Discuss with expertTry it for free
© 2026 Direct Cursus Technology L.L.C.

Bucket encryption

Written by
Improved by
Updated at May 6, 2026

In Object Storage, you can encrypt objects in a bucket using KMS keys in any of the following ways:

Alert

Object Storage employs envelope encryption to secure data. Deleting a key is the same as deleting all data encrypted with that key.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

Setting up encryption for a bucket

To add a KMS key:

  1. In the management console, select any folder.

  2. Navigate to Object Storage.

  3. Select the bucket you want to configure encryption for.

  4. In the left-hand panel, select Security.

  5. Select the Encryption tab.

  6. In the KMS Key field, select an existing key or create a new one:

    1. If the folder does not contain any keys yet, click Create key. If the folder contains keys but they are not suitable, click Create.
    2. Enter a name for the key.
    3. Select an encryption algorithm and a rotation period.
    4. Click Create.

  7. Click Save.

Note

If you access Object Storage via Terraform under a service account, assign to the service account the relevant role, e.g., storage.admin, for the folder you are going to create the resources in.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Before you start, get an IAM token for your service account and save it to a file.

  1. In the configuration file, describe the resources you want to create:

    provider "yandex" {
  cloud_id                 = "<cloud_ID>"
  folder_id                = "<folder_ID>"
  zone                     = "ru-central1-a"
  service_account_key_file = "key.json"
}

resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

// Assigning a role to a service account
resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

// Creating a static access key
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = "<key_name>"
  description       = "<key_description>"
  default_algorithm = "AES_128"
  rotation_period   = "8760h" // 1 year
}

resource "yandex_storage_bucket" "test" {
  bucket     = "<bucket_name>"
  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = yandex_kms_symmetric_key.key-a.id
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

    Where:

    • service_account_key_file: Path to the file with your service account's IAM token (or the file contents).
    • default_algorithm: Encryption algorithm to use with a new key version. A new version of the key is generated with each key rotation. The default value is AES_128.
    • rotation_period: Rotation period. To disable automatic rotation, skip this parameter.
    • apply_server_side_encryption_by_default: Default encryption settings on the server side:
      • kms_master_key_id: ID of the KMS master key used for encryption.
      • sse_algorithm: Encryption algorithm used on the server side. The only supported value is aws:kms.

    For more information about the yandex_storage_bucket properties in Terraform, see this provider guide.

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

Removing bucket encryption

To remove encryption, delete the KMS key:

  1. In the management console, select any folder.
  2. Navigate to Object Storage.
  3. Select the bucket you want to remove encryption for.
  4. In the left-hand panel, select Security.
  5. Select the Encryption tab.
  6. In the KMS Key field, select Not selected.
  7. Click Save.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To remove encryption for a bucket created using Terraform:

  1. Open the Terraform configuration file and delete the server_side_encryption_configuration section from the bucket description.

    Example of a bucket description in Terraform configuration
    ...
resource "yandex_storage_bucket" "test" {
  bucket     = "my-bucket"
  access_key = "123JE02jKxusn********"
  secret_key = "ExamP1eSecReTKeykdo********"
  server_side_encryption_configuration { // Delete this section to disable encryption
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "abjbeb2bgg4l********"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
...

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

See also

Previous
Limiting the maximum size of a bucket
Next
Managing object lifecycles