Gets an object's encryption information.
You must have READ permission to get an object's encryption
information.
Query string parameters
| Parameter | Description | Required |
|---|---|---|
encryption |
You can use this parameter to determine the type of encryption used on an object. If the encryption type is customer-managed or customer-supplied, this parameter also provides an identifier for the specific encryption key that was used. | No |
Request headers
Request body elements
This request does not include an XML document in the request body.
Request syntax
The following syntax applies to GET Object requests that use the
encryption query string parameter.
GET /OBJECT_NAME?encryption HTTP/1.1 Host: BUCKET_NAME.storage.googleapis.com Content-Length: 0 Content-Type: TYPE Authorization: AUTHENTICATION_STRING
Response headers
The request can return a variety of response headers depending on the request headers you use, including: Cache-Control, Content-Length, Content-Type, Content-Disposition, ETag, and Last-Modified.
Response body elements
The following response body elements are applicable only if you use the
encryption query string parameter.
| Element | Description |
|---|---|
Encryption |
Container for the object's encryption information. |
KmsKeyName |
Name of the Cloud Key Management Service key resource used to encrypt the object. Available only when the object is encrypted by a customer-managed encryption key. |
CustomerEncryption |
Container for customer-supplied encryption information. Available only when the object is encrypted by a customer-supplied encryption key. |
EncryptionAlgorithm |
The encryption algorithm in use for the customer-supplied encryption key. |
KeySha256 |
An RFC 4648 base64-encoded string of the SHA256 hash for the customer-supplied encryption key. |
Examples
The following example retrieves the encryption information for an object named tokyo.jpg encrypted by a customer-managed encryption key.
Request
GET /tokyo.jpg?encryption HTTP/1.1 Host: travel-maps.storage.googleapis.com Content-Length: 0 Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg
Response
HTTP/1.1 200 OK
Content-Length: 164
Content-Type: application/xml; charset=UTF-8
Date: Tue, 01 Nov 2016 17:12:32 GMT
<?xml version="1.0" encoding="UTF-8"?>
<Encryption>
<KmsKeyName>
projects/my-project/locations/us-east1/keyRings/my-keyRing/cryptoKeys/my-key
</KmsKeyName>
</Encryption>
The following example retrieves the encryption information for an object named paris.jpg encrypted by a customer-supplied encryption key.
Request
GET /paris.jpg?encryption HTTP/1.1 Host: travel-maps.storage.googleapis.com Content-Length: 0 Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg
Response
HTTP/1.1 200 OK
Content-Length: 220
Content-Type: application/xml; charset=UTF-8
Date: Tue, 01 Nov 2016 17:12:32 GMT
<?xml version="1.0" encoding="UTF-8"?>
<Encryption>
<CustomerEncryption>
<EncryptionAlgorithm>AES256</EncryptionAlgorithm>
<KeySha256>Vb/C17P2fk35hguiD/pdLoXJk2j2NlmWmUmnOPsLtfA=</KeySha256>
</CustomerEncryption>
</Encryption>
The following example retrieves the encryption information for an object named london.jpg not encrypted by a customer-supplied encryption key.
Request
GET /london.jpg?encryption HTTP/1.1 Host: travel-maps.storage.googleapis.com Content-Length: 0 Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg
Response
HTTP/1.1 200 OK Content-Length: 51 Content-Type: application/xml; charset=UTF-8 Date: Tue, 01 Nov 2016 20:35:29 GMT <?xml version="1.0" encoding="UTF-8"?> <Encryption/>