Re-encrypting an Object

To encrypt and decrypt an object's data encryption keys with a different master encryption key, you can re-encrypt the object in Object Storage.

For more information, see Encrypting Data.

Tip

To re-encrypt an object, you need OBJECT_READ and OBJECT_OVERWRITE permissions. To re-encrypt an object that you encrypted with an SSE-C key, you must use the CLI to provide the SSE-C key to Object Storage for use during decryption and re-encryption, as appropriate.
    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
    2. Choose the compartment that contains the bucket, and then click the name of the bucket that contains the object.
    3. In the Objects table, expand folders and subfolders as needed to find the object that you want to re-encrypt.
    4. Click the Actions menu to the right of the object name, and select Re-encrypt.
    5. Perform one of the following, depending on whether the key assigned to the bucket is an Oracle-managed key or a key in a vault that you manage:
      • For buckets encrypted with an Oracle-managed key, you can re-encrypt the object with the latest version of that key by clicking Use the key assigned to the bucket. Or, you can re-encrypt the object with a key in a vault by clicking Use a customer-managed key and then choosing a key from a compartment and vault that you have access to.
      • For buckets encrypted with a customer-managed key, you can re-encrypt the object with the latest version of that key by clicking Use the key assigned to the bucket. Or, you can re-encrypt the object with a different Vault key by clicking Use a different customer-managed key and then choosing another key from a compartment and vault that you have access to.
    6. Click Re-encrypt to re-encrypt all data encryption keys associated with the object.

    If you receive an error, verify that you have the correct permissions. If you have access to the object, confirm that the object exists and has not recently been deleted. If you have permissions and the object exists, also confirm whether the object is encrypted with an SSE-C key. To re-encrypt an object that you encrypted with an SSE-C key, you must use the CLI to provide the SSE-C key to the Object Storage service for use during decryption and re-encryption, as appropriate.

  • Tip

    You need OBJECT_READ and OBJECT_OVERWRITE permissions to re-encrypt an object.

    You can re-encrypt the data encryption keys that encrypt an object with the latest version of the master encryption key assigned to the bucket, whether it's an Oracle-managed key or a key in a vault that you manage. You can also re-encrypt the object's data encryption keys with a different key in a vault or a different SSE-C key. If you use SSE-C keys, you must provide the SSE-C key during the object decryption and subsequent re-encryption process, as appropriate.

    You can re-encrypt an object's data encryption keys with the latest key version of the key assigned to the bucket.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt

    The object's data encryption keys are re-encrypted with no further information returned.
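    A common reason to run this command is that the Vault key assigned to the bucket was rotated to a new version and every existing object should pick up that version. The following POSIX shell script is an added example, not code from the Oracle documentation: it reads object names one per line from stdin and runs the reencrypt command shown above for each, counting failures so a scheduled job fails visibly. The function names, the DRY_RUN variable and the sample object names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): re-encrypt every object named
# on stdin with the key currently assigned to the bucket, e.g. after that Vault
# key was rotated to a new version. Listing is kept separate from re-encryption
# so the list can be reviewed before anything is changed.
set -eu

# Run one reencrypt call for one object. With DRY_RUN=1 (an assumed variable)
# the command is printed instead of executed.
reencrypt_with_bucket_key() {
  ns="$1"; bucket="$2"; name="$3"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'oci os object reencrypt --namespace %s --bucket-name %s --name %s\n' \
      "$ns" "$bucket" "$name"
  else
    oci os object reencrypt --namespace "$ns" --bucket-name "$bucket" --name "$name"
  fi
}

# Read object names from stdin (one per line), re-encrypt each, and return
# non-zero if any object failed so the caller notices.
reencrypt_all_from_stdin() {
  ns="$1"; bucket="$2"
  ok=0; failed=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if reencrypt_with_bucket_key "$ns" "$bucket" "$name"; then
      ok=$((ok + 1))
    else
      # Typical causes: missing OBJECT_READ/OBJECT_OVERWRITE, the object was
      # deleted, or it is SSE-C encrypted and needs --source-encryption-key-file.
      printf 'failed: %s\n' "$name" >&2
      failed=$((failed + 1))
    fi
  done
  printf '%d re-encrypted, %d failed\n' "$ok" "$failed" >&2
  [ "$failed" -eq 0 ]
}

# Constructed sample run in dry-run mode; in production pipe in the output of
# `oci os object list --namespace NS --bucket-name B --all --query 'data[].name'`
# (a JSON array; assumed here to be flattened to one name per line with jq -r '.[]').
if [ "${DRY_RUN:-0}" = "1" ] && [ "${0##*/}" != "sh" ]; then
  printf 'reports/2024/q1.csv\nlogs/app.log\n' | reencrypt_all_from_stdin MyNamespace MyBucket
fi
```

Re-encrypting only rewraps the object's data encryption keys, so the loop is cheap even for large objects; the thing to watch is the failure count, since an SSE-C encrypted object in a bucket that otherwise uses a Vault key will fail here and must be handled with the `--source-encryption-key-file` form described below.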

    If the object's data encryption keys are currently encrypted with an SSE-C key, you must also provide the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name> --source-encryption-key-file <name_of_file_containing_base64-encoded_AES-256_key>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey

    You can re-encrypt an object's data encryption keys with a specific Vault key.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name> --kms-key-id <key_OCID>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

    Again, if the object's data encryption keys are currently encrypted with an SSE-C key, you must also provide the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name> --source-encryption-key-file <name_of_file_containing_base64-encoded_AES-256_key> --kms-key-id <key_OCID>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --kms-key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq

    You can re-encrypt an object's data encryption keys with an SSE-C key.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name> --encryption-key-file <name_of_file_containing_base64-encoded_AES-256_key>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt --encryption-key-file MySSE-CKey

    If the object is currently encrypted with an SSE-C key, and you want to encrypt the object's data encryption keys with a different SSE-C key, provide the file name of each key.

    oci os object reencrypt --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <object_name> --source-encryption-key-file <name_of_file_containing_base64-encoded_AES-256_key_currently_assigned> --encryption-key-file <name_of_file_containing_base64-encoded_AES-256_key_desired>

    For example:

    oci os object reencrypt --namespace MyNamespace --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --encryption-key-file MyNewSSE-CKey
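    The SSE-C variants above all depend on a key file holding the base64-encoded AES-256 key, and a rotation only succeeds if both the current and the new file are well-formed. The following POSIX shell script is an added example, not code from the Oracle documentation: it generates a new key file with owner-only permissions, checks that a key file decodes to exactly 32 bytes, and then runs the two-key reencrypt command shown above. The function names, the DRY_RUN variable and the use of /dev/urandom and the system base64 tool are assumptions.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): rotate the SSE-C key on one
# object. Object Storage needs the key file supplied on each request and does
# not keep the key, so the old file must stay available until the re-encrypt
# call has succeeded, and the new file must never be lost afterwards.
set -eu

# Write 32 random bytes, base64-encoded on a single line, to a file that only
# the current user can read. Refuses to overwrite, so an existing key file that
# may still be the only way to decrypt an object is never clobbered.
make_sse_c_key_file() {
  file="$1"
  [ ! -e "$file" ] || { printf 'refusing to overwrite %s\n' "$file" >&2; return 1; }
  ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$file" )
  [ -s "$file" ]
}

# Return 0 only if the file is readable and its base64 content decodes to
# exactly 32 bytes (AES-256); a 16- or 24-byte key, or junk, is rejected
# before the CLI is ever called with it.
check_sse_c_key_file() {
  file="$1"
  [ -r "$file" ] || return 1
  n=$(base64 -d < "$file" 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Rotate: the old file decrypts, the new file encrypts. With DRY_RUN=1 (an
# assumed variable) the command is printed instead of executed.
rotate_sse_c_key() {
  ns="$1"; bucket="$2"; name="$3"; old="$4"; new="$5"
  check_sse_c_key_file "$old" || { printf 'bad source key file: %s\n' "$old" >&2; return 1; }
  make_sse_c_key_file "$new"
  check_sse_c_key_file "$new" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'oci os object reencrypt --namespace %s --bucket-name %s --name %s --source-encryption-key-file %s --encryption-key-file %s\n' \
      "$ns" "$bucket" "$name" "$old" "$new"
  else
    oci os object reencrypt --namespace "$ns" --bucket-name "$bucket" --name "$name" \
      --source-encryption-key-file "$old" --encryption-key-file "$new"
  fi
}
```

Usage: `DRY_RUN=1 rotate_sse_c_key MyNamespace MyBucket MyFile.txt MySSE-CKey MyNewSSE-CKey` prints the exact command the page shows, with the key material staying in the files rather than on the command line or in shell history. Only after the real call has returned without error should the old key file be retired, and the new file needs the same backup discipline as any other secret, because without it the object can no longer be read.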
  • For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

    Object Storage prepends the Object Storage namespace string and bucket name to the object name when constructing a URL for use with the API:
    /n/<object_storage_namespace>/b/<bucket>/o/<object_name>

    The object name is everything after the /o/, which could include hierarchy levels and prefix strings.

    Use the following API operations to manage objects:

    ReencryptObject