Encrypting data using the Yandex Cloud SDK
You can use Yandex Key Management Service with the Yandex Cloud SDK. The SDK is available for Java, Go, Python, and Node.js.
The Yandex Cloud SDK is most convenient for encrypting small amounts of data (the limit on the size of plaintext is 32 KB). To encrypt larger amounts of data, we recommend using the AWS Encryption SDK or Google Tink. They encrypt data using envelope encryption.
Adding dependencies
Before you start, you need to add dependencies.
Add dependencies using Apache Maven:
<dependency>
<groupId>com.yandex.cloud</groupId>
<artifactId>java-sdk-services</artifactId>
<version>2.4.2</version>
</dependency>
Install the SDK:
go get github.com/yandex-cloud/go-sdk
Authentication
You can authenticate using:
Authentication using the service account linked to the Yandex Cloud VM
Get authenticated using the service account linked to the VM:
CredentialProvider credentialProvider = Auth.computeEngineBuilder().build();
Authenticate using the service account linked to the VM:
credentials := ycsdk.InstanceServiceAccount()
Authentication using any service account
key.json must contain the authorized service account key. For information on how to create an authorized key, see Creating an authorized key.
Authenticate using any service account:
CredentialProvider credentialProvider = Auth.apiKeyBuilder().fromFile(Paths.get("key.json")).build();
Authenticate using any service account:
authorizedKey, err := iamkey.ReadFromJSONFile("key.json")
if err != nil {...}
credentials, err := ycsdk.ServiceAccountKey(authorizedKey)
if err != nil {...}
Authentication using a Yandex account
The token variable is your OAuth token.
Authenticate using a Yandex account:
CredentialProvider credentialProvider = Auth.oauthTokenBuilder().build();
Authenticate using a Yandex account:
credentials := ycsdk.OAuthToken(token)
Data encryption and decryption
Note
Changes caused by eventually consistent operations require up to three hours to become encryptable and decryptable.
Use the encrypt and decrypt methods to encrypt and decrypt data. The code uses the following variables:
endpoint:api.cloud.yandex.net:443.keyId: ID of the KMS key.plaintext: Plain text (no more than 32 KB).ciphertext: Ciphertext.aad: AAD context.
SymmetricCryptoServiceBlockingStub symmetricCryptoService = ServiceFactory.builder()
.endpoint(endpoint)
.credentialProvider(credentialProvider)
.build()
.create(
SymmetricCryptoServiceBlockingStub.class,
SymmetricCryptoServiceGrpc::newBlockingStub
);
...
byte[] ciphertext = symmetricCryptoService.encrypt(SymmetricEncryptRequest.newBuilder()
.setKeyId(keyId)
.setPlaintext(ByteString.copyFrom(plaintext))
.setAadContext(ByteString.copyFrom(aad))
.build()
).getCiphertext().toByteArray();
...
byte[] plaintext = symmetricCryptoService.decrypt(SymmetricDecryptRequest.newBuilder()
.setKeyId(keyId)
.setCiphertext(ByteString.copyFrom(ciphertext))
.setAadContext(ByteString.copyFrom(aad))
.build()
).getPlaintext().toByteArray();
sdk, err := ycsdk.Build(context, ycsdk.Config{
Endpoint: endpoint,
Credentials: credentials,
})
if err != nil {...}
...
response, err := sdk.KMSCrypto().SymmetricCrypto().Encrypt(context, &kms.SymmetricEncryptRequest{
KeyId: keyId,
Plaintext: plaintext,
AadContext: aad,
})
if err != nil {...}
ciphertext := response.Ciphertext
...
response, err := sdk.KMSCrypto().SymmetricCrypto().Decrypt(context, &kms.SymmetricDecryptRequest{
KeyId: keyId,
Ciphertext: ciphertext,
AadContext: aad,
})
if err != nil {...}
plaintext := response.Plaintext