
Enabling server-side encryption with object native encryption (SSE-ONE) using the AWS CLI

This page explains how to use SSE-ONE with the AWS CLI. To use it with the Scaleway console, refer to the dedicated documentation.

Server-Side Encryption with Object Native Encryption (SSE-ONE) is an encryption method provided by Scaleway Object Storage to protect your data at rest. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with Scaleway managing encryption keys (AES-256).

By default, SSE-ONE is applied per-upload, meaning that you must specify the encryption parameter for each PutObject operation. However, you can enable SSE-ONE on a bucket, so that each object uploaded is automatically encrypted at rest with an individual encryption key. Scaleway manages the creation, lifecycle, and deletion of encryption keys.

Scaleway SSE-ONE behaves similarly to server-side encryption with Amazon S3 managed keys (SSE-S3).

Note

Scaleway also supports SSE-C. Refer to the dedicated documentation for more information.

Before you start

To complete the actions presented below, you must have:

Enabling SSE-ONE on a bucket

Objects uploaded after enabling SSE-ONE are automatically encrypted. However, objects existing in the bucket before enabling SSE-ONE will not be encrypted, as encryption occurs during object upload.

  1. In a terminal, run the command below to enable SSE-ONE on the target bucket. Make sure to replace <your-bucket-name> with the correct value.

    aws s3api put-bucket-encryption \
    --bucket <your-bucket-name> \
    --server-side-encryption-configuration '{
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                }
            }
        ]
    }'

  2. Run the command below to ensure the encryption was properly applied. Do not forget to replace <your-bucket-name> with the correct value.

    aws s3api get-bucket-encryption --bucket <your-bucket-name>

    An output similar to the following displays:

    {
      "ServerSideEncryptionConfiguration": {
        "Rules": [
          {
            "ApplyServerSideEncryptionByDefault": {
              "SSEAlgorithm": "AES256"
            },
            "BucketKeyEnabled": false
          }
        ]
      }
    }

SSE-ONE is enabled on your bucket. Each object uploaded from now on will be automatically encrypted using AES-256 keys managed by Scaleway.
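
Because objects that were already in the bucket stay unencrypted, a bucket can hold a mix of encrypted and unencrypted objects after this step. The script below is an added example, not part of the Scaleway documentation, that reports the state of each object; it assumes `head-object` returns `ServerSideEncryption` set to `AES256` for SSE-ONE objects, as S3 does for SSE-S3, and the function names `sse_state` and `audit_bucket_sse` are illustrative.

```shell
#!/bin/sh
# Added example: report the at-rest encryption state of every object in a bucket.
# Assumption: head-object reports ServerSideEncryption=AES256 for SSE-ONE objects,
# as S3 does for SSE-S3. Endpoint and credentials come from your AWS CLI profile.

# Map the ServerSideEncryption value to a state. With --output text the
# AWS CLI prints "None" when the field is absent from the response.
sse_state() {
  case "$1" in
    AES256) echo encrypted ;;
    ""|None|null) echo unencrypted ;;
    *) echo "other:$1" ;;
  esac
}

# Print "state<TAB>key" for each object in the bucket.
# Returns 0 if every object is AES256-encrypted, 1 if any is not, 2 on an API error.
audit_bucket_sse() {
  _bucket=$1
  _rc=0
  # One key per line; the fallback to an empty list makes an empty bucket
  # print nothing instead of the literal text "None".
  _keys=$(aws s3api list-objects-v2 --bucket "$_bucket" \
            --query 'Contents[].[Key] || `[]`' --output text) || return 2
  while IFS= read -r _key; do
    [ -n "$_key" ] || continue
    if ! _sse=$(aws s3api head-object --bucket "$_bucket" --key "$_key" \
                  --query ServerSideEncryption --output text); then
      printf 'error\t%s\n' "$_key"
      _rc=2
      continue
    fi
    _state=$(sse_state "$_sse")
    printf '%s\t%s\n' "$_state" "$_key"
    # Keep an earlier API error (2) as the final status.
    [ "$_state" = encrypted ] || [ "$_rc" -eq 2 ] || _rc=1
  done <<EOF
$_keys
EOF
  return "$_rc"
}

# Usage: sh audit-sse.sh <your-bucket-name>
[ "$#" -eq 0 ] || audit_bucket_sse "$1"
```

A non-zero exit status makes the script usable as a gate in a scheduled job or pipeline.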

Disabling SSE-ONE on a bucket

Objects uploaded after disabling SSE-ONE will not be automatically encrypted. However, objects existing in the bucket before disabling SSE-ONE will remain encrypted, as encryption occurs during object upload.

  1. Run the command below in a terminal to disable SSE-ONE on the target bucket. Make sure to replace <your-bucket-name> with the correct value.

    aws s3api delete-bucket-encryption --bucket <your-bucket-name>

  2. Run the following command to ensure the encryption was properly disabled. Do not forget to replace <your-bucket-name> with the correct value.

    aws s3api get-bucket-encryption --bucket <your-bucket-name>

    An output similar to the following displays:

    {
      "ServerSideEncryptionConfiguration": {}
    }

SSE-ONE is now disabled, and can be enabled again at any time.
