# Managing digital signature key pairs

You can use Key Management Service to create, update, and delete digital signature key pairs.

## Creating digital signature key pairs {#create}

To create a digital signature key pair:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) to create your key pair in.
  1. Navigate to **Key Management Service**.
  1. In the left-hand panel, select ![image](../../_assets/kms/asymmetric-key.svg) **Asymmetric keys**.
  1. In the top-right corner, click **Create key**. In the window that opens:
      1. Enter a name and an optional description.
      1. In the **Type** field, select `Signature`.
      1. In the **Algorithm** field, select the appropriate signature algorithm.
      1. Enable deletion protection if required.
      1. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., across all folders your access permissions allow.

  1. See the description of the CLI command to create a digital signature key pair:

      ```bash
      yc kms asymmetric-signature-key create --help
      ```

  1. [Get](../../resource-manager/operations/folder/get-id.md) the ID of the folder to create the key pair in.

  1. Create your digital signature key pair:

      ```bash
      yc kms asymmetric-signature-key create \
        --name <key_pair_name> \
        --folder-id <folder_ID> \
        --signature-algorithm <signature_algorithm>
      ```

      Where:
      * `--name`: Name of the digital signature key pair.
      * `--folder-id`: ID of the folder where the key pair will be created.
      * `--signature-algorithm`: Digital signature algorithm. The following [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) and [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) algorithms are available:

          * `rsa-2048-sign-pss-sha-256`
          * `rsa-2048-sign-pss-sha-384`
          * `rsa-2048-sign-pss-sha-512`
          * `rsa-3072-sign-pss-sha-256`
          * `rsa-3072-sign-pss-sha-384`
          * `rsa-3072-sign-pss-sha-512`
          * `rsa-4096-sign-pss-sha-256`
          * `rsa-4096-sign-pss-sha-384`
          * `rsa-4096-sign-pss-sha-512`
          * `ecdsa-nist-p256-sha-256`
          * `ecdsa-nist-p384-sha-384`
          * `ecdsa-nist-p521-sha-512`
          * `ecdsa-secp256-k1-sha-256`

      Result:

      ```text
      id: abj9g2dil5sj********
      folder_id: b1gt6g8ht345********
      created_at: "2023-08-16T09:06:57Z"
      name: sample-signature-key
      status: ACTIVE
      signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
      ```

{% endlist %}

## Updating digital signature key pairs {#update}

After creating a key pair, you can change its name, description, and labels, as well as enable or disable deletion protection.

To update a digital signature key pair:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) with the appropriate key pair.
  1. Navigate to **Key Management Service**.
  1. In the left-hand panel, select ![image](../../_assets/kms/asymmetric-key.svg) **Asymmetric keys**.
  1. Navigate to the **Signature** tab.
  1. In the line with the key pair, click ![image](../../_assets/console-icons/ellipsis.svg) and select **Edit**. In the window that opens:
      1. Change the required key pair attributes.
      1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., across all folders your access permissions allow.

  1. See the description of the CLI command to update a digital signature key pair:

      ```bash
      yc kms asymmetric-signature-key update --help
      ```

  1. [Get](../../resource-manager/operations/folder/get-id.md) the ID of the folder with the key pair.

  1. Get the ID of the required digital signature key pair by specifying the folder ID:
     
     ```bash
     yc kms asymmetric-signature-key list \
       --folder-id <folder_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+---------------------------+---------------------+--------+
     |          ID          |         NAME         |    SIGNATURE ALGORITHM    |     CREATED AT      | STATUS |
     +----------------------+----------------------+---------------------------+---------------------+--------+
     | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
     +----------------------+----------------------+---------------------------+---------------------+--------+
     ```

  1. Update the digital signature key pair:

      ```bash
      yc kms asymmetric-signature-key update \
        --id <key_pair_ID> \
        --new-name <new_key_pair_name> \
        --deletion-protection
      ```

      Where:
      * `--id`: ID of the digital signature key pair.
      * `--new-name`: New name for the key pair.
      * `--deletion-protection`: Flag to enable deletion protection. To disable the key pair deletion protection, use the `--no-deletion-protection` flag.

      Result:

      ```text
      id: abj9g2dil5sj********
      folder_id: b1gt6g8ht345********
      created_at: "2023-08-16T09:06:57Z"
      name: sample-new-key
      status: ACTIVE
      signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
      deletion_protection: true
      ```

     The command renamed the digital signature key pair and enabled its deletion protection.

{% endlist %}
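
The following added example (not part of the original documentation or the Yandex Cloud tooling) audits a folder for signature key pairs that do not have deletion protection and prints the `update` command for each. It assumes that `yc kms asymmetric-signature-key list --format json` returns a JSON array using the field names shown in the results above and that `deletion_protection` is omitted when it is off, as in the create result; the sample listing and its IDs are constructed.

```python
import json
import shlex
import sys

# Constructed sample of the assumed `list --format json` output.
# IDs and names are made up; field names follow the results shown above.
SAMPLE_LISTING = """
[
  {"id": "abjexample0000000001", "name": "release-signing", "status": "ACTIVE",
   "signature_algorithm": "RSA_2048_SIGN_PSS_SHA_512", "deletion_protection": true},
  {"id": "abjexample0000000002", "name": "ci-signing", "status": "ACTIVE",
   "signature_algorithm": "RSA_2048_SIGN_PSS_SHA_512"},
  {"id": "abjexample0000000003", "name": "legacy-signing", "status": "ACTIVE",
   "signature_algorithm": "RSA_2048_SIGN_PSS_SHA_512", "deletion_protection": false}
]
"""


def unprotected_keys(listing_json):
    """Return the key pairs whose deletion protection is not enabled."""
    keys = json.loads(listing_json)
    if not isinstance(keys, list):
        raise ValueError("expected a JSON array of key pairs")
    # Only a literal `true` counts as protected: a missing field (assumed to
    # mean the default, off) and an explicit `false` are both reported.
    return [k for k in keys if k.get("deletion_protection") is not True]


def remediation_command(key):
    """Build the update command from this page that enables the protection."""
    return ("yc kms asymmetric-signature-key update --id {} "
            "--deletion-protection".format(shlex.quote(key["id"])))


def main():
    # Pipe real CLI output in; fall back to the constructed sample on a TTY.
    data = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    findings = unprotected_keys(data)
    for key in findings:
        print("{} ({}): deletion protection is off".format(key["name"], key["id"]))
        print("  " + remediation_command(key))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script exits with a non-zero status when it finds unprotected key pairs, so it can gate a scheduled check.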

## Deleting a digital signature key pair {#delete}

To delete a digital signature key pair:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) with the appropriate key pair.
  1. Navigate to **Key Management Service**.
  1. In the left-hand panel, select ![image](../../_assets/kms/asymmetric-key.svg) **Asymmetric keys**.
  1. Navigate to the **Signature** tab.
  1. In the line with the key pair, click ![image](../../_assets/console-icons/ellipsis.svg) and select **Delete**.
  1. Confirm the deletion.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., across all folders your access permissions allow.

  1. See the description of the CLI command to delete a signature key pair:

      ```bash
      yc kms asymmetric-signature-key delete --help
      ```

  1. [Get](../../resource-manager/operations/folder/get-id.md) the ID of the folder with the key pair.

  1. Get the ID of the required digital signature key pair by specifying the folder ID:
     
     ```bash
     yc kms asymmetric-signature-key list \
       --folder-id <folder_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+---------------------------+---------------------+--------+
     |          ID          |         NAME         |    SIGNATURE ALGORITHM    |     CREATED AT      | STATUS |
     +----------------------+----------------------+---------------------------+---------------------+--------+
     | abj9g2dil5sj******** | sample-signature-key | RSA_2048_SIGN_PSS_SHA_512 | 2023-08-16 09:06:57 | ACTIVE |
     +----------------------+----------------------+---------------------------+---------------------+--------+
     ```

  1. Delete the digital signature key pair by specifying its ID:

      ```bash
      yc kms asymmetric-signature-key delete \
        --id <key_pair_ID>
      ```

      Result:

      ```text
      done (1s)
      id: abj9g2dil5sj********
      folder_id: b1gt6g8ht345********
      created_at: "2023-08-16T09:06:57Z"
      name: sample-new-key
      signature_algorithm: RSA_2048_SIGN_PSS_SHA_512
      ```

{% endlist %}