Object Storage now supports SSE-KMS Bucket Keys, giving customers another way to use customer-managed Vault keys while optimizing performance for demanding workloads. Object-level SSE-KMS remains the strongest fit when customers want each object operation to interact directly with KMS for granular encryption control. For high-throughput buckets, Bucket Keys build on SSE-KMS by reducing repeated calls from Object Storage to Vault Key Management Service (KMS), helping lower PUT and GET latency and reducing the likelihood of KMS throttling at high request rates.

Addressing a Growing Performance Problem

Object Storage encrypts every object with a unique data encryption key. When a bucket uses server-side encryption with a customer-managed Vault key, KMS plays an important role in protecting those object data encryption keys.

This model gives you direct control over the lifecycle of encryption keys while maintaining strong protection for Object Storage data. For very high-throughput workloads, each object access can involve a KMS operation, so performance planning should account for KMS request rates and latency. This is especially important for analytics and AI/ML workloads that repeatedly access large numbers of objects at scale.

SSE-KMS Bucket Keys help address this at the bucket level by using a bucket-scoped intermediate encryption key that is protected by the customer’s KMS key. Object Storage can use the Bucket Key to wrap data encryption keys for eligible objects, reducing the need for per-object KMS calls while preserving SSE-KMS semantics.

object storage bucket level encryption diagram

Benefits of Bucket Level Keys

Lower Latency

Reducing KMS interactions removes a source of overhead from eligible PUT and GET operations. This helps improve response times and makes performance more predictable as request rates grow.

Reduced Likelihood of KMS Throttling

Active buckets can generate significant KMS traffic. Bucket Keys reduce that traffic, helping workloads sustain higher object request rates without KMS becoming a bottleneck.

Better Support for Analytics and AI/ML

Modern data platforms often access many objects in parallel. AI training, checkpoint processing, inference pipelines, and large analytics jobs can all benefit from reducing encryption-related dependencies in the request path.

Continued Control of Encryption Keys

The customer-managed Vault key remains the root of protection for the Bucket Key. You can continue to own and manage your KMS keys in your OCI tenancy while benefiting from a more efficient encryption workflow.

No Application Changes

Bucket Key is configured on the Object Storage bucket. Applications continue to use the same Object Storage interfaces and workflows, making the feature practical for both new and existing architectures.

When to Consider Bucket Level Keys

Bucket Keys are a strong fit for high-throughput Object Storage workloads that require customer-managed encryption via Vault keys with fewer KMS calls and lower latency. Consider this feature when:

  • Analytics jobs perform large numbers of parallel READ and/or WRITE operations.
  • AI/ML pipelines repeatedly load training data, models, or checkpoints.
  • KMS request rates are becoming a performance-planning concern.
  • You are designing a new data platform that is expected to scale significantly over time.

Bucket Keys balance security granularity and performance. Object-level SSE-KMS provides the greatest key isolation, SSE-KMS with Bucket Keys reduces KMS dependency, and Oracle-managed keys offer the simplest operational model. Choose based on your security, compliance, throughput, and latency requirements.

Bucket Key is opt-in for each bucket and disabled by default. This lets you enable it selectively for the workloads that benefit most while leaving other bucket configurations unchanged.

A Simple Adoption Approach

Start by identifying high-throughput buckets that use, or will use, a customer-managed OCI Vault key. Confirm that the required Vault key and IAM permissions are in place, then enable Bucket Key for the selected bucket.

New objects written after enablement can use Bucket Key wrapping. Existing objects retain their previous wrapping until bucket re-encryption is run. For established buckets, include that migration decision in the rollout plan so that the behavior of both new and existing data is understood.

Bucket Keys are also supported for buckets in Security Zones when the bucket uses a customer-managed Vault key. Existing Security Zones requirements, including private bucket access and customer-managed encryption, continue to apply.

Get Started Today

Bucket Keys give you a straightforward way to combine customer-controlled encryption with the performance needs of high-throughput Object Storage workloads.

To learn more, start with our encryption documentation and begin using Bucket Keys today.

References