bucket-encryption

0.0.201

After you configure server-side encryption, Object Storage Service (OSS) encrypts uploaded objects and permanently stores the encrypted objects. When you download objects, OSS decrypts the objects and returns the decrypted objects. This topic describes how to run the bucket-encryption command to add server-side encryption configurations to a bucket and modify, query, or delete the server-side encryption configurations of a bucket.

Usage notes

To add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket, you must have the oss:PutBucketEncryption permission. To query the server-side encryption configurations of a bucket, you must have the oss:GetBucketEncryption permission. To delete the server-side encryption configurations of a bucket, you must have the oss:DeleteBucketEncryption permission. For more information, see Attach a custom policy to a RAM user.

For ossutil 1.6.16 and later, you can directly use ossutil as the binary name in the command line. You do not need to update the binary name based on the operating system. For ossutil earlier than 1.6.16, you need to update the binary name based on the operating system. For more information, see ossutil command reference.
For more information about server-side encryption, see Server-side encryption.

Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket

Command syntax

ossutil bucket-encryption --method put oss://bucketName  --sse-algorithm algorithmName 
[--kms-masterkey-id  keyid]

The following table describes the preceding parameters.

Parameter	Description

Parameter	Description
bucketName	The name of the bucket.
--sse-algorithm	The encryption method of the bucket. Valid values: KMS: The keys managed by Key Management Service (KMS) are used for encryption and decryption (SSE-KMS). AES256: The keys managed by OSS are used for encryption and decryption (SSE-OSS).
--kms-masterkey-id	The ID of the KMS-managed customer master key (CMK) used to encrypt objects when the encryption method is set to SSE-KMS. If you do not specify this parameter, the default CMK is used to encrypt objects. If you want to use a specific CMK, use the parameter to configure the CMK ID. Note If you use OSS on CloudBox, this parameter is not supported.

Examples
- Run the following command to set the encryption method to SSE-OSS and the encryption algorithm to AES-256 for examplebucket:
```
ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256
```
- Run the following command to set the encryption method to SSE-KMS, specify a CMK ID, and set the encryption algorithm to AES-256 for examplebucket:
```
ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm KMS --kms-masterkey-id 9468da86-3509-4f8d-a61e-6eab1eac****
```
- If the following output is displayed, server-side encryption is configured for examplebucket:
```
0.856895(s) elapsed
```

Query the server-side encryption configurations of a bucket

Command syntax

ossutil bucket-encryption --method get oss://bucketname

Examples
Run the following command to query the server-side encryption configurations of examplebucket:
```
ossutil bucket-encryption --method get oss://examplebucket
```
If the following output is displayed, the server-side encryption method configured for examplebucket is SSE-KMS, the CMK ID is not specified, and the encryption algorithm is AES-256:
```
SSEAlgorithm:KMS
KMSMasterKeyID:
KMSDataEncryption:
```

Delete the server-side encryption configurations of a bucket

Command syntax

ossutil bucket-encryption --method delete oss://bucketname

Examples
Run the following command to delete the server-side encryption configurations of examplebucket:
```
ossutil bucket-encryption --method delete oss://examplebucket
```
If the following output is displayed, server-side encryption configurations are deleted for examplebucket:
```
0.856686(s) elapsed
```

Common options

If you use ossutil to switch to a bucket that is located in another region, add the -e option to specify the endpoint of the region in which the bucket is located. If you use ossutil to switch to a bucket that belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of the specified account, and add the -k option to specify the AccessKey secret of the specified account.

For example, you can run the following command to set the encryption method to AES-256 for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:

ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256 -e oss-cn-hangzhou.aliyuncs.com -i yourAccessKeyID -k yourAccessKeySecret

For more information about common options, see Common options.

Feedback

Previous: bucket-cnameNext: bucket-policy

On this page （1）

Usage notes

Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket

Query the server-side encryption configurations of a bucket

Delete the server-side encryption configurations of a bucket

Common options

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

Usage notes

Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket

Query the server-side encryption configurations of a bucket

Delete the server-side encryption configurations of a bucket

Common options

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)