Re-encrypting an Object Storage Bucket's Data Encryption Keys

Re-encrypt the unique data encryption key that encrypts each object written to an Object Storage bucket by using the most recent version of the master encryption key.

For more information, see Object Storage Data Encryption.

    1. On the Buckets list page, select the Object Storage bucket that you want to work with. If you need help finding the list page or the Object Storage bucket, see Listing Buckets.
    2. On the details page, select Re-encrypt.
      Note: If the Re-encrypt button isn't enabled, either the bucket is using a master encryption key managed by Oracle rather than a Vault master encryption key, or the bucket doesn't contain any objects.

    3. When prompted, confirm the re-encryption. Selecting Re-encrypt generates a work request to re-encrypt all data encryption keys associated with the bucket.

    The Work Requests Details dialog box displays information about the work request, including the percentage completed and the work request OCID. You can copy the work request OCID to monitor the request status later.

  • Use the oci os bucket reencrypt command and required parameters to re-encrypt the unique data encryption key that encrypts each object written to the bucket by using the most recent version of the master encryption key assigned to the bucket.

    oci os bucket reencrypt --name bucket_name [OPTIONS]

    For example:

    
    oci os bucket reencrypt --name MyBucket

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the ReencryptBucket operation to re-encrypt the unique data encryption key that encrypts each object written to the bucket by using the most recent version of the master encryption key assigned to the bucket.

    When accessing the Object Storage API, the bucket name is used with the Object Storage namespace name to form the request URL:

    n/object_storage_namespace/b/bucket
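
The following shell functions are an added example, not Oracle's code. They wrap the CLI command above with the key pre-check described in the Note and then poll the resulting work request by OCID. Assumptions: `oci os bucket get` reports the assigned key as `data."kms-key-id"`, the work request status ends as COMPLETED, FAILED or CANCELED, and the function names and `POLL_SECONDS` are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code): guard and monitor a bucket re-encryption.

# Succeeds only when the bucket has a Vault master encryption key assigned.
# Assumption: `oci os bucket get` reports that key as data."kms-key-id",
# which is null/empty when Oracle manages the key.
bucket_has_vault_key() {
    key=$(oci os bucket get --bucket-name "$1" \
            --query 'data."kms-key-id"' --raw-output) || return 2
    case "$key" in
        ocid1.*) return 0 ;;   # a key OCID is assigned
        *)       return 1 ;;   # Oracle-managed key
    esac
}

# Submit the re-encryption only when the pre-check passes.
reencrypt_bucket() {
    bucket_has_vault_key "$1" || {
        echo "skip $1: no Vault master encryption key (or lookup failed)" >&2
        return 1
    }
    oci os bucket reencrypt --name "$1"
}

# Poll a work request OCID until it reaches a terminal state.
# Assumption: data.status ends as COMPLETED, FAILED or CANCELED.
wait_work_request() {
    while :; do
        status=$(oci os work-request get --work-request-id "$1" \
                   --query 'data.status' --raw-output) || return 2
        case "$status" in
            COMPLETED)       return 0 ;;
            FAILED|CANCELED) return 1 ;;
        esac
        sleep "${POLL_SECONDS:-10}"
    done
}

# Usage (MyBucket is the page's example name; the OCID is whatever the
# reencrypt call or the Console reported):
#   reencrypt_bucket MyBucket
#   wait_work_request "$WORK_REQUEST_OCID"
```

The pre-check covers only the key condition from the Note; an empty bucket is not detected here.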