Assigning a Key to a Bucket
Assign a Vault master encryption key to a bucket. You can encrypt the data encryption keys that encrypt the objects in a bucket by using your own Vault master encryption key. By default, buckets are encrypted with keys managed by Oracle.
For more information, see Encrypting Data and Overview of Vault.
Important
Buckets in a security zone can't use the default encryption key managed by Oracle. You must use your own Vault master encryption key.
oci os bucket create --namespace <object_storage_namespace> --name <bucket_name> --compartment-id <target_compartment_id> --kms-key-id <target_key_id>
<target_key_id> is the ID of the key versions that contain the cryptographic material used to encrypt and decrypt data, protecting the data where the data is stored.
For example:
oci os bucket create --namespace MyNamespace --name MyKeyBucket --compartment-id ocid.compartment.oc1..exampleuniqueID --kms-key-id ocid1.key.region1.sea..exampleuniqueID

{
  "data": {
    "approximate-count": null,
    "approximate-size": null,
    "auto-tiering": null,
    "compartment-id": "ocid.compartment.oc1..exampleuniqueID",
    "created-by": "ocid1.user.oc1..exampleuniqueID",
    "defined-tags": {},
    "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32",
    "freeform-tags": {},
    "id": "ocid1.bucket.oc1..exampleuniqueID",
    "is-read-only": false,
    "kms-key-id": "ocid1.key.region1.sea..exampleuniqueID",
    "metadata": {},
    "name": "MyKeyBucket",
    "namespace": "MyNamespace",
    "object-events-enabled": false,
    "object-lifecycle-policy-etag": null,
    "public-access-type": "NoPublicAccess",
    "replication-enabled": false,
    "storage-tier": "Standard",
    "time-created": "2020-06-29T23:00:35.490000+00:00",
    "versioning": "Disabled"
  },
  "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32"
}
See Overview for more details.
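To confirm that a bucket uses a Vault master encryption key rather than the default Oracle-managed key, the "kms-key-id" field of the CLI's JSON response can be checked against the keys you expect. The following is an added example, not Oracle's code: the helper names, status strings, approved-key set and sample responses are assumptions constructed here, and it assumes a null "kms-key-id" means the default Oracle-managed key is in use.

```python
import json

# Constructed sample responses, shaped like the CLI output shown above.
KEY = "ocid1.key.region1.sea..exampleuniqueID"
SAMPLES = [
    '{"data": {"name": "MyKeyBucket", "kms-key-id": "%s"}}' % KEY,
    '{"data": {"name": "DefaultKeyBucket", "kms-key-id": null}}',
    '{"data": {"name": "OtherKeyBucket", '
    '"kms-key-id": "ocid1.key.region1.sea..otherexampleID"}}',
    '{"data": {"name": "Broken" "kms-key-id": null}}',  # missing comma
]


def check_bucket_key(response_text, approved_keys):
    """Classify one bucket response (hypothetical helper).

    Returns (bucket_name, status), where status is one of:
      vault-key       - kms-key-id is set and is an approved key
      unapproved-key  - kms-key-id is set but not in approved_keys
      oracle-managed  - kms-key-id is null or absent (assumed to mean
                        the default Oracle-managed key)
      unparseable     - the response is not valid JSON of this shape
    """
    try:
        data = json.loads(response_text)["data"]
        name = data["name"]
        key_id = data.get("kms-key-id")
    except (ValueError, KeyError, TypeError, AttributeError):
        # Fail closed: a response that cannot be read proves nothing.
        return (None, "unparseable")
    if not key_id:
        return (name, "oracle-managed")
    if key_id not in approved_keys:
        return (name, "unapproved-key")
    return (name, "vault-key")


def audit(responses, approved_keys):
    """Return only the buckets that fail the check."""
    results = [check_bucket_key(r, approved_keys) for r in responses]
    return [r for r in results if r[1] != "vault-key"]


if __name__ == "__main__":
    for name, status in audit(SAMPLES, {KEY}):
        print(name, status)
```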
This task is not available in the API.