Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Bucket encryption

Written by
Improved by
Updated at April 22, 2025

In Object Storage, you can encrypt objects in a bucket using KMS keys in any of the following ways:

Alert

Object Storage employs envelope encryption to secure data. Deleting a key is the same as deleting all data encrypted with that key.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

Setting up encryption for a bucket

To add a KMS key:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to set up encryption for.

  2. In the left-hand panel, select Security.

  3. Select the Encryption tab.

  4. In the KMS Key field, select an existing key or create a new one:

    1. If the folder does not contain any keys yet, click Create key. If the folder contains keys but they are not suitable, click Create.
    2. Enter a name for the key.
    3. Select an encryption algorithm and a rotation period.
    4. Click Create.

  5. Click Save.

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Before you start, get an IAM token for your service account and save it to a file.

  1. In the configuration file, define the parameters of the resources you want to create:

    provider "yandex" {
  cloud_id                 = "<cloud_ID>"
  folder_id                = "<folder_ID>"
  zone                     = "ru-central1-a"
  service_account_key_file = "key.json"
}

resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

// Assigning a role to a service account
resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

// Creating a static access key
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = "<key_name>"
  description       = "<key_description>"
  default_algorithm = "AES_128"
  rotation_period   = "8760h" // 1 year
}

resource "yandex_storage_bucket" "test" {
  bucket     = "<bucket_name>"
  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = yandex_kms_symmetric_key.key-a.id
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

    Where:

    • service_account_key_file: Path to the file with your service account's IAM token (or the file contents).
    • default_algorithm: Encryption algorithm to use with a new key version. A new version of the key is generated with each key rotation. The default value is AES_128.
    • rotation_period: Rotation period. To disable automatic rotation, skip this parameter.
    • apply_server_side_encryption_by_default: Default encryption settings on the server side:
      • kms_master_key_id: ID of the KMS master key used for encryption.
      • sse_algorithm: Encryption algorithm used on the server side. The only supported value is aws:kms.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.
    2. Run a check using this command: 
      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:
    terraform apply
    1. Confirm creating the resources.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

Removing bucket encryption

To remove encryption, delete the KMS key:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to remove encryption for.
  2. In the left-hand panel, select Security.
  3. Select the Encryption tab.
  4. In the KMS Key field, select Not selected.
  5. Click Save.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To remove encryption for a bucket created using Terraform:

  1. Open the Terraform configuration file and delete the server_side_encryption_configuration section from the bucket description.

    Example of a bucket description in Terraform configuration
    ...
resource "yandex_storage_bucket" "test" {
  bucket     = "my-bucket"
  access_key = "123JE02jKxusn********"
  secret_key = "ExamP1eSecReTKeykdo********"
  server_side_encryption_configuration { // Delete this section to disable encryption
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "abjbeb2bgg4l********"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
...

  2. In the command line, go to the directory with the Terraform configuration file.

  3. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    You can check the update using the management console.

See also

Previous
Limiting the maximum size of a bucket
Next
Managing object lifecycles