Encryption in Object Storage
When using Yandex Object Storage, you have to make sure to encrypt critical data.
We recommend encrypting Object Storage buckets using Yandex Key Management Service keys (server-side encryption). This encryption method protects against accidental or intentional publication of the bucket content on the web.
Alert: Data in Object Storage is encrypted using envelope encryption, meaning that deleting a key is the same as destroying all data encrypted with that key.
Server-side encryption is performed using keys stored in Key Management Service. The KMS key you create is specified in the bucket settings, where it is used to encrypt all new objects, or it can be specified for an individual object when uploading it via the API.
Objects are encrypted before you save them to a bucket and decrypted when you download them from the bucket. By default, encryption applies to all new objects, while previously uploaded ones remain unchanged.
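The following added example (not code from the Yandex documentation) shows the two sides of server-side encryption as seen through the S3-compatible API: building the bucket-level default encryption configuration and the per-object upload headers for a KMS key, and then auditing a set of HEAD-object responses to find objects that were uploaded before encryption was enabled and therefore remain unencrypted, or that were encrypted with a different key than the one the bucket is supposed to use. The KMS key id and the HEAD responses are constructed placeholders; the header names and the XML body shape are the standard S3 `PutBucketEncryption` / SSE-KMS forms that the S3-compatible API uses.

```python
"""Server-side encryption helpers for an S3-compatible bucket (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Placeholder KMS key id (constructed); a real id comes from your Key Management Service folder.
KMS_KEY_ID = "abj0example0kms0key0id"

# Serialize with the S3 schema as the default namespace (no ns0: prefixes).
ET.register_namespace("", S3_NS)


def bucket_encryption_config(kms_key_id: str) -> str:
    """Build the PutBucketEncryption body that makes the KMS key the bucket default."""
    root = ET.Element(f"{{{S3_NS}}}ServerSideEncryptionConfiguration")
    rule = ET.SubElement(root, f"{{{S3_NS}}}Rule")
    default = ET.SubElement(rule, f"{{{S3_NS}}}ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, f"{{{S3_NS}}}SSEAlgorithm").text = "aws:kms"
    ET.SubElement(default, f"{{{S3_NS}}}KMSMasterKeyID").text = kms_key_id
    return ET.tostring(root, encoding="unicode")


def configured_key_id(config_xml: str) -> Optional[str]:
    """Read the KMS key id back out of a GetBucketEncryption response body."""
    root = ET.fromstring(config_xml)
    node = root.find(f".//{{{S3_NS}}}KMSMasterKeyID")
    return node.text if node is not None else None


def put_object_headers(kms_key_id: str) -> Dict[str, str]:
    """Headers that request SSE-KMS with an explicit key for a single PutObject."""
    return {SSE_HEADER: "aws:kms", SSE_KEY_HEADER: kms_key_id}


def audit_objects(head_responses: Dict[str, Dict[str, str]],
                  expected_key_id: str) -> Dict[str, List[str]]:
    """Classify objects by the encryption headers their HEAD responses report.

    Objects uploaded before bucket encryption was enabled carry no SSE header
    at all, so they show up under "unencrypted" and need to be re-uploaded
    (or copied onto themselves) to be protected by the key.
    """
    findings: Dict[str, List[str]] = {"ok": [], "unencrypted": [], "wrong_key": []}
    for key, headers in head_responses.items():
        lowered = {name.lower(): value for name, value in headers.items()}
        if lowered.get(SSE_HEADER) != "aws:kms":
            findings["unencrypted"].append(key)
        elif lowered.get(SSE_KEY_HEADER) != expected_key_id:
            findings["wrong_key"].append(key)
        else:
            findings["ok"].append(key)
    return findings


# Constructed HEAD-object responses, keyed by object name.
SAMPLE_HEAD_RESPONSES = {
    "reports/2024-q1.csv": {SSE_HEADER: "aws:kms", SSE_KEY_HEADER: KMS_KEY_ID},
    "legacy/dump.sql": {"content-length": "1024"},  # uploaded before encryption was enabled
    "archive/old.tar": {SSE_HEADER: "aws:kms", SSE_KEY_HEADER: "abj0other0key0id"},
}


if __name__ == "__main__":
    xml_body = bucket_encryption_config(KMS_KEY_ID)
    print(xml_body)
    print(put_object_headers(KMS_KEY_ID))
    print(audit_objects(SAMPLE_HEAD_RESPONSES, KMS_KEY_ID))
```

The audit is the part worth scheduling: enabling the bucket key changes nothing for existing objects, so a listing plus one HEAD per object is the only way to confirm that nothing sensitive is still stored in the clear or under a key that has since been retired.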
To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:
- kms.keys.encrypter: To read the key, encrypt, and upload objects.
- kms.keys.decrypter: To read the key, decrypt, and download objects.
- kms.keys.encrypterDecrypter: Includes the kms.keys.encrypter and kms.keys.decrypter permissions.
For more information, see Key Management Service service roles.
In addition to Key Management Service key-based encryption, you can also use the following approaches:
- Integrating Object Storage with Key Management Service for client-side encryption. For more information, see 4. Data encryption and key and secret management.
- Using third-party client-side encryption libraries prior to sending data to Object Storage. If you use third-party data encryption libraries and your own key management methods, make sure your operation model, algorithms, and key sizes comply with regulatory requirements.