Object Storage Service:bucket-encryption

Last Updated:Apr 01, 2024

After you configure server-side encryption, Object Storage Service (OSS) encrypts uploaded objects and permanently stores the encrypted objects. When you download objects, OSS decrypts the objects and returns the decrypted objects. This topic describes how to run the bucket-encryption command to add server-side encryption configurations to a bucket and modify, query, or delete the server-side encryption configurations of a bucket.

Usage notes

  • To add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket, you must have the oss:PutBucketEncryption permission. To query the server-side encryption configurations of a bucket, you must have the oss:GetBucketEncryption permission. To delete the server-side encryption configurations of a bucket, you must have the oss:DeleteBucketEncryption permission. For more information, see Attach a custom policy to a RAM user.

  • Sample command lines in this topic are for 64-bit Linux. On other systems, replace ./ossutil64 in the commands with the corresponding binary name. For more information, see ossutil command reference.

  • For more information about server-side encryption, see Server-side encryption.

Add server-side encryption configurations to a bucket or modify the server-side encryption configurations of a bucket

  • Command syntax

    ./ossutil64 bucket-encryption --method put oss://bucketName --sse-algorithm algorithmName [--kms-masterkey-id keyid]

    The following table describes the parameters in the preceding command.

    Parameter            Description
    bucketName           The bucket for which you want to configure server-side encryption.
    --sse-algorithm      The encryption method of the bucket. Valid values:
                         • KMS: The keys managed by Key Management Service (KMS) are used for encryption and decryption (SSE-KMS).
                         • AES256: The keys managed by OSS are used for encryption and decryption (SSE-OSS).
    --kms-masterkey-id   The ID of the KMS-managed customer master key (CMK) used to encrypt objects when the encryption method is set to SSE-KMS. If you do not specify this parameter, the default CMK is used to encrypt objects. If you want to use a specific CMK, use this parameter to configure the CMK ID.

  • Examples

    • Run the following command to set the default encryption method to SSE-OSS and the encryption algorithm to AES-256 for examplebucket:

      ./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm AES256
    • Run the following command to set the default encryption method to SSE-KMS, specify a CMK ID, and set the encryption algorithm to AES-256 for examplebucket:

      ./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm KMS --kms-masterkey-id 9468da86-3509-4f8d-a61e-6eab1eac****
    • If the following output is displayed, server-side encryption is configured for examplebucket:

      0.856895(s) elapsed

Query the server-side encryption configurations of a bucket

  • Command syntax

    ./ossutil64 bucket-encryption --method get oss://bucketName
  • Examples

    Run the following command to query the server-side encryption configurations of examplebucket:

    ./ossutil64 bucket-encryption --method get oss://examplebucket

    If the following output is displayed, the server-side encryption method configured for examplebucket is SSE-KMS, the CMK ID is not specified, and the encryption algorithm is AES-256:

    SSEAlgorithm:KMS
    KMSMasterKeyID:
    KMSDataEncryption:
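    As an added example (not part of this topic or of ossutil), the following POSIX shell helper parses the three-line output shown above and reports each bucket's effective encryption state, so a list of buckets can be checked against the method you expect. It assumes that an unencrypted bucket produces no SSEAlgorithm line, which this topic does not state, and it runs the get command through an OSSUTIL variable (default ./ossutil64) so the parser can be exercised offline on constructed sample output.

```shell
#!/bin/sh
# Audit helper for `ossutil64 bucket-encryption --method get` output.

# classify_encryption: reads the get-output on stdin and prints one of
#   AES256 | KMS-default | KMS:<cmk-id> | NONE | UNKNOWN:<value>
# Lines other than SSEAlgorithm/KMSMasterKeyID (for example the "(s) elapsed"
# timing line) are ignored.
# Assumption (not stated on the page): a bucket with no server-side encryption
# configuration yields no SSEAlgorithm line, which is reported as NONE.
classify_encryption() {
  alg="" keyid=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      SSEAlgorithm:*)   alg="${line#SSEAlgorithm:}" ;;
      KMSMasterKeyID:*) keyid="${line#KMSMasterKeyID:}" ;;
    esac
  done
  case "$alg" in
    AES256) echo "AES256" ;;
    KMS)    if [ -n "$keyid" ]; then echo "KMS:$keyid"; else echo "KMS-default"; fi ;;
    "")     echo "NONE" ;;
    *)      echo "UNKNOWN:$alg" ;;
  esac
}

# audit_bucket BUCKET EXPECTED: queries BUCKET through $OSSUTIL, prints
# "<bucket> <status>" and returns 0 only if the status equals EXPECTED.
OSSUTIL="${OSSUTIL:-./ossutil64}"
audit_bucket() {
  bucket="$1" expected="$2"
  status=$("$OSSUTIL" bucket-encryption --method get "oss://$bucket" | classify_encryption)
  printf '%s %s\n' "$bucket" "$status"
  [ "$status" = "$expected" ]
}

# Constructed sample outputs in the format this topic shows, for offline use.
SAMPLE_KMS_DEFAULT='SSEAlgorithm:KMS
KMSMasterKeyID:
KMSDataEncryption:'
SAMPLE_AES='SSEAlgorithm:AES256
KMSMasterKeyID:
KMSDataEncryption:
0.412133(s) elapsed'

# Offline check of the parser on the constructed samples:
printf '%s\n' "$SAMPLE_KMS_DEFAULT" | classify_encryption   # KMS-default
printf '%s\n' "$SAMPLE_AES" | classify_encryption           # AES256
```

    To audit real buckets, leave OSSUTIL unset and call audit_bucket once per bucket name, for example `audit_bucket examplebucket AES256`.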

Delete the server-side encryption configurations of a bucket

  • Command syntax

    ./ossutil64 bucket-encryption --method delete oss://bucketName
  • Examples

    Run the following command to delete the server-side encryption configurations of examplebucket:

    ./ossutil64 bucket-encryption --method delete oss://examplebucket

    If the following output is displayed, server-side encryption configurations are deleted for examplebucket:

    0.856686(s) elapsed

Common options

If the bucket is located in another region, add the -e option to the command to specify the endpoint of that region. If the bucket belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of that account and the -k option to specify its AccessKey secret.

For example, you can run the following command to set the encryption method to AES-256 for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:

./ossutil64 bucket-encryption --method put oss://examplebucket --sse-algorithm AES256 -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA**** -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about common options, see Common options.