How Do I Access or Download an Encrypted Object?

Encrypting an Object

Method 1: Enable default encryption when you create a bucket. Then, all types of objects uploaded to the bucket will be automatically encrypted with the specified encryption method and key during bucket creation.

Method 2: Specify an encryption method and key type when you upload an object.

Accessing or Downloading an Encrypted Object

When an object is encrypted with SSE-OBS, configure a public read policy (which grants anonymous users access to an object) for the object and then you can directly access this object.

When an object is encrypted with SSE-C, it cannot be accessed directly, even if it has a public read policy (which grants anonymous users access to an object) configured. Whereas, you can call an API to access or download the object. For details, see Downloading Objects.

When an object is encrypted with SSE-KMS, it cannot be accessed directly, even if it has a public read policy (which grants anonymous users access to an object) configured. To access or download an encrypted object, use either of the following methods:

Method 1: Access the encrypted object as a user with the KMS CMKFullAccess permission. The region where your KMS CMKFullAccess permission applies must be the one where the bucket storing the object is located. For details about how to grant users the KMS CMKFullAccess permission, see Assigning Permissions to an IAM User.

Method 2: Use the temporary URL generated by sharing the encrypted object. When you use the shared URL for access, the server automatically decrypts the object.

For example, if you want your encrypted object (such as a video or audio file) to be accessed by anonymous users, you can share your object and send the generated URL to others. For details about object sharing, see Sharing a File.