
Object Storage Service:bucket-encryption

Last Updated: Aug 19, 2024

After you configure server-side encryption, Object Storage Service (OSS) encrypts uploaded objects and permanently stores the encrypted objects. When you download objects, OSS decrypts the objects and returns the decrypted objects. This topic describes how to run the bucket-encryption command to add server-side encryption configurations to a bucket and modify, query, or delete the server-side encryption configurations of a bucket.

Usage notes

  • To add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket, you must have the oss:PutBucketEncryption permission. To query the server-side encryption configurations of a bucket, you must have the oss:GetBucketEncryption permission. To delete the server-side encryption configurations of a bucket, you must have the oss:DeleteBucketEncryption permission. For more information, see Attach a custom policy to a RAM user.

  • For ossutil 1.6.16 and later, you can directly use ossutil as the binary name in the command line. You do not need to update the binary name based on the operating system. For ossutil earlier than 1.6.16, you need to update the binary name based on the operating system. For more information, see ossutil command reference.

  • For more information about server-side encryption, see Server-side encryption.

Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket

  • Command syntax

    ossutil bucket-encryption --method put oss://bucketName --sse-algorithm algorithmName [--kms-masterkey-id keyid]

    The following table describes the preceding parameters.

    Parameter            Description
    bucketName           The name of the bucket.
    --sse-algorithm      The encryption method of the bucket. Valid values:
                         • KMS: The keys managed by Key Management Service (KMS) are used for encryption and decryption (SSE-KMS).
                         • AES256: The keys managed by OSS are used for encryption and decryption (SSE-OSS).
    --kms-masterkey-id   The ID of the KMS-managed customer master key (CMK) used to encrypt objects when the encryption method is set to SSE-KMS. If you do not specify this parameter, the default CMK is used to encrypt objects. If you want to use a specific CMK, set this parameter to the ID of that CMK.
                         Note: If you use OSS on CloudBox, this parameter is not supported.

  • Examples

    • Run the following command to set the encryption method to SSE-OSS and the encryption algorithm to AES-256 for examplebucket:

      ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256
    • Run the following command to set the encryption method to SSE-KMS, specify a CMK ID, and set the encryption algorithm to AES-256 for examplebucket:

      ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm KMS --kms-masterkey-id 9468da86-3509-4f8d-a61e-6eab1eac****
    • If the following output is displayed, server-side encryption is configured for examplebucket:

      0.856895(s) elapsed

Query the server-side encryption configurations of a bucket

  • Command syntax

    ossutil bucket-encryption --method get oss://bucketName
  • Examples

    Run the following command to query the server-side encryption configurations of examplebucket:

    ossutil bucket-encryption --method get oss://examplebucket

    If the following output is displayed, the server-side encryption method configured for examplebucket is SSE-KMS, the CMK ID is not specified, and the encryption algorithm is AES-256:

    SSEAlgorithm:KMS
    KMSMasterKeyID:
    KMSDataEncryption:
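    The three-line output above is easy to read for one bucket, but when you audit many buckets it is more reliable to parse it and compare it with the encryption baseline you expect. The following POSIX shell script is an added example and is not part of the Alibaba Cloud documentation or of ossutil itself. The sample outputs are constructed to match the format shown above, the CMK ID in them is a placeholder, and the handling of a bucket whose output has no SSEAlgorithm line is an assumption, because this page does not show what ossutil prints for a bucket without server-side encryption.

```sh
#!/bin/sh
# Added example, not from the Alibaba Cloud documentation: compare the output of
# "ossutil bucket-encryption --method get" with an expected encryption baseline.

# Constructed sample outputs in the format shown on the page.
SAMPLE_KMS_DEFAULT='SSEAlgorithm:KMS
KMSMasterKeyID:
KMSDataEncryption:'

SAMPLE_AES='SSEAlgorithm:AES256
KMSMasterKeyID:
KMSDataEncryption:'

# Placeholder CMK ID, not a real key.
SAMPLE_KMS_CMK='SSEAlgorithm:KMS
KMSMasterKeyID:00000000-0000-0000-0000-00000000abcd
KMSDataEncryption:'

# get_field OUTPUT KEY: print the value after "KEY:" (empty if the line is absent or blank).
get_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_encryption OUTPUT REQUIRED_ALG [REQUIRED_CMK_ID]
# Returns 0 when the configuration matches the baseline and 1 otherwise;
# prints a one-line verdict either way.
check_encryption() {
    _out=$1
    _want_alg=$2
    _want_key=${3:-}
    _alg=$(get_field "$_out" SSEAlgorithm)
    _key=$(get_field "$_out" KMSMasterKeyID)

    # Assumption: a missing SSEAlgorithm line means no server-side encryption
    # is configured (the page does not show the output for that case).
    if [ -z "$_alg" ]; then
        echo "FAIL: no server-side encryption configuration found"
        return 1
    fi
    if [ "$_alg" != "$_want_alg" ]; then
        echo "FAIL: algorithm is $_alg, baseline requires $_want_alg"
        return 1
    fi
    # An empty KMSMasterKeyID means the default CMK, so a baseline that pins a
    # specific CMK fails on a bucket that uses the default key.
    if [ -n "$_want_key" ] && [ "$_key" != "$_want_key" ]; then
        echo "FAIL: CMK ID is '${_key:-<default>}', baseline requires $_want_key"
        return 1
    fi
    echo "OK: $_alg${_key:+ with CMK $_key}"
    return 0
}

# Live usage (requires ossutil and credentials; not run here):
#   check_encryption "$(ossutil bucket-encryption --method get oss://examplebucket)" KMS
check_encryption "$SAMPLE_KMS_DEFAULT" KMS
check_encryption "$SAMPLE_KMS_CMK" KMS 00000000-0000-0000-0000-00000000abcd
check_encryption "$SAMPLE_AES" KMS || true
```

    The same check is useful right after a put or delete: the elapsed-time line those commands print only tells you the request completed, so running get and comparing the result with the baseline confirms that the configuration on the bucket is what you intended.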

Delete the server-side encryption configurations of a bucket

  • Command syntax

    ossutil bucket-encryption --method delete oss://bucketName
  • Examples

    Run the following command to delete the server-side encryption configurations of examplebucket:

    ossutil bucket-encryption --method delete oss://examplebucket

    If the following output is displayed, server-side encryption configurations are deleted for examplebucket:

    0.856686(s) elapsed

Common options

If the bucket that you want to manage is located in another region, add the -e option to specify the endpoint of that region. If the bucket belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of that account and the -k option to specify the AccessKey secret of that account.

For example, you can run the following command to set the encryption method to AES-256 for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:

ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256 -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA****  -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about common options, see Common options.