Getting started with Key Management Service: Use symmetric keys for encryption

Key Management Service (KMS) lets you create symmetric keys that use the same key material for encryption and decryption. The example below shows how to create your first symmetric key, encrypt sample data and decrypt it.

Prerequisites

You can create symmetric keys in any Nebius AI Cloud interface, but to encrypt and decrypt data, use the Nebius AI Cloud CLI.

Install and configure the Nebius AI Cloud CLI.
Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. You can check this in the Administration → IAM section of the web console.

Steps

Create a symmetric key

Web console
CLI

In the web console, go to Cryptography → KMS.
Click Create key.
On the key creation page:
- In the Name field, enter my-symmetric-key.
- In the Type field, preserve Symmetric key.
Click Create key.

This creates a symmetric key with the AES_256_GCM algorithm and the default rotation period of three months.You need the key ID to encrypt and decrypt data. In the list of symmetric keys, click

next to the key ID of the key you created, then save the copied value to the KEY_ID environment variable:

export KEY_ID=<key_ID>

Create a symmetric key:

export KEY_ID=$(nebius kms symmetric-key create \
  --name my-symmetric-key \
  --algorithm aes_256 \
  --format jsonpath='{.metadata.id}')

This command includes the following parameters:

--name: Name of the symmetric key.
--algorithm: Encryption algorithm that the key uses. For symmetric keys, KMS only supports the aes_256 algorithm.
--format jsonpath='{.metadata.id}': Returns only the key ID from the command output.

This command creates a symmetric key with the default rotation period of three months and saves the key ID to the KEY_ID environment variable.

Encrypt data

Encode the text Hello world in Base64:
printf '%s' 'Hello world' | base64 -w 0
The output looks like the following:
```
SGVsbG8gd29ybGQ=
```
Encrypt the text Hello world:
```
nebius kms symmetric-crypto encrypt \
  --key-id "$KEY_ID" \
  --plaintext SGVsbG8gd29ybGQ=
```
This command includes the following parameters:
- --key-id: ID of the symmetric key that you created.
- --plaintext: Base64-encoded value of your text.
The command returns the ciphertext value that you need for decrypting the data later:
```
key_id: kmssymkey-e00***
ciphertext: AhIClM3o***
```

Decrypt data

To decrypt the data, use the same symmetric key and the returned ciphertext:
```
nebius kms symmetric-crypto decrypt \
  --key-id "$KEY_ID" \
  --ciphertext <ciphertext>
```
This command includes the following parameters:
- --key-id: ID of the symmetric key that you created.
- --ciphertext: Ciphertext returned when you encrypted the plaintext.
The output contains the Base64-encoded plaintext:
```
key_id: kmssymkey-e00***
plaintext: SGVsbG8gd29ybGQ=
```

Decode the plaintext value from Base64:

printf '%s' 'SGVsbG8gd29ybGQ=' | base64 -d

The output is:

Hello world

What’s next

Learn how to rotate a symmetric key manually
Learn how to encrypt larger volumes of data with envelope encryption

​Prerequisites

​Steps

​Create a symmetric key

​Encrypt data

​Decrypt data