Assigning a Key to an Object Storage Bucket
Assign a Vault master encryption key to an Object Storage bucket.
You can encrypt the data encryption keys that encrypt the objects in a bucket by using your own Vault master encryption key. By default, buckets are encrypted with keys managed by Oracle. For more information, see Object Storage Data Encryption and Overview of Vault.
Important
Buckets in a security zone can't use the default encryption key managed by Oracle. You must use your own Vault master encryption key.
Use the oci os bucket update command and required parameters to assign a Vault key to a bucket.
oci os bucket update --name bucket_name --kms-key-id kms_key_id [OPTIONS]
where kms_key_id is the OCID of the key versions that contain the cryptographic material used to encrypt and decrypt data, protecting the data where the data is stored.
If you're updating the key, run the same oci os bucket update command with the updated kms_key_id value.
For example:
oci os bucket update --name MyKeyBucket --kms-key-id ocid1.key.region1.sea..exampleuniqueID
{
  "data": {
    "approximate-count": null,
    "approximate-size": null,
    "auto-tiering": null,
    "compartment-id": "ocid.compartment.oc1..exampleuniqueID",
    "created-by": "ocid1.user.oc1..exampleuniqueID",
    "defined-tags": {},
    "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32",
    "freeform-tags": {},
    "id": "ocid1.bucket.oc1..exampleuniqueID",
    "is-read-only": false,
    "kms-key-id": "ocid1.key.region1.sea..exampleuniqueID",
    "metadata": {},
    "name": "MyKeyBucket",
    "namespace": "MyNamespace",
    "object-events-enabled": false,
    "object-lifecycle-policy-etag": null,
    "public-access-type": "NoPublicAccess",
    "replication-enabled": false,
    "storage-tier": "Standard",
    "time-created": "2020-06-29T23:00:35.490000+00:00",
    "versioning": "Disabled"
  },
  "etag": "e7f29fdd-b5f5-42e5-a98b-80883f9f2f32"
}
See Overview of Vault for more details.
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
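To confirm that the assignment took effect, the kms-key-id field in the command's JSON response can be checked against the key you intended. The following Python check is an added example, not part of Oracle's documentation: it reads saved responses in the shape shown above and reports buckets whose kms-key-id is missing or differs from the expected key. The sample responses, the bucket names other than MyKeyBucket, the second key OCID, and the reading of a null kms-key-id as "still on the Oracle-managed key" are assumptions.

```python
import json

# Constructed sample input: trimmed responses in the shape the CLI prints.
# LegacyBucket, OtherBucket and the second key OCID are hypothetical.
SAMPLE_RESPONSES = [
    '{"data": {"name": "MyKeyBucket", '
    '"kms-key-id": "ocid1.key.region1.sea..exampleuniqueID"}}',
    '{"data": {"name": "LegacyBucket", "kms-key-id": null}}',
    '{"data": {"name": "OtherBucket", '
    '"kms-key-id": "ocid1.key.region1.sea..constructedOtherID"}}',
]


def check_bucket_key(response_text, expected_key_id):
    """Return (bucket name, status) for one CLI response.

    status is 'ok', 'oracle-managed', 'wrong-key' or 'malformed'.
    """
    try:
        data = json.loads(response_text)["data"]
        name = data["name"]
    except (ValueError, KeyError, TypeError):
        return ("<unknown>", "malformed")
    key_id = data.get("kms-key-id")
    if not key_id:
        # Assumption: a null or absent kms-key-id means the bucket still
        # uses the default key managed by Oracle.
        return (name, "oracle-managed")
    if key_id != expected_key_id:
        return (name, "wrong-key")
    return (name, "ok")


def audit(responses, expected_key_id):
    """Return {bucket name: status} for every bucket that is not 'ok'."""
    findings = {}
    for text in responses:
        name, status = check_bucket_key(text, expected_key_id)
        if status != "ok":
            findings[name] = status
    return findings


if __name__ == "__main__":
    expected = "ocid1.key.region1.sea..exampleuniqueID"
    for bucket, status in audit(SAMPLE_RESPONSES, expected).items():
        print(f"{bucket}: {status}")
```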
This task can't be performed using the API.