4.1.2 Encrypt Object Storage Buckets with a Customer Managed Key (CMK) (Automated)


Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.


From Console:

  1. Log in to the OCI Console.

  2. Select Storage from the Services menu.

  3. Select Buckets from under the Object Storage & Archive Storage section.

  4. Click an individual bucket under the Name heading.

  5. Click Assign next to Encryption Key: Oracle managed key.

  6. Select a Vault.

  7. Select a Master Encryption Key.

  8. Click Assign.

From CLI:

  1. Execute the following command:

    oci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>


Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Object Storage service to use keys on your behalf.

Required Policy:

Allow service objectstorage-<region_name>, to use keys in compartment <compartment-id> where = <key_ocid>
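
To find the buckets that still need the remediation above, the following added example (not part of the benchmark text) reads each bucket record through the OCI CLI and prints the update command for every bucket without a key assigned. It assumes the CLI's JSON output carries the key OCID in the `kms-key-id` field of the bucket record; the function names and the sample records are constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: the "data" objects of three `oci os bucket get` responses.
SAMPLE_BUCKETS = [
    {"name": "app-logs", "kms-key-id": None},
    {"name": "finance-exports", "kms-key-id": "ocid1.key.oc1..constructed-example"},
    {"name": "legacy-backup"},  # field absent: treated the same as null
]

def oci_data(*args):
    """Run an OCI CLI command and return the "data" member of its JSON output."""
    out = subprocess.run(["oci", *args], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)["data"] if out.strip() else []

def fetch_buckets(compartment_id):
    """List the compartment's buckets, then read each full bucket record."""
    summaries = oci_data("os", "bucket", "list",
                         "--compartment-id", compartment_id, "--all")
    return [oci_data("os", "bucket", "get", "--bucket-name", s["name"])
            for s in summaries]

def audit(buckets):
    """Return (compliant, findings): bucket names with and without a CMK."""
    compliant = [b["name"] for b in buckets if b.get("kms-key-id")]
    findings = [b["name"] for b in buckets if not b.get("kms-key-id")]
    return compliant, findings

def remediation(bucket_name):
    """Build the page's CLI command for one finding; the key stays a placeholder."""
    return ("oci os bucket update --bucket-name "
            f"{shlex.quote(bucket_name)} --kms-key-id <master-encryption-key-id>")

if __name__ == "__main__":
    # With a compartment OCID argument, query the tenancy; otherwise use the sample.
    buckets = fetch_buckets(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BUCKETS
    compliant, findings = audit(buckets)
    print(f"{len(compliant)} bucket(s) use a customer managed key")
    for name in findings:
        print(f"FAIL {name}: Oracle managed key -> {remediation(name)}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any bucket still uses an Oracle managed key, so it can gate a scheduled compliance job.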