Learn how the Object Storage service encrypts and decrypts all objects on the server using 256-bit Advanced Encryption Standard (AES-256).
Each object is encrypted with its own data encryption key. Data encryption keys are always encrypted with a master encryption key that's assigned to the bucket. Encryption is enabled by default and cannot be turned off. By default, Oracle manages the master encryption key.
In addition to this default encryption, you can use these strategies to encrypt data:
Use client-side encryption to encrypt objects with your own encryption keys before storing them in Object Storage buckets. One available option is to use the Amazon S3 Compatibility API together with the client-side object encryption support in the AWS SDK for Java. See Amazon S3 Compatibility API for more details about this SDK.
This topic provides the details for implementing and using server-side encryption with customer-provided keys (SSE-C).
About SSE-C
Using optional API headers, you can provide your own 256-bit AES encryption key that is used to encrypt and decrypt objects uploaded to and downloaded from Object Storage:
When you upload an object, you supply the encryption key. Object Storage encrypts the object using that key and immediately deletes the key.
When you want to download an object, you supply the same key that was used to encrypt the object and Object Storage decrypts and returns the object to you.
You manage the encryption keys and Object Storage manages the encryption and decryption.
Important
Object Storage does not store your encryption keys. You are responsible for tracking the key that is associated with each object and rotating the key as necessary. If you lose your encryption key, you cannot retrieve your object.
Scope and Constraints
Understand the following scope and constraints regarding SSE-C:
An SSE-C key cannot be associated with a bucket and can only be used to encrypt individual objects.
You can encrypt objects using your own encryption key using pre-authenticated requests. To retrieve an SSE-C encrypted object using a pre-authenticated request, you need to specify your encryption key.
To delete or rename an SSE-C encrypted object, you do not need to specify your encryption key.
You can only specify either a kmsKeyId or an sseCustomerKey in the ReencryptObject request payload, not both. If the request payload is empty, the object is encrypted using the encryption key assigned to the bucket. The bucket encryption mechanism can either be a master encryption key managed by Oracle or the Vault service.
You can only use the Object Storage APIs and the CLI to provide SSE-C keys. You can't use the Console to upload or retrieve objects using a customer-provided key.
Specifies the base64-encoded 256-bit encryption key to use to decrypt the source object.
opc-source-sse-customer-key-sha256
Specifies the base64-encoded SHA256 hash of the encryption key used to decrypt the source object.
Using the CLI for SSE-C
You can also use your own encryption keys to encrypt objects using the CLI.
You can supply your own encryption key using the optional parameter --encryption-key-file filename for the following commands:
oci os object put
oci os object get
oci os object head
oci os object resume-put
oci os object bulk-upload
oci os object bulk-download
oci os object copy
oci os object reencrypt
filename points to a file containing the base64-encoded string of the AES-256 encryption key. No other parameters are required. Object Storage decodes the key to compute the SHA256 hash of the encryption key.
If the source object is encrypted with an SSE-C key, you must also specify the optional parameter --source-encryption-key-file filename for the following commands:
oci os object copy
oci os object reencrypt
filename points to a file containing the base64-encoded string of the AES-256 source encryption key. No other parameters are required. Object Storage decodes the key to compute the SHA256 hash of the source encryption key.
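The following script is an added example, not part of the Oracle documentation or the oci CLI itself. It creates the base64-encoded key file that --encryption-key-file and --source-encryption-key-file expect, reproduces the SHA256-of-key value that Object Storage derives from it (the value carried by the *-sse-customer-key-sha256 headers), and wraps the put, get and reencrypt commands for upload, download and SSE-C key rotation. The namespace, bucket and object names are placeholders, and the oci wrappers assume a configured CLI.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): SSE-C key files for the
# oci CLI and the hash Object Storage derives from them.
set -eu

# Write a fresh random 256-bit AES key to KEYFILE as a base64 string,
# readable only by the current user. This is the file format that
# --encryption-key-file and --source-encryption-key-file expect.
make_sse_key_file() {
  ( umask 077; openssl rand -base64 32 > "$1" )
}

# True if KEYFILE decodes to exactly 32 bytes (256 bits); anything else
# is rejected by the service, so check before uploading.
check_key_len() {
  [ "$(base64 -d < "$1" | wc -c | tr -d ' ')" -eq 32 ]
}

# Base64 of SHA-256 over the raw (decoded) key bytes: the value the CLI
# computes for you and that the *-sse-customer-key-sha256 headers carry.
key_sha256_b64() {
  base64 -d < "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n'
}

# Placeholders; replace with your own namespace and bucket.
NS="my-namespace"
BUCKET="my-bucket"

# sse_put LOCALFILE OBJECTNAME KEYFILE: upload with a customer-provided key.
sse_put() {
  oci os object put --namespace "$NS" --bucket-name "$BUCKET" \
    --file "$1" --name "$2" --encryption-key-file "$3"
}
# sse_get OBJECTNAME LOCALFILE KEYFILE: the same key used at upload is required.
sse_get() {
  oci os object get --namespace "$NS" --bucket-name "$BUCKET" \
    --name "$1" --file "$2" --encryption-key-file "$3"
}
# sse_rotate OBJECTNAME OLDKEYFILE NEWKEYFILE: re-encrypt under a new SSE-C key;
# the old key is passed as the source key, the new one as the target key.
sse_rotate() {
  oci os object reencrypt --namespace "$NS" --bucket-name "$BUCKET" \
    --name "$1" --source-encryption-key-file "$2" --encryption-key-file "$3"
}

# Offline demonstration: mint a key file and show the derived hash.
tmp=$(mktemp -d)
make_sse_key_file "$tmp/object.key"
check_key_len "$tmp/object.key"
echo "key sha256 (base64): $(key_sha256_b64 "$tmp/object.key")"
```

Keep a record of which key file encrypted which object: the service stores neither the key nor its hash, and a lost key file makes the object unrecoverable.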
Using Your Own Keys in Vault for Server-Side Encryption
This topic provides the details for implementing server-side encryption using your own keys in Vault.
The Oracle Cloud Infrastructure Object Storage service encrypts your data and metadata (customer-provided key value pairs) using randomly generated Data Encryption Keys (DEKs). Object Storage allows you to specify your own Master Encryption Key (MEK) managed by the Vault service for buckets (See Using the Console) and individual objects. You can specify the MEK to be used for a given object without having to maintain and manage your own keys.
The examples in this section use the full syntax for parameters, for example --namespace and --bucket-name. Sometimes there are shortened parameter terms that you can use instead of the full ones, for example -ns for --namespace and -bn for --bucket-name. The CLI online --help for a particular command displays the shortened parameters that you can use.
If you've rotated a master encryption key since the time you assigned it to a bucket, you might want to re-encrypt the bucket. Until you explicitly re-encrypt a bucket, the key version associated with the bucket when an object was inserted into the bucket continues to decrypt all data encryption keys.
To encrypt and decrypt all data encryption keys with the same, most recent version of the assigned master encryption key, re-encrypt the bucket. See Re-encrypting a Bucket's Data Encryption for more information.
Object Re-encryption
To encrypt and decrypt an object's data encryption keys with a different master encryption key, you can re-encrypt the object. When re-encrypting an object, you can select either a different key from the one assigned to the bucket or the most recent version of the key assigned to the bucket. Until you explicitly re-encrypt an object, the key version associated with the bucket (when the object was inserted into the bucket) continues to decrypt all the object's data encryption keys.
You can re-encrypt an object's data encryption keys with a key managed by Oracle, a key that you created and control through a vault that you manage, or a customer-provided encryption key (SSE-C).
Note
If you use server-side encryption with customer-provided keys (SSE-C), you must use the CLI to provide the SSE-C key during the encryption or re-encryption process. Using the CLI, you can re-encrypt an object with a different SSE-C key, a key managed by Oracle, or a key that you manage through the Vault service. In the Console, you can only re-encrypt an object to use the latest version of the Oracle-managed key assigned to the bucket or the latest version of a Vault key. It doesn't matter whether the chosen key version is the one assigned to the bucket.