Re-encrypting an Object Storage Object
Re-encrypt an object's data encryption keys with a different master encryption key in an Object Storage bucket.
You can re-encrypt the data encryption keys that encrypt an object by re-encrypting the object's data encryption keys with the latest version of the master encryption key assigned to the bucket. This re-encryption is possible whether it's an Oracle managed key or a key in a vault that you manage. You can also re-encrypt the object's data encryption keys with a different key in a vault or a different SSE-C key. If you use SSE-C keys, you must provide the SSE-C key during the object decryption and subsequent re-encryption process, as appropriate.
To re-encrypt an object, you need OBJECT_READ and OBJECT_OVERWRITE permissions. To re-encrypt an object that you encrypted with an SSE-C key, you must use the CLI to provide the SSE-C key to Object Storage for use during decryption and re-encryption, as appropriate.
If you receive an error, verify that you have the correct permissions. If you have access to the object, confirm that the object exists and hasn't recently been deleted. If you have permissions and the object exists, also confirm whether the object is encrypted with an SSE-C key.
For more information, see Object Storage Data Encryption.
Use the oci os object reencrypt command and required parameters to re-encrypt an object's data encryption keys with the latest key version of the key assigned to the bucket:
oci os object reencrypt --bucket-name bucket_name --name object_name
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt
The object's data encryption keys are re-encrypted with no further information returned.
Encryption Using an SSE-C Key
You can re-encrypt an object's data encryption keys with an SSE-C key .
oci os object reencrypt --bucket-name bucket_name --name object_name --encryption-key-file file_containing_base64-encoded_AES-256_key
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --encryption-key-file MySSE-CKey
If the object's data encryption keys are currently encrypted with an SSE-C key, include the
source-encryption-key-file
parameter to also provide the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey
If the object is currently encrypted with an SSE-C key, and you want to encrypt the object's data encryption keys with a different SSE-C key, provide the file name of each key.
oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key_currently_assigned --encryption-key-file file_containing_base64-encoded_AES-256_key_desired
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --encryption-key-file MyNewSSE-CKey
Encryption Using a Vault Key
To re-encrypt an object's data encryption keys with a specific Vault key, include the
kms-key-id
parameter.oci os object reencrypt --bucket-name bucket_name --name object_name --kms-key-id kms_key_OCID
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --kms-key-id ocid1.key.region1.sea.exampleaaacu2..exampleuniqueID
Encryption Using Both SSE-C and Vault Keys
If the key is encrypted with an SSE-C key and you are re-encrypting an object's data encryption keys with a specific Vault key, you must include the
source-encryption-key-file
parameter that provides the name of the file that contains the base64-encoded string of the AES-256 source encryption key to first decrypt the object.oci os object reencrypt --bucket-name bucket_name --name object_name --source-encryption-key-file file_containing_base64-encoded_AES-256_key --kms-key-id kms_key_OCID
For example:
oci os object reencrypt --bucket-name MyBucket --name MyFile.txt --source-encryption-key-file MySSE-CKey --kms-key-id ocid1.key.region1.sea.exampleaaacu2..exampleuniqueID
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Run the ReencryptObject operation to re-encrypt an object's data encryption keys with the latest key version of the key assigned to the bucket.
Object Storage prepends the Object Storage namespace string and bucket name to the object name when constructing a URL for use with the API:
/n/object_storage_namespace/b/bucket/o/object_name
The object name is everything after the
/o/
, which could include hierarchy levels and prefix strings.