After you configure server-side encryption, Object Storage Service (OSS) encrypts uploaded objects and permanently stores the encrypted objects. When you download objects, OSS decrypts the objects and returns the decrypted objects. This topic describes how to run the bucket-encryption command to add server-side encryption configurations to a bucket and modify, query, or delete the server-side encryption configurations of a bucket.
Usage notes
To add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket, you must have the oss:PutBucketEncryption permission. To query the server-side encryption configurations of a bucket, you must have the oss:GetBucketEncryption permission. To delete the server-side encryption configurations of a bucket, you must have the oss:DeleteBucketEncryption permission. For more information, see Attach a custom policy to a RAM user.
For ossutil 1.6.16 and later, you can directly use ossutil as the binary name in the command line. You do not need to update the binary name based on the operating system. For ossutil earlier than 1.6.16, you need to update the binary name based on the operating system. For more information, see ossutil command reference.
For more information about server-side encryption, see Server-side encryption.
Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket
Command syntax
ossutil bucket-encryption --method put oss://bucketName --sse-algorithm algorithmName [--kms-masterkey-id keyid]
The following table describes the preceding parameters.

Parameter            Description
bucketName           The name of the bucket.
--sse-algorithm      The encryption method of the bucket. Valid values:
                     KMS: The keys managed by Key Management Service (KMS) are used for encryption and decryption (SSE-KMS).
                     AES256: The keys managed by OSS are used for encryption and decryption (SSE-OSS).
--kms-masterkey-id   The ID of the KMS-managed customer master key (CMK) used to encrypt objects when the encryption method is set to SSE-KMS. If you do not specify this parameter, the default CMK is used to encrypt objects. If you want to use a specific CMK, use this parameter to configure the CMK ID.
                     Note: If you use OSS on CloudBox, this parameter is not supported.
Examples
Run the following command to set the encryption method to SSE-OSS and the encryption algorithm to AES-256 for examplebucket:
ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256
Run the following command to set the encryption method to SSE-KMS, specify a CMK ID, and set the encryption algorithm to AES-256 for examplebucket:
ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm KMS --kms-masterkey-id 9468da86-3509-4f8d-a61e-6eab1eac****
If the following output is displayed, server-side encryption is configured for examplebucket:
0.856895(s) elapsed
Query the server-side encryption configurations of a bucket
Command syntax
ossutil bucket-encryption --method get oss://bucketname
Examples
Run the following command to query the server-side encryption configurations of examplebucket:
ossutil bucket-encryption --method get oss://examplebucket
If the following output is displayed, the server-side encryption method configured for examplebucket is SSE-KMS, the CMK ID is not specified, and the encryption algorithm is AES-256:
SSEAlgorithm:KMS KMSMasterKeyID: KMSDataEncryption:
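As an added example that is not part of the ossutil documentation, the following POSIX shell script parses the output of the get command shown above and reports whether a bucket uses a required encryption method, so a fleet of buckets can be audited for missing server-side encryption. It assumes ossutil is on PATH with credentials already configured, and it treats output without an SSEAlgorithm field as a bucket with no server-side encryption (an assumption; the documentation does not show that case).

```shell
#!/bin/sh
# Added example, not ossutil's own code: audit a bucket's server-side
# encryption from the output of `ossutil bucket-encryption --method get`.
# Example output line (from the documentation):
#   SSEAlgorithm:KMS KMSMasterKeyID: KMSDataEncryption:

# parse_field OUTPUT KEY: print the value of "KEY:value" in OUTPUT (empty
# if the key is absent or has no value). Returns 1 when the key is absent.
parse_field() {
    set -f   # no globbing while word-splitting: key IDs may contain '*'
    for token in $1; do
        case "$token" in
            "$2":*) set +f; printf '%s\n' "${token#"$2":}"; return 0 ;;
        esac
    done
    set +f
    printf '\n'
    return 1
}

# sse_status OUTPUT REQUIRED_METHOD: 0 if SSEAlgorithm equals REQUIRED_METHOD
# (KMS or AES256), 1 if no SSEAlgorithm is present (assumed: not encrypted),
# 2 if a different method is configured.
sse_status() {
    alg=$(parse_field "$1" SSEAlgorithm) || alg=""
    case "$alg" in
        "")   return 1 ;;
        "$2") return 0 ;;
        *)    return 2 ;;
    esac
}

# audit_bucket BUCKET REQUIRED_METHOD: query the bucket with ossutil and
# report; exit status is the sse_status code, or 3 if the query failed.
audit_bucket() {
    out=$(ossutil bucket-encryption --method get "oss://$1" 2>&1) || {
        printf '%s: query failed: %s\n' "$1" "$out"; return 3; }
    rc=0; sse_status "$out" "$2" || rc=$?
    case "$rc" in
        0) printf '%s: OK, %s (CMK: %s)\n' "$1" "$2" \
               "$(parse_field "$out" KMSMasterKeyID)" ;;
        1) printf '%s: NOT ENCRYPTED; fix with: ossutil bucket-encryption --method put oss://%s --sse-algorithm %s\n' \
               "$1" "$1" "$2" ;;
        2) printf '%s: uses %s, expected %s\n' "$1" \
               "$(parse_field "$out" SSEAlgorithm)" "$2" ;;
    esac
    return "$rc"
}
```

Usage: `audit_bucket examplebucket KMS` (add -e/-i/-k as described under Common options if the bucket is in another region or account).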
Delete the server-side encryption configurations of a bucket
Command syntax
ossutil bucket-encryption --method delete oss://bucketname
Examples
Run the following command to delete the server-side encryption configurations of examplebucket:
ossutil bucket-encryption --method delete oss://examplebucket
If the following output is displayed, server-side encryption configurations are deleted for examplebucket:
0.856686(s) elapsed
Common options
If you use ossutil to switch to a bucket that is located in another region, add the -e option to specify the endpoint of the region in which the bucket is located. If you use ossutil to switch to a bucket that belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of the specified account, and add the -k option to specify the AccessKey secret of the specified account.
For example, you can run the following command to set the encryption method to AES-256 for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:
ossutil bucket-encryption --method put oss://examplebucket --sse-algorithm AES256 -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA**** -k 67DLVBkH7EamOjy2W5RVAHUY9H****
For more information about common options, see Common options.