After you configure server-side encryption, Object Storage Service (OSS) encrypts uploaded objects and permanently stores the encrypted objects. When you download objects, OSS decrypts the objects and returns the decrypted objects. This topic describes how to run the bucket-encryption command to add, modify, query, or delete encryption configurations for a bucket.

Note
  • Sample command lines in this topic are based on the 64-bit Linux system. For other systems, replace ./ossutil64 in the commands with the corresponding binary name. For more information, see ossutil.
  • For more information about how server-side encryption works, see Server-side encryption.

Add or modify bucket encryption configurations

  • Command syntax
    ./ossutil64 bucket-encryption --method put oss://bucketName  --sse-algorithm algorithmName  [--kms-masterkey-id  keyid] 

    The following table describes the parameters that you can configure when you run this command to add or modify bucket encryption configurations.

    Parameter Description
    bucketName The bucket for which you want to configure server-side encryption.
    --sse-algorithm The encryption method for the bucket.

    Valid values:

    • KMS: The keys managed by Key Management Service (KMS) are used for encryption and decryption (SSE-KMS).
    • AES256: The keys managed by OSS are used for encryption and decryption (SSE-OSS).
    --kms-masterkey-id When the encryption method is set to SSE-KMS, OSS uses the default KMS-managed customer master key (CMK) to encrypt objects. To use the specified KMS-managed CMK to encrypt objects, set this parameter to the valid CMK ID.
  • Examples
    • You can run the following command to set the default encryption method to SSE-OSS and the encryption algorithm to AES-256 for examplebucket:
      ./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm AES256
    • You can run the following command to set the default encryption method to SSE-KMS for examplebucket. Specify a CMK ID, and set the encryption algorithm to AES-256:
      ./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm KMS --kms-masterkey-id 9468da86-3509-4f8d-a61e-6eab1eac****
    • If a similar output is displayed, server-side encryption is configured for examplebucket:
      0.856895(s) elapsed

Query the server-side encryption configurations of a bucket

  • Command syntax
    ./ossutil64 bucket-encryption --method get oss://bucket
  • Examples

    You can run the following command to query the encryption configurations of examplebucket:

    ./ossutil64 bucket-encryption --method get oss://examplebucket
    If a similar output is displayed, the server-side encryption method configured for examplebucket is SSE-KMS, the CMK ID is not specified, and the encryption algorithm is AES-256:
    SSEAlgorithm:KMS
    KMSMasterKeyID:
    KMSDataEncryption:

Delete the server-side encryption configurations of a bucket

  • Command syntax
    ./ossutil64 bucket-encryption --method delete oss://bucket
  • Examples
    You can run the following command to delete the server-side encryption configurations of examplebucket:
    ./ossutil64 bucket-encryption --method delete oss://examplebucket

    If a similar output is displayed, server-side encryption configurations are deleted for examplebucket:

    0.856686(s) elapsed

Common options

To use command-line tool ossutil to manage buckets that are located in different regions, you can use the -e option to use the endpoint of the specified bucket. To use command-line tool ossutil to manage buckets that are owned by multiple Alibaba Cloud accounts, you can use the -i option to use the AccessKey ID of the specified account, and use the -k option to use the AccessKey secret of the specified account.

For example, you can run the following command to set the encryption method to AES-256 for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:
./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm AES256 -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA****  -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about other common options that you can use for the bucket-encryption command, see Common options.