Skip to main content
You can create symmetric and asymmetric keys in Key Management Service (KMS):
  • Create a symmetric key if you need to encrypt and decrypt data with the same key material or generate data keys for envelope encryption.
  • Create an asymmetric key if you need a public-private key pair.

Prerequisites

Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. You can check this in the Administration → IAM section of the web console.

How to create a symmetric key

Create a symmetric key: 
nebius kms symmetric-key create \
   --name <key_name> \
   --description "<key_description>" \
   --algorithm aes_256 \
   --rotation-period <period>
The command contains the following parameters:
  • --name: Name of the key.
  • --description (optional): Description of the key.
  • --algorithm: Key encryption algorithm. You can only specify the algorithm when you create a key. You can’t update it later. The only supported value is aes_256.
  • --rotation-period (optional): Period after which KMS automatically rotates the key material. When a key is rotated, KMS generates a new key version and immediately sets it as the default version. Specify the value in the NhNmNs format, for example, 24h or 48h30m10s. The minimum value is 86400s (one day) and the maximum value is 315360000s (3650 days). The default value is 7776000s (90 days).

How to create an asymmetric key

Create an asymmetric key: 
nebius kms asymmetric-key create \
   --name <key_name> \
   --description "<key_description>" \
   --algorithm <asymmetric_key_algorithm>
The command contains the following parameters:
  • --name: Name of the key.
  • --description (optional): Description of the key.
  • --algorithm: Cryptographic algorithm to use with the key. You can only specify the algorithm when you create a key. You can’t update it later. The supported values are:
    • ecdsa_nist_p256_sha_256
    • ecdsa_nist_p384_sha_384
    • rsa_4096_enc_oaep_sha_256