© 2025 Direct Cursus Technology L.L.C.
Bucket encryption

Written by
Yandex Cloud
Improved by
Tania L.
Updated at April 22, 2025
  • Setting up encryption for a bucket
  • Removing bucket encryption

In Object Storage, you can encrypt objects in a bucket using KMS keys in any of the following ways:

  • Set up encryption for the bucket to encrypt all new objects with the specified key.
  • Specify an encryption key when uploading an object using the API.

Alert

Object Storage employs envelope encryption to secure data. Deleting a key is the same as deleting all data encrypted with that key.

To work with objects in an encrypted bucket, a user or service account must have one of the following roles for the encryption key, in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.
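The role assignments described above, as an added Terraform example that is not part of the original page's configuration. It assumes the yandex_kms_symmetric_key_iam_binding resource (with the symmetric_key_id, role and members arguments) from the Yandex Cloud Terraform provider; the service account, key and folder values are placeholders.

```hcl
# Added example (not from the Yandex Cloud page): grant a service account the
# roles it needs to read and write objects in a KMS-encrypted bucket.
# The yandex_kms_symmetric_key_iam_binding resource and its arguments are
# assumed from the Yandex Cloud Terraform provider; check the provider docs.

resource "yandex_iam_service_account" "uploader" {
  name = "<uploader_service_account_name>"
}

resource "yandex_kms_symmetric_key" "bucket-key" {
  name              = "<key_name>"
  default_algorithm = "AES_256"
  rotation_period   = "8760h" // 1 year

  # Deleting this key deletes every object encrypted with it (see the Alert
  # above), so refuse to destroy it through Terraform by accident.
  lifecycle {
    prevent_destroy = true
  }
}

# storage.configurer is the Object Storage role the page names as required.
resource "yandex_resourcemanager_folder_iam_member" "uploader-storage" {
  folder_id = "<folder_ID>"
  role      = "storage.configurer"
  member    = "serviceAccount:${yandex_iam_service_account.uploader.id}"
}

# The KMS role is bound to this key only, not to every key in the folder, so a
# leaked credential for this account cannot decrypt data protected by other keys.
# kms.keys.encrypterDecrypter = kms.keys.encrypter + kms.keys.decrypter; use
# kms.keys.encrypter alone for a write-only ingestion account and
# kms.keys.decrypter alone for a read-only consumer.
resource "yandex_kms_symmetric_key_iam_binding" "uploader-key-access" {
  symmetric_key_id = yandex_kms_symmetric_key.bucket-key.id
  role             = "kms.keys.encrypterDecrypter"
  members          = ["serviceAccount:${yandex_iam_service_account.uploader.id}"]
}
```

Reference yandex_kms_symmetric_key.bucket-key.id as kms_master_key_id in the bucket's server_side_encryption_configuration. Binding the KMS role at the key rather than the folder keeps the blast radius of a compromised service account to the buckets that use this one key.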

Setting up encryption for a bucket

Management console

To add a KMS key:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to set up encryption for.

  2. In the left-hand panel, select Security.

  3. Select the Encryption tab.

  4. In the KMS Key field, select an existing key or create a new one:

    1. If the folder does not contain any keys yet, click Create key. If the folder contains keys but they are not suitable, click Create.
    2. Enter a name for the key.
    3. Select an encryption algorithm and a rotation period.
    4. Click Create.
  5. Click Save.

Terraform

Note

Terraform uses a service account to interact with Object Storage. Assign the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Before you start, get an IAM token for your service account and save it to a file.

  1. In the configuration file, define the parameters of the resources you want to create:

    provider "yandex" {
      cloud_id                 = "<cloud_ID>"
      folder_id                = "<folder_ID>"
      zone                     = "ru-central1-a"
      service_account_key_file = "key.json"
    }
    
    resource "yandex_iam_service_account" "sa" {
      name = "<service_account_name>"
    }
    
    // Assigning a role to a service account
    resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
      folder_id = "<folder_ID>"
      role      = "storage.admin"
      member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
    }
    
    // Creating a static access key
    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = yandex_iam_service_account.sa.id
      description        = "static access key for object storage"
    }
    
    resource "yandex_kms_symmetric_key" "key-a" {
      name              = "<key_name>"
      description       = "<key_description>"
      default_algorithm = "AES_128"
      rotation_period   = "8760h" // 1 year
    }
    
    resource "yandex_storage_bucket" "test" {
      bucket     = "<bucket_name>"
      access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
      secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
      server_side_encryption_configuration {
        rule {
          apply_server_side_encryption_by_default {
            kms_master_key_id = yandex_kms_symmetric_key.key-a.id
            sse_algorithm     = "aws:kms"
          }
        }
      }
    }
    

    Where:

    • service_account_key_file: Path to the file with your service account's IAM token (or the file contents).
    • default_algorithm: Encryption algorithm to use with a new key version. A new version of the key is generated with each key rotation. The default value is AES_128.
    • rotation_period: Rotation period. To disable automatic rotation, skip this parameter.
    • apply_server_side_encryption_by_default: Default encryption settings on the server side:
      • kms_master_key_id: ID of the KMS master key used for encryption.
      • sse_algorithm: Encryption algorithm used on the server side. The only supported value is aws:kms.
  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.
    2. Run a check using this command:
      terraform plan
      

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:
      terraform apply
      
    2. Confirm creating the resources.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

Removing bucket encryption

Management console

To remove encryption, remove the KMS key from the bucket settings:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to remove encryption for.
  2. In the left-hand panel, select Security.
  3. Select the Encryption tab.
  4. In the KMS Key field, select Not selected.
  5. Click Save.

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To remove encryption for a bucket created using Terraform:

  1. Open the Terraform configuration file and delete the server_side_encryption_configuration section from the bucket description.

    Example of a bucket description in Terraform configuration
    ...
    resource "yandex_storage_bucket" "test" {
      bucket     = "my-bucket"
      access_key = "123JE02jKxusn********"
      secret_key = "ExamP1eSecReTKeykdo********"
      server_side_encryption_configuration { // Delete this section to disable encryption
        rule {
          apply_server_side_encryption_by_default {
            kms_master_key_id = "abjbeb2bgg4l********"
            sse_algorithm     = "aws:kms"
          }
        }
      }
    }
    ...
    
  2. In the command line, go to the directory with the Terraform configuration file.

  3. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  4. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply
    
  6. Confirm the changes: type yes into the terminal and press Enter.

    You can check the update using the management console.

See also

  • Encryption in Object Storage
