Assigning a Key to an Object Storage Bucket

Assign a Vault master encryption key to an Object Storage bucket.

You can encrypt the data encryption keys that encrypt the objects in a bucket by using your own Vault master encryption key. By default, buckets are encrypted with keys managed by Oracle. For more information, see Object Storage Data Encryption and Overview of Vault.
Important

Buckets in a security zone can't use the default encryption key managed by Oracle. You must use your own Vault master encryption key.
    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
    2. Select the compartment from the list under List Scope. All buckets in that compartment are listed in tabular form.
    3. Click the bucket that you want to encrypt. The bucket's Details page appears.
    4. Find Encryption Key and perform one of the following actions:
      • If the bucket is encrypted with a key managed by Oracle, click Assign. The Assign Master Encryption Key dialog box appears.

      • If the bucket already has a Vault master encryption key assigned, to assign a different key, click Edit. The Edit Master Encryption Key dialog box appears.

    5. Provide or update the following information in the dialog box that opens:
      • The Vault compartment and vault that contain the master encryption key you want to use. The current compartment is displayed by default.

      • The master encryption key compartment and master encryption key. The current compartment is displayed by default.

    6. Click Assign or Edit.
  • Use the oci os bucket update command and required parameters to assign a Vault key to a bucket.

    oci os bucket update --name bucket_name --kms-key-id kms_key_id [OPTIONS]

    where kms_key_id is the OCID of the Vault master encryption key. The key's versions contain the cryptographic material used to encrypt and decrypt the bucket's data, protecting the data where it is stored.

    For example:

    oci os bucket update --name MyKeyBucket --kms-key-id ocid1.key.region1.sea..exampleuniqueID
    {
      "data": {
        "approximate-count": null,
        "approximate-size": null,
        "auto-tiering": null,
        "compartment-id": "ocid.compartment.oc1..exampleuniqueID",
        "created-by": "ocid1.user.oc1..exampleuniqueID",
        "defined-tags": {},
        "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32",
        "freeform-tags": {},
        "id": "ocid1.bucket.oc1..exampleuniqueID",
        "is-read-only": false,
        "kms-key-id": "ocid1.key.region1.sea..exampleuniqueID",
        "metadata": {},
        "name": "MyKeyBucket",
        "namespace": "MyNamespace",
        "object-events-enabled": false,
        "object-lifecycle-policy-etag": null,
        "public-access-type": "NoPublicAccess",
        "replication-enabled": false,
        "storage-tier": "Standard",
        "time-created": "2020-06-29T23:00:35.490000+00:00",
        "versioning": "Disabled"
      },
      "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32"
    }
    If you're updating the key, run the same oci os bucket update command with the updated kms_key_id value.

    See Overview of Vault for more details.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
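    The following is an added example, not part of this page or of Oracle's tooling: a small audit that reads bucket records in the JSON shape shown above and reports which buckets are still encrypted with the Oracle-managed default key (the ones that would violate a security zone's requirement, or that a team would want to move to a Vault key with oci os bucket update). It assumes that kms-key-id is null for a bucket using the default key, that a Vault key OCID begins with ocid1.key. as in the example above (used only as a sanity heuristic), and that oci os bucket get --name returns the same record shape; the sample records and their OCIDs are constructed placeholders.

```python
import json
import subprocess
from typing import Iterable

# Constructed sample records in the shape of `oci os bucket get` output.
# Only the fields this check reads are included; OCIDs are placeholders.
SAMPLE_RESPONSES = [
    {"data": {"name": "MyKeyBucket",
              "kms-key-id": "ocid1.key.region1.sea..exampleuniqueID",
              "compartment-id": "ocid1.compartment.oc1..exampleuniqueID"}},
    {"data": {"name": "logs-bucket",
              "kms-key-id": None,  # assumption: null means Oracle-managed key
              "compartment-id": "ocid1.compartment.oc1..exampleuniqueID"}},
    {"data": {"name": "odd-bucket",
              "kms-key-id": "ocid1.vault.oc1..notakey",  # constructed: not a key OCID
              "compartment-id": "ocid1.compartment.oc1..exampleuniqueID"}},
]


def key_status(response: dict) -> dict:
    """Classify one bucket by the encryption key assigned to it.

    A null `kms-key-id` is taken to mean the bucket relies on the default key
    managed by Oracle; otherwise the field holds the OCID of the customer's
    Vault master encryption key. The `ocid1.key.` prefix check is a sanity
    heuristic (assumption based on the page's example OCID), catching values
    that are set but are clearly not a key OCID.
    """
    data = response["data"]
    key_id = data.get("kms-key-id")
    if not key_id:
        status = "oracle-managed"
    elif key_id.startswith("ocid1.key."):
        status = "customer-managed"
    else:
        status = "unexpected-key-id"
    return {"name": data["name"], "kms_key_id": key_id, "status": status}


def audit(responses: Iterable[dict]) -> list:
    """Return the buckets that do not have a customer-managed Vault key.

    In a security zone these are policy violations; elsewhere they are the
    buckets to reassign with `oci os bucket update --name ... --kms-key-id ...`.
    """
    return [s for s in map(key_status, responses) if s["status"] != "customer-managed"]


def fetch_bucket(name: str) -> dict:
    """Fetch one bucket record with the real CLI (not executed in this example).

    Assumes a configured OCI CLI and that `oci os bucket get --name <bucket>`
    returns the same JSON shape as the `oci os bucket update` output above;
    bucket names can be collected with `oci os bucket list --compartment-id`.
    """
    out = subprocess.run(
        ["oci", "os", "bucket", "get", "--name", name],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_bucket() output for real data.
    for finding in audit(SAMPLE_RESPONSES):
        print(f"{finding['name']}: {finding['status']} (kms-key-id={finding['kms_key_id']})")
```

    Feeding the audit with records from fetch_bucket() for every bucket in a compartment gives a quick inventory of which buckets still depend on the Oracle-managed default key before a security zone or key-rotation policy is enforced.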

  • This task can't be performed using the API.