Get an object's encryption information

Gets an object's encryption information.

You must have READ permission to get an object's encryption information.

Query string parameters

Parameter Description Required
encryption You can use this parameter to determine the type of encryption used on an object. If the encryption type is customer-managed or customer-supplied, this parameter also provides an identifier for the specific encryption key that was used. No

See signed URL query string parameters for information on the parameters you include when creating and using signed URLs.

Request headers

See common request headers.

Request body elements

This request does not include an XML document in the request body.

Request syntax

The following syntax applies to GET Object requests that use the encryption query string parameter.

GET /OBJECT_NAME?encryption HTTP/1.1
Host: BUCKET_NAME.storage.googleapis.com
Content-Length: 0
Content-Type: TYPE
Authorization: AUTHENTICATION_STRING

Response headers

The request can return a variety of response headers depending on the request headers you use, including: Cache-Control, Content-Length, Content-Type, Content-Disposition, ETag, and Last-Modified.

Response body elements

The following response body elements are applicable only if you use the encryption query string parameter.

Element Description
Encryption Container for the object's encryption information.
KmsKeyName Name of the Cloud Key Management Service key resource used to encrypt the object. Available only when the object is encrypted by a customer-managed encryption key.
CustomerEncryption Container for customer-supplied encryption information. Available only when the object is encrypted by a customer-supplied encryption key.
EncryptionAlgorithm The encryption algorithm in use for the customer-supplied encryption key.
KeySha256 An RFC 4648 base64-encoded string of the SHA256 hash for the customer-supplied encryption key.

Examples

The following example retrieves the encryption information for an object named tokyo.jpg encrypted by a customer-managed encryption key.

Request

GET /tokyo.jpg?encryption HTTP/1.1
Host: travel-maps.storage.googleapis.com
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

Response

HTTP/1.1 200 OK
Content-Length: 164
Content-Type: application/xml; charset=UTF-8
Date: Tue, 01 Nov 2016 17:12:32 GMT

<?xml version="1.0" encoding="UTF-8"?>
<Encryption>
  <KmsKeyName>
    projects/my-project/locations/LOCATION/keyRings/RING_NAME/cryptoKeys/KEY_NAME
  </KmsKeyName>
</Encryption>

The following example retrieves the encryption information for an object named paris.jpg encrypted by a customer-supplied encryption key.

Request

GET /paris.jpg?encryption HTTP/1.1
Host: travel-maps.storage.googleapis.com
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

Response

HTTP/1.1 200 OK
Content-Length: 220
Content-Type: application/xml; charset=UTF-8
Date: Tue, 01 Nov 2016 17:12:32 GMT

<?xml version="1.0" encoding="UTF-8"?>
<Encryption>
  <CustomerEncryption>
    <EncryptionAlgorithm>AES256</EncryptionAlgorithm>
    <KeySha256>Vb/C17P2fk35hguiD/pdLoXJk2j2NlmWmUmnOPsLtfA=</KeySha256>
  </CustomerEncryption>
</Encryption>

The following example retrieves the encryption information for an object named london.jpg not encrypted by a customer-supplied encryption key.

Request

GET /london.jpg?encryption HTTP/1.1
Host: travel-maps.storage.googleapis.com
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

Response

HTTP/1.1 200 OK
Content-Length: 51
Content-Type: application/xml; charset=UTF-8
Date: Tue, 01 Nov 2016 20:35:29 GMT

<?xml version="1.0" encoding="UTF-8"?>
<Encryption/>