config{
Endpoint: endpoint,
Credentials: credentials,
})
if err != nil {...}
...
response, err := sdk.KMSCrypto().SymmetricCrypto().Encrypt(context, &kms.SymmetricEncryptRequest{
KeyId: keyId,
Plaintext: plaintext,
AadContext: aad,
})
if err != nil {...}
ciphertext := response.Ciphertext
...
response, err := sdk.KMSCrypto().SymmetricCrypto().Decrypt(context, &kms.SymmetricDecryptRequest{
KeyId: keyId,
Ciphertext: ciphertext,
AadContext: aad,
})
if err != nil {...}
plaintext := response.Plaintext