- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Console Guide
- Console Overview
- Bucket Management
- Bucket Overview
- Creating Buckets
- Deleting Buckets
- Querying Buckets
- Empty Buckets
- Setting Access Permission
- Setting Bucket Encryption
- Setting Hotlink Protection
- Setting Origin-Pull
- Setting Cross-Origin Access
- Setting Versioning
- Setting up a Static Website
- Setting Lifecycle
- Setting Logging
- Accessing Bucket List Using Sub-Account
- Adding Bucket Policies
- Setting INTELLIGENT TIERING
- Enabling Inventory
- Domain Name Management
- Setting Bucket Tags
- Setting Cross-Bucket Replication
- Enabling Global Acceleration
- Object Management
- Uploading Objects
- Downloading Objects
- Copying Objects
- Viewing Object Information
- Searching for Objects
- Sorting and Filtering Objects
- Direct Upload Archiving
- Modifying Storage Class
- Deleting File Fragments
- Setting Object Access Permission
- Setting Object Encryption
- Custom Headers
- Deleting Objects
- Restoring an Archived Object
- Folder Management
- Data Extraction
- Setting Object Tags
- Batch Operation
- Monitoring Reports
- Data Processing
- Application Integration
- User Tools
- Best Practice
- Overview
- Access Control and Permission Management
- ACL Practices
- Cloud Access Management Practices
- Granting Sub-accounts Access to COS
- Cases of Permission Setting
- Working with COS API Access Policies
- Temporary Key Security Guide for Frontend Direct Upload to COS
- Generating and Using Temporary Keys
- Grant Sub-account Permissions to Pull Tag List
- Granting Sub-account Under One Root Account Permission to Manipulate Buckets Under Another Root Account
- Performance Optimization
- Data Migration
- Accessing COS Using the AWS S3 SDK
- Data Disaster Recovery and Backup
- Direct Data Upload
- Domain Name Management Practice
- Data Security
- Data Verification
- Big Data Practice
- Using COS in the Third-party Applications
- Introduction to COS Data Security Solution
- Developer Guide
- Creating Request
- Bucket
- Object
- Data Management
- Data Disaster Recovery
- Data Security
- Cloud Access Management (CAM)
- Batch Processing
- Monitoring and Alarms
- Global Acceleration
- Data Processing
- Troubleshooting
- API Documentation
- Introduction
- Common Request Headers
- Common Response Headers
- Error Codes
- Request Signature
- Operation List
- Service APIs
- Bucket APIs
- Basic Operations
- Access Control List (acl)
- Cross-Origin Resource Sharing (cors)
- Lifecycle
- Bucket Policy (policy)
- Hotlink Protection (referer)
- Tag (tagging)
- Static Website (website)
- Intelligent Tiering
- Bucket inventory(inventory)
- Versioning
- Cross-Bucket Replication(replication)
- Log Management(logging)
- Global Acceleration (Accelerate)
- Bucket Encryption (encryption)
- Object APIs
- Batch Operation APIs
- Data Processing APIs
- SDK Documentation
- SDK Overview
- Preparations
- Android SDK
- Object Operations
- Uploading and Copying Objects
- Downloading Objects
- Listing Objects
- Deleting an Object
- Restoring an Archived Object
- Querying Object Metadata
- Generating a Pre-signed Link
- Configuring Preflight Requests for Cross-origin Access
- Moving an Object
- Server-Side Encryption
- Single-Connection Bandwidth Limit
- Extracting Object Content
- Getting Started
- Quick Experience
- Bucket Operations
- Remote Disaster Recovery
- Data Management
- Cloud Access Management
- Setting Custom Headers
- Setting Access Domain Names
- Image Processing
- Troubleshooting
- Object Operations
- C SDK
- C++ SDK
- .NET(C#) SDK
- Getting Started
- Bucket Operations
- Object Operations
- Uploading and Copying Objects
- Moving an Object
- Downloading Objects
- Listing Objects
- Deleting Objects
- Restoring Archived Objects
- Querying Object Metadata
- Generating Pre-Signed URLs
- Configuring Preflight Requests for Cross-Origin Access
- Server-Side Encryption
- Single-Connection Bandwidth Limit
- Extracting Object Content
- Cross-Region Disaster Recovery
- Data Management
- Cloud Access Management
- Image Processing
- Setting Custom Headers
- Setting Access Endpoints
- Troubleshooting
- Go SDK
- iOS SDK
- Java SDK
- JavaScript SDK
- Node.js SDK
- PHP SDK
- Python SDK
- Mini Program SDK
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Console Guide
- Console Overview
- Bucket Management
- Bucket Overview
- Creating Buckets
- Deleting Buckets
- Querying Buckets
- Empty Buckets
- Setting Access Permission
- Setting Bucket Encryption
- Setting Hotlink Protection
- Setting Origin-Pull
- Setting Cross-Origin Access
- Setting Versioning
- Setting up a Static Website
- Setting Lifecycle
- Setting Logging
- Accessing Bucket List Using Sub-Account
- Adding Bucket Policies
- Setting INTELLIGENT TIERING
- Enabling Inventory
- Domain Name Management
- Setting Bucket Tags
- Setting Cross-Bucket Replication
- Enabling Global Acceleration
- Object Management
- Uploading Objects
- Downloading Objects
- Copying Objects
- Viewing Object Information
- Searching for Objects
- Sorting and Filtering Objects
- Direct Upload Archiving
- Modifying Storage Class
- Deleting File Fragments
- Setting Object Access Permission
- Setting Object Encryption
- Custom Headers
- Deleting Objects
- Restoring an Archived Object
- Folder Management
- Data Extraction
- Setting Object Tags
- Batch Operation
- Monitoring Reports
- Data Processing
- Application Integration
- User Tools
- Best Practice
- Overview
- Access Control and Permission Management
- ACL Practices
- Cloud Access Management Practices
- Granting Sub-accounts Access to COS
- Cases of Permission Setting
- Working with COS API Access Policies
- Temporary Key Security Guide for Frontend Direct Upload to COS
- Generating and Using Temporary Keys
- Grant Sub-account Permissions to Pull Tag List
- Granting Sub-account Under One Root Account Permission to Manipulate Buckets Under Another Root Account
- Performance Optimization
- Data Migration
- Accessing COS Using the AWS S3 SDK
- Data Disaster Recovery and Backup
- Direct Data Upload
- Domain Name Management Practice
- Data Security
- Data Verification
- Big Data Practice
- Using COS in the Third-party Applications
- Introduction to COS Data Security Solution
- Developer Guide
- Creating Request
- Bucket
- Object
- Data Management
- Data Disaster Recovery
- Data Security
- Cloud Access Management (CAM)
- Batch Processing
- Monitoring and Alarms
- Global Acceleration
- Data Processing
- Troubleshooting
- API Documentation
- Introduction
- Common Request Headers
- Common Response Headers
- Error Codes
- Request Signature
- Operation List
- Service APIs
- Bucket APIs
- Basic Operations
- Access Control List (acl)
- Cross-Origin Resource Sharing (cors)
- Lifecycle
- Bucket Policy (policy)
- Hotlink Protection (referer)
- Tag (tagging)
- Static Website (website)
- Intelligent Tiering
- Bucket inventory(inventory)
- Versioning
- Cross-Bucket Replication(replication)
- Log Management(logging)
- Global Acceleration (Accelerate)
- Bucket Encryption (encryption)
- Object APIs
- Batch Operation APIs
- Data Processing APIs
- SDK Documentation
- SDK Overview
- Preparations
- Android SDK
- Object Operations
- Uploading and Copying Objects
- Downloading Objects
- Listing Objects
- Deleting an Object
- Restoring an Archived Object
- Querying Object Metadata
- Generating a Pre-signed Link
- Configuring Preflight Requests for Cross-origin Access
- Moving an Object
- Server-Side Encryption
- Single-Connection Bandwidth Limit
- Extracting Object Content
- Getting Started
- Quick Experience
- Bucket Operations
- Remote Disaster Recovery
- Data Management
- Cloud Access Management
- Setting Custom Headers
- Setting Access Domain Names
- Image Processing
- Troubleshooting
- Object Operations
- C SDK
- C++ SDK
- .NET(C#) SDK
- Getting Started
- Bucket Operations
- Object Operations
- Uploading and Copying Objects
- Moving an Object
- Downloading Objects
- Listing Objects
- Deleting Objects
- Restoring Archived Objects
- Querying Object Metadata
- Generating Pre-Signed URLs
- Configuring Preflight Requests for Cross-Origin Access
- Server-Side Encryption
- Single-Connection Bandwidth Limit
- Extracting Object Content
- Cross-Region Disaster Recovery
- Data Management
- Cloud Access Management
- Image Processing
- Setting Custom Headers
- Setting Access Endpoints
- Troubleshooting
- Go SDK
- iOS SDK
- Java SDK
- JavaScript SDK
- Node.js SDK
- PHP SDK
- Python SDK
- Mini Program SDK
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
Overview
Once a bucket is configured for encryption, all objects uploaded to the bucket thereafter will be encrypted by default with the specified encryption method.
Currently supported encryption methods include:
- SSE-COS encryption: server-side encryption using COS-managed encryption keys
For more information on server-side encryption, please see Server-side Encryption Overview.
Directions
Via the COS Console
You can set bucket encryption in the COS Console. For more information, please see Setting Bucket Encryption in Console Guide.
Via REST API
You can configure bucket encryption using the following APIs:
Notes
Uploading objects to an encrypted bucket
For buckets requiring encryption, note the following:
- Configuring encryption for a bucket will not lead to encryption operations on objects that already exist in it.
- After encryption is configured for a bucket, for objects uploaded to the bucket:
- If your PUT request does not contain encryption information, the uploaded objects will be encrypted with the encryption configuration of the bucket.
- If your PUT request contains encryption information, the uploaded objects will be encrypted with the contained encryption information.
- After encryption is configured for a bucket, for inventory reports delivered to the bucket:
- If encryption is not configured for the inventory, the delivered reports will be encrypted with the encryption configuration of the bucket.
- If encryption is configured for the inventory, the delivered reports will be encrypted with the encryption configuration of the inventory.
- After encryption is configured for the bucket, the data pulled back to the bucket will be encrypted with the encryption configuration of the bucket by default.
Encrypting buckets that have cross-region replication rules configured
For the destination bucket that has a cross-region replication rule configured, if you configure encryption for it, note the following:
- If the objects in the source bucket are not encrypted, the object copies in the destination bucket will be encrypted by default.
- If the objects in the source bucket are encrypted, the object copies in the destination bucket will inherit the encryption from the source bucket, and the bucket encryption settings will not be honored.
Yes
No
Was this page helpful?