© 2025 Direct Cursus Technology L.L.C.
Encryption in Object Storage

Written by
Yandex Cloud
Updated at April 18, 2025

When using Yandex Object Storage, make sure to encrypt critical data.

We recommend encrypting Object Storage buckets using Yandex Key Management Service keys (server-side encryption) to protect against accidental or intentional publication of the bucket contents on the web.

Alert

Data in Object Storage is encrypted using envelope encryption; therefore, deleting a key is equivalent to destroying all data encrypted with that key.

Server-side encryption requires keys stored in Key Management Service. Specify the created KMS key in the bucket settings; it is then used to encrypt all new objects, including objects uploaded via the API.

Objects are encrypted when they are saved to a bucket and decrypted when they are downloaded from it. By default, encryption applies to all new objects, while previously uploaded objects remain unchanged.
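The envelope-encryption scheme behind the alert above, together with the encrypt-on-upload and decrypt-on-download flow, as an added Go example that is not part of the Yandex Cloud documentation, API or SDK. `MasterKeyStore` is a hypothetical in-memory stand-in for Key Management Service, `EncryptObject`, `DecryptObject`, `seal` and `open` are assumed names, and the object bytes are constructed input. Each object gets its own data key, which is stored only in wrapped (master-key-encrypted) form next to the ciphertext, so once the master key is deleted no wrapped data key can be opened and every object under that key is unrecoverable:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrKeyNotFound = errors.New("kms: master key not found (deleted?)")

// MasterKeyStore is a hypothetical stand-in for Key Management Service, not the Yandex KMS API.
type MasterKeyStore map[string][]byte

// EncryptedObject is what the bucket persists: the object ciphertext plus the
// per-object data key wrapped under the master key. The plaintext data key is never stored.
type EncryptedObject struct {
	MasterKeyID    string
	WrappedDataKey []byte // data key sealed under the master key, nonce prepended
	Ciphertext     []byte // object sealed under the data key, nonce prepended
}

// CreateKey generates a fresh 256-bit master key under the given ID.
func (s MasterKeyStore) CreateKey(id string) { s[id] = randBytes(32) }

// DeleteKey destroys the master key material: every data key wrapped under this
// ID, and therefore every object sealed with those data keys, is unrecoverable.
func (s MasterKeyStore) DeleteKey(id string) { delete(s, id) }

// randBytes returns n bytes from the OS CSPRNG; failure here is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptObject is the server-side step on upload: generate a per-object data key, seal
// the object with it, wrap the data key under the bucket's master key, keep only the wrapped form.
func EncryptObject(kms MasterKeyStore, masterKeyID string, plaintext []byte) (*EncryptedObject, error) {
	master, ok := kms[masterKeyID]
	if !ok {
		return nil, ErrKeyNotFound
	}
	dataKey := randBytes(32)
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(master, dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{MasterKeyID: masterKeyID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptObject is the step on download: unwrap the data key with the master key
// (impossible once that key is deleted), then open the object.
func DecryptObject(kms MasterKeyStore, obj *EncryptedObject) ([]byte, error) {
	master, ok := kms[obj.MasterKeyID]
	if !ok {
		return nil, ErrKeyNotFound
	}
	dataKey, err := open(master, obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, obj.Ciphertext)
}
```

Two properties worth noticing when running it: every upload produces a different `WrappedDataKey` even for identical content, and after `DeleteKey` the stored ciphertext is intact but `DecryptObject` can only return `ErrKeyNotFound`, which is exactly the situation the alert warns about.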

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

In addition to Key Management Service key-based encryption, you can also use the following approaches:

  • Integrating Object Storage with Key Management Service for client-side encryption. For more information, see Requirements for data encryption and key and secret management.
  • Using third-party client-side encryption libraries prior to sending data to Object Storage. If you use third-party data encryption libraries and your own key management methods, make sure your operation scheme, algorithms, and key lengths comply with regulatory requirements.

Use cases

  • Server-side encryption
  • Using a Yandex Lockbox secret to store a static access key
  • Uploading audit logs to ArcSight SIEM
  • Exporting audit logs to SIEM Splunk systems

See also

  • Bucket encryption
  • Key management
