mc encrypt set
The mc encrypt set command sets or updates the default bucket Server-Side Encryption (SSE) mode.
AIStor automatically encrypts objects written to that bucket using the specified SSE mode.
mc encrypt set only supports SSE-KMS and SSE-S3.
Syntax
Parameters
ENCRYPTION
Specify the server-side encryption type to use as the default SSE mode. Supports the following values:
| SSE | Description |
|---|---|
| sse-kms | Encrypt objects using the key specified in mc encrypt set KMSKEY. |
| sse-s3 | Encrypt objects using the key specified by MINIO_KMS_KES_KEY_NAME. |
KMSKEY
Specify the KMS External Key to use for performing SSE-KMS object encryption.
Omit this option to direct AIStor to use the MINIO_KMS_KES_KEY_NAME for SSE-KMS encryption in the bucket.
ALIAS
The full path to the bucket on which to set the default SSE mode.
Specify the alias of the AIStor deployment as the prefix to the TARGET path.
For example:
mc encrypt set ENCRYPTION [KMSKEY] play/mybucket
Global Flags
This command supports any of the global flags.
Examples
Enable Automatic Server-Side Bucket Encryption
The following command sets the default encryption for the data bucket on the myminio AIStor deployment to SSE-KMS using the key minio-encryption-key:
- The Object Store configuration supports SSE-KMS.
- The root has an encryption key minio-encryption-key.
mc encrypt set sse-kms minio-encryption-key myminio/data
Behavior
mc encrypt set makes no assumptions about the AIStor server’s current encryption state.
Specifying default encryption settings which the server cannot support may result in undesired behavior.
Setting or modifying the default server-side encryption settings does not automatically encrypt or decrypt the existing bucket contents.
If the bucket contents must have consistent encryption, use the mc mv command with --enc-kms or --enc-s3 to re-encrypt objects using SSE-KMS or SSE-S3 respectively.
This manually modifies the encryption settings or encrypted state of the bucket contents before changing the bucket default.
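Because changing the default leaves existing objects as they were, it helps to find which objects do not match the new default before re-encrypting them. The following is an added example, not part of the AIStor documentation: it checks the standard S3 HeadObject response headers of each object against the chosen mode and key. The object names, the legacy-key name and the handling of an arn:aws:kms: prefix on the reported key id are assumptions made for illustration.

```python
SSE_HEADER = "x-amz-server-side-encryption"
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
# S3 API header values for the two modes that mc encrypt set accepts.
MODE_TO_HEADER = {"sse-kms": "aws:kms", "sse-s3": "AES256"}
# Assumption: the server may report the key name with this prefix.
ARN_PREFIX = "arn:aws:kms:"


def classify(headers, mode, kms_key=None):
    """Return 'ok', 'unencrypted', 'wrong-mode' or 'wrong-key' for one object."""
    if mode not in MODE_TO_HEADER:
        raise ValueError(f"unsupported mode: {mode!r}")
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    actual = h.get(SSE_HEADER)
    if actual is None:
        # SSE-C objects carry a different header: encrypted, but not with the default.
        return "wrong-mode" if SSEC_HEADER in h else "unencrypted"
    if actual != MODE_TO_HEADER[mode]:
        return "wrong-mode"
    if mode == "sse-kms" and kms_key is not None:
        key_id = h.get(KMS_KEY_HEADER, "")
        if key_id.startswith(ARN_PREFIX):
            key_id = key_id[len(ARN_PREFIX):]
        if key_id != kms_key:
            return "wrong-key"
    return "ok"


def audit(objects, mode, kms_key=None):
    """Map object name -> finding for every object that does not match the default."""
    results = {name: classify(h, mode, kms_key) for name, h in objects.items()}
    return {name: status for name, status in results.items() if status != "ok"}


# Constructed sample: headers as HeadObject might return them for myminio/data.
SAMPLE = {
    "2023/old-report.csv": {"Content-Length": "1024"},
    "2024/q1.parquet": {"X-Amz-Server-Side-Encryption": "AES256"},
    "2024/q2.parquet": {SSE_HEADER: "aws:kms", KMS_KEY_HEADER: "arn:aws:kms:legacy-key"},
    "2025/q1.parquet": {SSE_HEADER: "aws:kms", KMS_KEY_HEADER: "minio-encryption-key"},
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, "sse-kms", "minio-encryption-key").items():
        print(f"{status:12} {name}")
```

Objects reported here are the candidates for the mc mv re-encryption step described above.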