Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Bucket encryption

Written by
Updated at November 5, 2024

In Object Storage, you can encrypt objects in a bucket using KMS keys:

Alert

Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as destroying all data encrypted with that key.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt, and upload objects.
  • kms.keys.decrypter: To read the key, decrypt, and download objects.
  • kms.keys.encrypterDecrypter: Includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

Adding encryption to a bucket

To add a KMS key:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure the encryption for.

  2. In the left-hand panel, select Security.

  3. Select the Encryption tab.

  4. In the KMS Key field, select an existing key or create a new one:

    1. If the folder does not contain any keys yet, click Create key. If there are keys but they are not suitable, click Create new key.
    2. Enter a name for the key.
    3. Select an encryption algorithm and a rotation period.
    4. Click Create.

  5. Click Save.

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To get started, obtain an IAM token for your service account and save it to a file.

  1. In the configuration file, describe the parameters of the resources you want to create:

    provider "yandex" {
  cloud_id                 = "<cloud_ID>"
  folder_id                = "<folder_ID>"
  zone                     = "ru-central1-a"
  service_account_key_file = "key.json"
  }

resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

// Assigning a role to a service account
resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

// Creating a static access key
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = "<key_name>"
  description       = "<key_description>"
  default_algorithm = "AES_128"
  rotation_period   = "8760h" // 1 year
}

resource "yandex_storage_bucket" "test" {
  bucket     = "<bucket_name>"
  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = yandex_kms_symmetric_key.key-a.id
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

    Where:

    • service_account_key_file: Path to file with your service account's IAM token (or the file contents).
    • default_algorithm: Encryption algorithm to be used with a new key version. A new version, generated at the next key rotation. The default value is AES_128.
    • rotation_period: Rotation period. To disable automatic rotation, omit this parameter.
    • apply_server_side_encryption_by_default: Default encryption settings on the server side:
      • kms_master_key_id: ID of the KMS master key used for encryption.
      • sse_algorithm: Encryption algorithm used on the server side. The only supported value is aws:kms.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.
    2. Run a check using this command: 
      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:
    terraform apply
    1. Confirm that you want to create the resources.

    All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.

Removing bucket encryption

To remove encryption, delete the KMS key:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to disable encryption for.
  2. In the left-hand panel, select Security.
  3. Select the Encryption tab.
  4. In the KMS Key field, select Not selected.
  5. Click Save.

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To disable encryption for a bucket created using Terraform:

  1. Open the Terraform configuration file and delete the server_side_encryption_configuration section from the bucket description.

    Example bucket description in a Terraform configuration
    ...
resource "yandex_storage_bucket" "test" {
  bucket     = "my-bucket"
  access_key = "123JE02jKxusn********"
  secret_key = "ExamP1eSecReTKeykdo********"
  server_side_encryption_configuration { // Delete this section to disable encryption
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "abjbeb2bgg4l********"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
...

  2. In the command line, go to the directory with the Terraform configuration file.

  3. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    You can check the changes in the management console.

See also

Previous
Limiting the maximum size of a bucket
Next
Managing object lifecycles