Enabling or Disabling Bucket Encryption

You can enable encryption on new and existing buckets to ensure that all newly stored data is automatically encrypted for security and compliance purposes.

When encryption is enabled, all new objects in the bucket are automatically encrypted using a specified method through server-side encryption.

The server-side-encryption for your objects is handled by a default main cryptographic key linked to your account. This key is managed by 3DS OUTSCALE and cannot be modified or deleted. When enabling encryption on your objects, the main cryptographic key of your account generates a data key to encrypt your data. This process is called envelope encryption and ensures an additional layer of protection on your objects.

Once enabled, 3DS OUTSCALE fully manages the encryption process, requiring no additional action.

  • Only objects added after encryption is enabled will be encrypted; existing objects will remain unencrypted, as the encryption feature does not apply retroactively. If you want existing objects to be encrypted, you must manually re-upload them to the bucket after enabling encryption.

  • This command is not supported by directory buckets.

Enabling Bucket Encryption Using AWS CLI (s3api)

Request sample
$ aws s3api put-bucket-encryption \
    --profile YOUR_PROFILE \
    --debug \
    --bucket BUCKET \
    --content-md5 "1B2M2Y8AsgTpgAmY7PhCfg==" \
    --server-side-encryption-configuration file://path/to/configuration/file \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following options that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI.

  • bucket: The name of the bucket for which you want to enable encryption.

  • (optional) debug: When included, returns a detailed log of the operation. This is useful to analyze and troubleshoot issues you may be encountering.

  • server-side-encryption-configuration: The path to the JSON configuration file containing the rules to apply to your objects. For more information on how to write this file, see Bucket Encryption Configuration Reference.

  • (optional) content-md5: Provides a base64-encoded MD5 checksum of the configuration file to ensure the integrity of the data being sent. This value is verified against the MD5 of the payload it receives; if they do not match, the operation fails.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The bucket encryption is enabled.

Disabling Bucket Encryption Using AWS CLI (s3api)

Request sample
$ aws s3api delete-bucket-encryption \
    --profile YOUR_PROFILE \
    --bucket BUCKET \
    --debug \
    --endpoint https://oos.eu-west-2.outscale.com

This command contains the following options that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • bucket: The name of the bucket for which you want to disable encryption.

  • (optional) debug: When included, returns a detailed log of the operation. This is useful to analyze and troubleshoot issues you may be encountering.

  • endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.

The bucket encryption is disabled.

Related Pages

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.

Export to PDF