---
title: Access Key
---

Access keys authenticate CLI and API requests to your EOS buckets. Each key is scoped to a specific bucket with a defined role, giving you fine-grained control over who can read, write, or manage your data.

## Create an Access Key

You can create an access key from the **Permissions** tab in the bucket detail panel, or from the **Manage Access Keys** page.

1. Select your bucket from the **Manage Object Storage** list.
2. Click the **Permissions** tab.
3. Click **Create Access Key**.
4. Enter a name for the key (e.g., application name, team name).
5. Generate a new key or select an existing one.
6. Assign a role:

   | Role          | Permissions         |
   |---------------|---------------------|
   | bucket admin  | read, write, manage |
   | bucket writer | read, write         |
   | bucket reader | read only           |

7. Click **Save**.

:::tip
Use a short, recognizable name — you will type it for every CLI command that references this key.
:::

:::warning
The secret key is shown only once. Copy and store it securely before closing the dialog.
:::

---

## Manage Access Keys

The **Manage Access Keys** page lists all keys across your buckets. To access it, click **Manage Access Keys** on the **Manage Object Storage** page.

From this page you can:

- **Lock** a key to immediately revoke access without deleting the key.
- **Unlock** a previously locked key to restore access.
- **Delete** a key to permanently remove it.

To lock or unlock a key:

1. Click **Manage Access Keys** on the **Manage Object Storage** page.
2. Find the key by name.
3. Click the **Lock** or **Unlock** icon next to it.

---

## Public Access Config

Public Access Config controls URL-based access to objects in a bucket, without requiring a key.

Available modes:

| Mode | Description |
|---|---|
| **Private** | No public access (default) |
| **Download** | Anyone can download objects via URL |
| **Upload** | Anyone can upload objects via URL |
| **Upload & Download** | Both upload and download are publicly allowed |

To configure it, click **Public Access Config** on the bucket and select the desired mode.

---

## Protect Bucket Data with Encryption (SSE-C)

The procedure on this page configures and enables Server-Side Encryption with Client-Managed Keys (SSE-C). EOS SSE-C supports client-driven encryption of objects before writing the object to the drive. Clients must specify the correct key to decrypt objects for read operations.

### Prerequisites

- The `mc` client must be installed. See [How to install mc](/docs/myaccount/storage/object_storage/work_cli#download-minio-client-mc).
- The encryption key must be a **256-bit base64-encoded string**.
- You are responsible for storing the key. If you lose it, the encrypted objects cannot be decrypted and the data is unrecoverable.

### Step 1: Generate the Encryption Key

```bash
cat /dev/urandom | head -c 32 | base64 -
```

- The key must be a 256-bit base64-encoded string.
- Save the output. This is your encryption key.

### Step 2: Upload an Object with Encryption

```bash
mc cp ~/path/to/my_object.json ALIAS/BUCKET/my_object.json \
  --encrypt-key "ALIAS/BUCKET/=ENCRYPTION_KEY"
```

Replace:

- `ALIAS` — the mc alias configured for your EOS credentials
- `BUCKET` — your bucket name
- `ENCRYPTION_KEY` — the key generated in Step 1

### Step 3: Copy an SSE-C Encrypted Object Between Two Buckets

EOS also supports copying an SSE-C encrypted object to another S3-compatible service:

```bash
mc cp SOURCE/BUCKET/mydata.json TARGET/BUCKET/mydata.json \
  --encrypt-key \
  "SOURCE/BUCKET/=ENCRYPTION_KEY","TARGET/BUCKET/=ENCRYPTION_KEY"
```

- Replace `SOURCE` and `TARGET` with the aliases (the key_name used while configuring the mc client) of the services you want to read the SSE-C encrypted object from and write it to.
- Replace the source and destination `BUCKET` with the full path to the bucket or bucket prefix on which you want to read and write the SSE-C encrypted object.
- Replace `ENCRYPTION_KEY` with the key generated in Step 1.

### Considerations

- SSE-C encrypted objects are not compatible with the EOS bucket replication feature.
- Users manage a mapping of which encryption key was used to encrypt which object. E2E does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.
- If your bucket is versioning-enabled, each object version that you upload using this feature can have its own encryption key. You are responsible for tracking which encryption key was used for which object version.
- To download an encrypted object, the encryption key is required. If the key is lost, the data cannot be downloaded and will be unrecoverable. E2E is not responsible for the loss of your data in this case.

### References

- [MinIO SSE-C Quickstart](https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-c.html#quickstart)
- [E2E Networks mc Client Guide](/docs/myaccount/storage/object_storage/work_cli#download-minio-client-mc)

---
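The 256-bit requirement from Step 1 and the key tracking described under Considerations can be scripted. The helper below is an added example, not part of the EOS documentation: the function names and the tab-separated manifest format are assumptions, and it assumes GNU coreutils (`base64 -d`, `sha256sum`). It records a SHA-256-derived key identifier per object and version, never the key itself.

```bash
#!/bin/sh
# Added example (not from the EOS docs). Assumes GNU coreutils.

# Succeed only if $1 is canonical base64 that decodes to exactly 32 bytes.
# The re-encode comparison rejects keys with trailing garbage or bad padding.
sse_c_key_is_valid() {
    bytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    again=$(printf '%s' "$1" | base64 -d 2>/dev/null | base64 | tr -d '\n')
    [ "$bytes" -eq 32 ] && [ "$again" = "$1" ]
}

# Print a short, non-reversible identifier for a key: the first 16 hex
# characters of SHA-256 over the raw key bytes. Safe to store in a manifest.
sse_c_key_id() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -c1-16
}

# Append "object<TAB>version<TAB>key-id" to a manifest; refuses invalid keys.
# Usage: sse_c_record MANIFEST OBJECT KEY [VERSION_ID]
sse_c_record() {
    sse_c_key_is_valid "$3" || {
        echo "rejected: key is not a 256-bit base64 string" >&2
        return 1
    }
    printf '%s\t%s\t%s\n' "$2" "${4:-current}" "$(sse_c_key_id "$3")" >> "$1"
}

# Print the key-id recorded for OBJECT and optional VERSION_ID.
# The newest matching entry wins; exits non-zero when nothing is recorded.
# Usage: sse_c_lookup MANIFEST OBJECT [VERSION_ID]
sse_c_lookup() {
    awk -F '\t' -v o="$2" -v v="${3:-current}" \
        '$1 == o && $2 == v { id = $3 }
         END { if (id == "") exit 1; print id }' "$1"
}
```

Call `sse_c_record` right after each successful `mc cp` upload, then compare the output of `sse_c_lookup` with `sse_c_key_id` for the candidate keys in your secret store to find the one that decrypts a given object version.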