# Encrypting an image

If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.

{% note alert %}

If you destroy the key or its [version](../../../kms/concepts/version.md) used to encrypt a disk, image, or snapshot, you will irrevocably lose access to the data. For details, see [Destroying key versions](../../../kms/concepts/version.md#version-distruct).

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. [Create](../../../kms/operations/key.md#create) a Yandex Key Management Service encryption key. For more information, see [Encryption in Compute Cloud](../../concepts/encryption.md).
  1. Create an encrypted disk from the image you want to encrypt:

      1. In the [management console](https://console.yandex.cloud), select the folder containing the source image.
      1. Navigate to **Compute Cloud**.
      1. In the left-hand panel, select ![image](../../../_assets/console-icons/hard-drive.svg) **Disks**.
      1. Click **Create disk**.
      1. Enter a name for the disk.

          * Length: between 3 and 63 characters.
          * It can only contain lowercase Latin letters, numbers, and hyphens.
          * It must start with a letter and cannot end with a hyphen.

      1. Set the disk parameters, such as [disk type](../../concepts/disk.md#disks_types), [block size](../../concepts/disk.md#maximum-disk-size), and [disk size](../../concepts/disk.md#maximum-disk-size).
      1. In the **Contents** field, select `Image` and then select the image you need from the list below. Use the filter to find the image.
      1. Under **Encryption**, enable **Encrypted disk** and select the [key](../../../kms/concepts/key.md) you created earlier in the **KMS key** field.

      1. Click **Create disk**.

      Once created, the disk will get the `Creating` status. Wait until the disk status changes to `Ready` before using it.

  1. [Create](../image-create/create-from-disk.md) an image from the encrypted disk you created earlier.
  1. [Delete](../disk-control/delete.md) the encrypted disk.
  1. [Delete](delete.md) the source image.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Create a Yandex Key Management Service encryption key:

      ```bash
      yc kms symmetric-key create \
        --name <key_name> \
        --default-algorithm aes-256 \
        --rotation-period 24h \
        --deletion-protection
      ```

      Where `--name` is the name of the new Key Management Service key.

      Result:

      ```text
      id: abj73fd9mekk********
      folder_id: b1geoelk7fld********
      created_at: "2025-05-20T17:27:35Z"
      name: my-key1
      status: ACTIVE
      primary_version:
        id: abjdno4pqi67********
        key_id: abj73fd9mekk********
        status: ACTIVE
        algorithm: AES_256
        created_at: "2025-05-20T17:27:35Z"
        primary: true
      default_algorithm: AES_256
      rotation_period: 86400s
      deletion_protection: true
      ```

  1. Get a list of all images in the default folder:

      ```bash
      yc compute image list
      ```

      Result:

      ```text
      +----------------------+--------------------+------------------------+----------+
      |          ID          |        NAME        |       PRODUCT IDS      |  STATUS  |
      +----------------------+--------------------+------------------------+----------+
      | fd823vsvcmop******** | image-ubuntu-24-04 | igf2etq3erab3o******** | READY    |
      | fd8p8l3asgud******** | image-debian-2025  | goa2etq3erab3o******** | READY    |
      +----------------------+--------------------+------------------------+----------+
      ```

  1. Create an encrypted disk from the image you want to encrypt:

      ```bash
      yc compute disk create <encrypted_disk_name> \
        --source-image-name <image_name> \
        --kms-key-name <key_name>
      ```

      Where:
      * `--source-image-name`: Name of the source image the encrypted disk is created from.
      * `--kms-key-name`: Name of the encryption key the disk is encrypted with.

      Result:

      ```text
      done (53s)
      id: fhmihpagi991********
      folder_id: b1geoelk7fld********
      created_at: "2025-05-20T17:39:01Z"
      name: fromcliencrypted
      type_id: network-hdd
      zone_id: ru-central1-a
      size: "21474836480"
      block_size: "4096"
      status: READY
      source_image_id: sd1lb3jnrcs2********
      disk_placement_policy: {}
      hardware_generation:
        legacy_features:
          pci_topology: PCI_TOPOLOGY_V1
      kms_key:
        key_id: abj73fd9mekk********
        version_id: abjdno4pqi67********
      ```

      Once created, the disk will get the `Creating` status. Wait until the disk status changes to `Ready` before using it.

  1. Get a list of all disks in the default folder:

      ```bash
      yc compute disk list
      ```

      Result:

      ```text
      +----------------------+--------------+-------------+---------------+--------+----------------------+-------------------------+
      |          ID          |     NAME     |    SIZE     |     ZONE      | STATUS |     INSTANCE IDS     |       DESCRIPTION       |
      +----------------------+--------------+-------------+---------------+--------+----------------------+-------------------------+
      | a7lqgbt0bb9s******** | first-disk   | 20401094656 | ru-central1-a | READY  | a7lcvu28njbh******** |                         |
      | a7lv5j5hm1p1******** | second-disk  | 21474836480 | ru-central1-a | READY  |                      |                         |
      +----------------------+--------------+-------------+---------------+--------+----------------------+-------------------------+
      ```

  1. Create an image from the encrypted disk you created earlier:
  
      ```bash
      yc compute image create \
        --name <name_of_new_image> \
        --source-disk-name <encrypted_disk_name>
      ```

      Result:

      ```text
      done (8s)
      id: fd87fubin9ql********
      folder_id: b1geoelk7fld********
      created_at: "2025-06-25T10:52:31Z"
      name: encrypted-image
      min_disk_size: "5368709120"
      status: READY
      os:
        type: LINUX
      hardware_generation:
        legacy_features:
          pci_topology: PCI_TOPOLOGY_V1
      kms_key:
        key_id: abjgkrgibtmo********
        version_id: abjvf41ltfi8********
      ```

  1. Delete the encrypted disk:

      ```bash
      yc compute disk delete <encrypted_disk_name>
      ```

      Result:

      ```text
      done (4s)
      ```

  1. Delete the source image:

      ```bash
      yc compute image delete <unencrypted_image_name>
      ```

      Result:

      ```text
      done (2s)
      ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To encrypt an image using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      # Creating a Yandex Key Management Service key

      resource "yandex_kms_symmetric_key" "my-key" {
        name                = "encrypt-key"
        default_algorithm   = "AES_256"
        rotation_period     = "8760h"
        deletion_protection = true
        lifecycle {
          prevent_destroy = true
        }
      }

      # Creating an encrypted disk

      resource "yandex_compute_disk" "encrypted-disk" {
        name       = "new-encrypted-disk"
        type       = "network-hdd"
        zone       = "ru-central1-a"
        size       = 20
        block_size = 4096
        image_id   = "<unencrypted_image_ID>"
        kms_key_id = yandex_kms_symmetric_key.my-key.id
      }

      # Creating an encrypted image

      resource "yandex_compute_image" "encrypted-image" {
        name           = "<encrypted_image_name>"
        source_disk_id = yandex_compute_disk.encrypted-disk.id
        depends_on     = [yandex_compute_disk.encrypted-disk]
      }
      ```

      Where:
      * `image_id`: Unencrypted image ID.
      * `name`: Name of the new encrypted image.

      For more information about `yandex_compute_image` properties, see [this provider guide](../../../terraform/resources/compute_image.md).

  1. Create the resources:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Once created, the disk will get the `Creating` status. Wait until the disk status changes to `Ready` before using it.

  1. [Delete](../disk-control/delete.md) the encrypted disk.
  1. [Delete](delete.md) the source image.

- API {#api}

  1. Create a Yandex Key Management Service encryption key using the [create](../../../kms/api-ref/SymmetricKey/create.md) REST API method for the [SymmetricKey](../../../kms/api-ref/SymmetricKey/index.md) resource or the [SymmetricKeyService/Create](../../../kms/api-ref/grpc/SymmetricKey/create.md) gRPC API call.

  1. Create an encrypted disk from an image using the [create](../../api-ref/Disk/create.md) REST API method for the [Disk](../../api-ref/Disk/index.md) resource or the [DiskService/Create](../../api-ref/grpc/Disk/create.md) gRPC API call.

      To request a list of available images, use the [list](../../api-ref/Image/list.md) REST API method or the [ImageService/List](../../api-ref/grpc/Image/list.md) gRPC API call.

      Once created, the disk will get the `Creating` status. Wait until the disk status changes to `Ready` before using it.

  1. For the encrypted disk, create an image using the [create](../../api-ref/Image/create.md) REST API method for the [Image](../../api-ref/Image/index.md) resource or the [ImageService/Create](../../api-ref/grpc/Image/create.md) gRPC API call.

  1. Delete the encrypted disk using the [delete](../../api-ref/Disk/delete.md) REST API method for the [Disk](../../api-ref/Disk/index.md) resource or the [DiskService/Delete](../../api-ref/grpc/Disk/delete.md) gRPC API call.

  1. Delete the source image using the [delete](../../api-ref/Image/delete.md) REST API method for the [Image](../../api-ref/Image/index.md) resource or the [ImageService/Delete](../../api-ref/grpc/Image/delete.md) gRPC API call.

{% endlist %}
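
The CLI steps above, wrapped in a shell script that holds back the destructive final steps until the new image is confirmed to be bound to the intended key. This is an added example and is not part of the Yandex Cloud documentation or the `yc` tool. It assumes `yc` is installed and initialized with a default folder, parses the default YAML-style output shown in the results above, and checks that the key has deletion protection enabled before the unencrypted source image is removed (destroying the key would make the encrypted image unreadable, as the alert at the top of this page states). The key, disk and image names are arguments supplied by the operator.

```shell
#!/usr/bin/env bash
# Added example, not part of the Yandex Cloud docs or the yc CLI.
# Wraps the CLI steps above and refuses to delete the unencrypted source
# image until the new image is confirmed to be bound to the intended key.
# Assumes: yc is installed and initialized (default folder set), and its
# default YAML-style output, as shown in the results above, is parsed.
set -eu

# Print the value of a top-level "field: value" line from yc output on stdin.
# Nested (indented) fields such as primary_version.id are ignored.
yc_field() {            # usage: yc ... | yc_field <field>
  awk -v f="$1" '/^[^ ]/ && $1 == (f ":") { print $2 }'
}

# Print the key_id nested under kms_key: for a disk or image; empty if the
# resource is not encrypted.
kms_key_of() {          # usage: kms_key_of <disk|image> <name>
  yc compute "$1" get "$2" | awk '
    /^kms_key:/ { in_kms = 1; next }
    /^[^ ]/     { in_kms = 0 }
    in_kms && /^  key_id:/ { print $2 }'
}

# Poll until the disk or image reaches READY; fail on ERROR or timeout.
wait_ready() {          # usage: wait_ready <disk|image> <name> [max_seconds]
  local kind=$1 name=$2 status
  local deadline=$(( $(date +%s) + ${3:-900} ))
  while :; do
    status=$(yc compute "$kind" get "$name" | yc_field status)
    case "$status" in
      READY) return 0 ;;
      ERROR) echo "$kind $name entered ERROR" >&2; return 1 ;;
    esac
    [ "$(date +%s)" -lt "$deadline" ] || { echo "timeout waiting for $kind $name" >&2; return 1; }
    sleep 5
  done
}

# True if the KMS key has deletion protection enabled (see the alert above:
# destroying the key makes the encrypted image unreadable).
key_is_protected() {    # usage: key_is_protected <key_name>
  [ "$(yc kms symmetric-key get "$1" | yc_field deletion_protection)" = "true" ]
}

# Full procedure: encrypted disk from the source image, image from that disk,
# then cleanup. Prints the key ID the new image is bound to.
encrypt_image() {       # usage: encrypt_image <key_name> <source_image> <tmp_disk> <new_image>
  local key=$1 src=$2 disk=$3 img=$4 key_id bound

  key_is_protected "$key" || { echo "refusing: key $key has no deletion protection" >&2; return 1; }
  key_id=$(yc kms symmetric-key get "$key" | yc_field id)

  yc compute disk create "$disk" --source-image-name "$src" --kms-key-name "$key" >/dev/null
  wait_ready disk "$disk"
  bound=$(kms_key_of disk "$disk")
  [ "$bound" = "$key_id" ] || { echo "disk $disk is not bound to key $key" >&2; return 1; }

  yc compute image create --name "$img" --source-disk-name "$disk" >/dev/null
  wait_ready image "$img"
  bound=$(kms_key_of image "$img")
  [ "$bound" = "$key_id" ] || { echo "image $img is not bound to key $key" >&2; return 1; }

  # Only now is it safe to drop the temporary disk and the unencrypted source.
  yc compute disk delete "$disk" >/dev/null
  yc compute image delete "$src" >/dev/null
  echo "$bound"
}

# Run the procedure only when invoked with all four arguments:
#   ./encrypt-image.sh <key_name> <source_image> <tmp_disk> <new_image>
if [ $# -eq 4 ]; then
  encrypt_image "$@"
fi
```

The two `kms_key_of` comparisons are the point of the script: `yc compute disk create` and `yc compute image create` succeed whether or not a key was attached, so the script compares the `kms_key.key_id` of each new resource against the key's own `id` before anything is deleted. Run it with no arguments to load the functions into an interactive shell and call them one at a time.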


#### See also {#see-also}

* [Encryption in Compute Cloud](../../concepts/encryption.md)
* [Encrypting a disk](../disk-control/disk-encrypt.md)
* [Encrypting a snapshot](../snapshot-control/snapshot-encrypt.md)