Welcome to the upcoming version of the MinIO Documentation! The content on this page is under active development and may change at any time. If you can't find what you're looking for, check our legacy documentation. Thank you for your patience.

mc encrypt

Table of Contents

Description

The mc encrypt mc sets, updates, or disables the default bucket Server-Side Encryption (SSE) mode. MinIO automatically encrypts objects using the specified SSE mode.

For more information on configuring SSE, see Encryption and Key Management

Behavior

mc encrypt makes no assumptions about the MinIO server’s current encryption state. Specifying default encryption settings which the server cannot support may result in undesired behavior.

Setting or modifying the default server-side encryption settings does not automatically encrypt or decrypt the existing bucket contents. If the bucket contents must have consistent encryption, use the mc mv mc with the --encrypt or --encrypt-key arguments to manually modify the encryption settings or encrypted state of the bucket contents before changing the bucket default.

Syntax

mc encrypt set

Sets the default encryption settings for the bucket. The command has the following syntax:

mc encrypt set ENCRYPTION [KMSKEY] TARGET

The mc requires the following arguments:

ENCRYPTION

Specify the server-side encryption type to use as the default SSE mode. Supports the following values:

  • sse-kms - SSE using a Key Management System (KMS).

  • sse-s3 - SSE using client-provided keys (SSE-C).

KMSKEY

Specify the KMS Master Key to use for performing SSE object encryption. Only required if ENCRYPTION is sse-kms.

TARGET

The full path to the bucket on which to set the default SSE mode. Specify the alias of a configured S3 service as the prefix to the TARGET path. For example:

mc encrypt set ENCRYPTION [KMSKEY] play/mybucket
mc encrypt clear

Removes the default encryption settings for the bucket. The command has the following syntax:

mc encrypt clear TARGET

The command requires the following argument:

TARGET

The full path to the bucket on which to clear the default SSE mode. Specify the alias of a configured S3 service as the prefix to the TARGET path. For example:

mc encrypt remove play/mybucket
mc encrypt info

Returns the current default bucket encryption settings. The command has the following syntax:

mc encrypt info TARGET

The command requires the following argument:

TARGET

The full path to the bucket on which to return the default SSE mode. Specify the alias of a configured S3 service as the prefix to the TARGET path. For example:

mc encrypt remove play/mybucket