Oracle Cloud Infrastructure Documentation

Re-encrypting an Object Storage Object

Re-encrypt an object's data encryption keys with a different master encryption key in an Object Storage bucket.

You can re-encrypt the data encryption keys that encrypt an object by re-encrypting the object's data encryption keys with the latest version of the master encryption key assigned to the bucket. This re-encryption is possible whether it's an Oracle managed key or a key in a vault that you manage. You can also re-encrypt the object's data encryption keys with a different key in a vault or a different SSE-C key. If you use SSE-C keys, you must provide the SSE-C key during the object decryption and subsequent re-encryption process, as appropriate.

To re-encrypt an object, you need OBJECT_READ and OBJECT_OVERWRITE permissions. To re-encrypt an object that you encrypted with an SSE-C key, you must use the CLI to provide the SSE-C key to Object Storage for use during decryption and re-encryption, as appropriate.

If you receive an error, verify that you have the correct permissions. If you have access to the object, confirm that the object exists and hasn't recently been deleted. If you have permissions and the object exists, also confirm whether the object is encrypted with an SSE-C key.

For more information, see Object Storage Data Encryption.

    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
    2. Select the compartment from the list under List Scope. All buckets in that compartment are listed in tabular form.
    3. Click the bucket whose object you want to re-encrypt. The bucket's Details page appears.
    4. Click Objects under Resources. The Objects list appears. All folders and objects are listed in tabular form.
    5. Click the Actions menu (Actions Menu) next to the object name, and select Re-encrypt. The Re-encrypt Object dialog box appears.
    6. Perform one of the following tasks, depending on whether the key assigned to the bucket is an Oracle-managed key or a key in a vault that you manage:

      • For buckets encrypted with an Oracle-managed key, you can re-encrypt the object with the latest version of that key by clicking Use the key assigned to the bucket. Or, you can re-encrypt the object with a key in a vault by clicking Use a customer-managed key and then choosing a key from a compartment and vault that you have access to.

      • For buckets encrypted with a customer-managed key, you can re-encrypt the object with the latest version of that key by clicking Use the key assigned to the bucket. Or, you can re-encrypt the object with a different Vault key by clicking Use a different customer-managed key and then choosing another key from a compartment and vault that you have access to.

    7. Click Re-encrypt.

  • Use the oci os object reencrypt command and required parameters to re-encrypt an object's data encryption keys with the latest key version of the key assigned to the bucket:

    oci os object reencrypt --bucket-name bucket_name --name object_name

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt

    The object's data encryption keys are re-encrypted with no further information returned.

    Encryption Using an SSE-C Key

    You can re-encrypt an object's data encryption keys with an SSE-C key .

    oci os object reencrypt --bucket-name bucket_name --name object_name --encryption-key-file file_containing_base64-encoded_AES-256_key

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --encryption-key-file MySSE-CKey

    If the object's data encryption keys are currently encrypted with an SSE-C key, include the source-encryption-key-file parameter to also provide the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.

    oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey

    If the object is currently encrypted with an SSE-C key, and you want to encrypt the object's data encryption keys with a different SSE-C key, provide the file name of each key.

    oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key_currently_assigned --encryption-key-file file_containing_base64-encoded_AES-256_key_desired

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --encryption-key-file MyNewSSE-CKey

    Encryption Using a Vault Key

    To re-encrypt an object's data encryption keys with a specific Vault key, include the kms-key-id parameter.

    oci os object reencrypt --bucket-name bucket_name --name object_name --kms-key-id kms_key_OCID

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --kms-key-id ocid1.key.region1.sea.exampleaaacu2..exampleuniqueID

    Encryption Using Both SSE-C and Vault Keys

    If the key is encrypted with an SSE-C key and you are re-encrypting an object's data encryption keys with a specific Vault key, you must include the source-encryption-key-file parameter that provides the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.

    oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key --kms-key-id kms_key_OCID

    For example:

    oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --kms-key-id ocid1.key.region1.sea.exampleaaacu2..exampleuniqueID

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the ReencryptObject operation to re-encrypt an object's data encryption keys with the latest key version of the key assigned to the bucket.

    Object Storage prepends the Object Storage namespace string and bucket name to the object name when constructing a URL for use with the API:

    /n/object_storage_namespace/b/bucket/o/object_name

    The object name is everything after the /o/, which could include hierarchy levels and prefix strings.