All Products
Search

This Product

    Object Storage Service:GetBucketEncryption

    Document Center

    Object Storage Service:GetBucketEncryption

    Last Updated:Jun 03, 2026

    Queries the server-side encryption rules configured for a bucket.

    Notes

    Calling GetBucketEncryption requires the oss:GetBucketEncryption permission. For more information, see Common examples of RAM policies.

    Note

    Only the bucket owner or authorized RAM users can query bucket encryption rules. Other users receive a 403 error. For more information about bucket encryption, see Server-side encryption.

    Request structure

    Get /? encryption HTTP/1.1
Date: GMT Date
Host: BucketName.oss.aliyuncs.com
Authorization: SignatureValue

    Request headers

    This request uses only common request headers. For more information, see Common request headers.

    Response headers

    This response uses only common response headers. For more information, see Common response headers.

    Response elements

    Element

    Type

    Example

    Description

    ServerSideEncryptionRule

    Container

    N/A

    Container for server-side encryption rules.

    Child node: ApplyServerSideEncryptionByDefault

    ApplyServerSideEncryptionByDefault

    Container

    N/A

    Container for the default server-side encryption method.

    Child nodes: SSEAlgorithm and KMSMasterKeyID

    SSEAlgorithm

    String

    KMS

    Default server-side encryption method.

    Valid values: KMS and AES256

    KMSMasterKeyID

    String

    9468da86-3509-4f8d-a61e-6eab1eac****

    CMK ID used for encryption.

    Returned only when SSEAlgorithm is KMS and a CMK ID is specified. Otherwise null.

    Examples

    • Sample request 

      Get /? encryption HTTP/1.1
Date: Thu, 17 Apr 2025 11:20:10 GMT
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Authorization: OSS4-HMAC-SHA256 Credential=LTAI********************/20250417/cn-hangzhou/oss/aliyun_v4_request,Signature=a7c3554c729d71929e0b84489addee6b2e8d5cb48595adfc51868c299c0c218e

    • Sample response

      The following response indicates that SSE-KMS is configured for the bucket.

      HTTP/1.1 204 NoContent
x-oss-request-id: 5C1B138A109F4E405B2D8AEF
Date: Tue, 20 Dec 2018 11:22:05 GMT
<? xml version="1.0" encoding="UTF-8"? >
<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID>9468da86-3509-4f8d-a61e-6eab1eac****</KMSMasterKeyID>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>

    OSS SDKs

    Call GetBucketEncryption with the following OSS SDKs:

    ossutil

    For information about the ossutil command that corresponds to the GetBucketEncryption operation, see get-bucket-encryption.

    Error codes

    Error code

    HTTP status code

    Description

    AccessDenied

    403

    You do not have permission to query encryption rules for this bucket.

    NoSuchBucket

    400

    The specified bucket does not exist.

    NoSuchServerSideEncryptionRule

    400

    No encryption rules are configured for this bucket.