Encryption in Object Storage

When using Yandex Object Storage, you have to make sure to encrypt critical data.

We recommend encrypting Object Storage buckets using Yandex Key Management Service keys (server-side encryption) to protect against accidental or intentional publication of the bucket contents on the web.

Server-side encryption requires keys stored in Key Management Service. You should specify the created KMS key in the bucket settings. It will be used for encrypting all new objects or when uploading an object via the API.

Objects are encrypted before you save them to a bucket and decrypted when you download them from the bucket. By default, encryption applies to all new objects, while previously uploaded ones remain unchanged.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

• kms.keys.encrypter: To read the key, encrypt and upload objects.
• kms.keys.decrypter: To read the key, decrypt and download objects.
• kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

In addition to Key Management Service key-based encryption, you can also use the following approaches:

• Integrating Object Storage with Key Management Service for client-side encryption. For more information, see Requirements for data encryption and key and secret management.
• Using third-party client-side encryption libraries prior to sending data to Object Storage. If you use third-party data encryption libraries and your own key management methods, make sure your operation scheme, algorithms, and key lengths comply with regulatory requirements.

Use casesUse cases

• Server-side encryption
• Using a Yandex Lockbox secret to store a static access key
• Uploading audit logs to ArcSight SIEM
• Exporting audit logs to SIEM Splunk systems

See alsoSee also

• Bucket encryption
• Key management