diff --git a/macros/object-storage/sse-kms-introduction.mdx b/macros/object-storage/sse-kms-introduction.mdx
new file mode 100644
index 0000000000..c0b03df2fe
--- /dev/null
+++ b/macros/object-storage/sse-kms-introduction.mdx
@@ -0,0 +1,21 @@
+---
+title: sse-kms-introduction
+---
+
+**S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/).
+
+When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket.
+
+The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK.
+
+Both key types have associated security best practices:
+- [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/)
+- [Secure your DEKs](/key-manager/reference-content/security-recommendations/)
+
+Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).
+
+
+Scaleway also supports:
+ - [Server-Side Encryption with Object Native Encryption (SSE-ONE)](/object-storage/how-to/enable-sse-one/)
+ - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/)
+
\ No newline at end of file
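Review bot: The key hierarchy in the second paragraph (the KEK "encrypts and decrypts the data encryption keys (DEKs)") does not match the CLI page added in this same patch, which places a Bucket Key between the KEK and the per-object DEKs; describe one hierarchy in both places, or say here that the Bucket Key layer applies only when it is enabled. In the best-practices list, "Secure your DEKs" asks the reader to protect keys that the paragraph above says are generated and operated by Object Storage, so state what action is expected of them. The link target `/key-manager/how-to/rotate-kem-keys/` should be checked: the other Key Manager how-to linked in this patch uses `km` (`create-km-key`), so `kem` may be a typo.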
diff --git a/macros/object-storage/sse-one-introduction.mdx b/macros/object-storage/sse-one-introduction.mdx
index 83c88036d0..b045c1f329 100644
--- a/macros/object-storage/sse-one-introduction.mdx
+++ b/macros/object-storage/sse-one-introduction.mdx
@@ -9,5 +9,7 @@ By default, SSE-ONE is applied per-upload, meaning that you must specify the enc
Scaleway SSE-ONE behaves similarly to Server Side Encryption with Amazon S3 managed keys (SSE-S3).
-Scaleway also supports SSE-C. Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information.
+Scaleway also supports:
+ - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/)
+ - [Server-Side Encryption with Key Management Service (SSE-KMS)](/object-storage/how-to/enable-sse-kms/)
\ No newline at end of file
diff --git a/pages/key-manager/faq.mdx b/pages/key-manager/faq.mdx
index dbbb3fe750..7bc4d4a459 100644
--- a/pages/key-manager/faq.mdx
+++ b/pages/key-manager/faq.mdx
@@ -1,5 +1,5 @@
---
-title: Key Manager
+title: Key Manager FAQ
description: Explore Scaleway Key Manager with our comprehensive FAQ covering security, key types, and more.
dates:
validation: 2025-12-19
@@ -18,6 +18,8 @@ Key Manager helps organizations achieve secure key management by handling low-le
Scaleway Key Manager allows you to create, manage, and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys.
+Key Manager is [integrated with Object Storage](/object-storage/how-to/enable-sse-kms/) to store and manage bucket encryption keys.
+
## Offering and availability
### Which cryptographic operations does Key Manager support?
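Review bot: "store and manage bucket encryption keys" in the added sentence is broader than what the SSE-KMS introduction in this patch describes, where Key Manager holds only the key encryption key (KEK) and the DEKs are generated and operated by Object Storage. Suggest naming the key explicitly, for example "to store and manage the key encryption key (KEK) used for SSE-KMS bucket encryption", so readers do not assume object data keys are kept in Key Manager.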
diff --git a/pages/object-storage/api-cli/enable-sse-kms.mdx b/pages/object-storage/api-cli/enable-sse-kms.mdx
new file mode 100644
index 0000000000..61c7a49125
--- /dev/null
+++ b/pages/object-storage/api-cli/enable-sse-kms.mdx
@@ -0,0 +1,82 @@
+---
+title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the AWS CLI
+description: Enable server-side encryption with Key Management Service (SSE-KMS) for Scaleway Object Storage.
+tags: object storage server side encryption sse kms cli scaleway own keys
+dates:
+ validation: 2026-06-04
+ posted: 2026-06-04
+---
+import Requirements from '@macros/iam/requirements.mdx'
+import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx'
+
+This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scaleway console, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-kms/).
+
+
+
+When it comes to setting up your key architecture, the recommended practice is to always set default bucket encryption by enabling a Bucket Key via [PutBucketEncryption](/object-storage/api-cli/bucket-operations/#putbucketencryption). When this is active and you have configured SSE‑KMS, Object Storage automatically creates a Bucket Key that is encrypted with your KMS key (the KEK). The Bucket Key, in turn, encrypts the per‑object data encryption keys (DEKs) that protect the actual object data.
+
+In cases when you have some objects that are stored without SSE‑KMS, you can:
+- Re‑upload an object and [enable SSE‑KMS for that specific object upload](#enabling-sse-kms-for-an-object-upload)
+- Copy an object using the same bucket as the source and the destination and [enable SSE‑KMS for that specific copy operation](#enable-ssekms-for-a-specific-copy-operation)
+
+
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/)
+- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/)
+
+## Enabling SSE-KMS for an object upload
+
+In a terminal, run the following command. Remember to replace placeholders with actual values.
+
+ ```bash
+ aws s3api put-object \
+ --bucket \
+ --key \
+ --server-side-encryption aws:kms \
+ --bucket-key-enabled
+ --ssekms-key-id \
+ --body
+ ```
+An output similar to the following displays:
+
+ ```json
+ {
+ "ETag": "\"\"",
+ "ChecksumCRC64NVME": "",
+ "ChecksumType": "FULL_OBJECT",
+ "ServerSideEncryption": "aws:kms",
+ "SSEKMSKeyId": "",
+ "BucketKeyEnabled": true
+ }
+ ```
+
+## Enable SSE‑KMS for a specific copy operation
+
+In a terminal, run the following command. Remember to replace placeholders with actual values.
+
+ ```bash
+ aws s3api copy-object \
+ --copy-source / \
+ --key \
+ --bucket \
+ --server-side-encryption aws:kms \
+ --bucket-key-enabled \
+ --sse-kms-key-id
+ ```
+
+An output similar to the following displays:
+
+ ```json
+ {
+ "ServerSideEncryption": "aws:kms",
+ "SSEKMSKeyId": "",
+ "BucketKeyEnabled": true,
+ "CopyObjectResult": {
+ "ETag": "\"\"",
+ "LastModified": "yyyy-MM-ddTHH:mm:ss.SSSZ",
+ "ChecksumCRC64NVME": ""
+ }
+ }
+ ```
\ No newline at end of file
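Review bot: In the `put-object` example the `--bucket-key-enabled` line has no trailing backslash, so the command ends there and the shell then tries to run `--ssekms-key-id` as a separate command; add the ` \` continuation. The `copy-object` example spells the option `--sse-kms-key-id` while `put-object` uses `--ssekms-key-id`; the AWS CLI option is `--ssekms-key-id`, so the copy example fails as written. The values after `--bucket`, `--key`, `--body`, `--ssekms-key-id` and `--copy-source` are empty as shown, although the text says to replace placeholders, so restore named placeholders. The page recommends default bucket encryption via PutBucketEncryption but gives no command for it, and the anchor `#enable-ssekms-for-a-specific-copy-operation` should be checked against the slug generated for the heading "Enable SSE‑KMS for a specific copy operation".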
diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx
index 3d3f33c256..fa150b2b62 100644
--- a/pages/object-storage/how-to/create-a-bucket.mdx
+++ b/pages/object-storage/how-to/create-a-bucket.mdx
@@ -3,7 +3,7 @@ title: How to create a bucket
description: Create a new bucket in Scaleway Object Storage.
tags: object storage bucket object-storage
dates:
- validation: 2025-07-01
+ validation: 2026-06-02
posted: 2021-05-27
---
import Requirements from '@macros/iam/requirements.mdx'
@@ -28,7 +28,7 @@ To get started with Object Storage, you must first create a bucket. Objects are
A private file stored in a public bucket is not publicly accessible.
You can change the bucket visibility at any time from the **Bucket settings** tab.
-6. Optionally, tick **SSE-ONE encryption with Scaleway Object Native Encryption keys** to encrypt your objects with keys managed by Scaleway.
+6. Optionally, tick **Enable bucket encryption** and select an encryption type ([SSE-ONE](/object-storage/how-to/enable-sse-one/) or [SSE-KMS](/object-storage/how-to/enable-sse-kms/)) to encrypt your objects with keys managed by Scaleway (in the case of SSE-ONE) or by your organization via Scaleway's [Key Manager](/key-manager/concepts/) (in the case of SSE-KMS).
7. Optionally, configure [bucket versioning](/object-storage/how-to/use-bucket-versioning/):
- Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs).
- Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled.
diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx
new file mode 100644
index 0000000000..dab902e07f
--- /dev/null
+++ b/pages/object-storage/how-to/enable-sse-kms.mdx
@@ -0,0 +1,95 @@
+---
+title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the Scaleway console
+description: Enable server-side encryption with Key Management Service (SSE-KMS) for Object Storage using the Scaleway console.
+tags: object storage server side encryption kms cli scaleway own keys
+dates:
+ validation: 2026-06-03
+ posted: 2026-06-04
+---
+import Requirements from '@macros/iam/requirements.mdx'
+import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx'
+
+This page explains how to use SSE-KMS with the Scaleway Console. To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-kms/).
+
+
+
+
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional)
+
+
+## How to enable SSE-KMS during bucket creation
+
+When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), follow these steps to enable SSE-KMS:
+
+1. Tick the **Enable bucket encryption** box and select the **SSE-KMS** encryption type.
+
+2. Select a KMS key.
+
+ The KMS key that you select here is the key encryption key (KEK) mentioned above.
+
+ You have the following options:
+
+ - **Select an existing key**: Use the drop-down to select a key that you [set up earlier via Key Manager](/key-manager/how-to/create-km-key/).
+ - **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager.
+
+
+ If you choose to create a new KMS key, it is automatically created with the “Protected” status. The key cannot be deleted via the console or the API, preventing accidental removal. The only way to disable key protection is through [Key Manager](/key-manager/).
+
+
+Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.
+
+
+As a best practice, we recommend using a dedicated KMS key for each bucket, rather than sharing a single key across multiple buckets.
+
+
+## How to enable SSE-KMS on an existing bucket
+
+1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.
+
+2. Click the name of the desired bucket. The **Overview** tab displays.
+
+3. Select the **Settings** tab.
+
+4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays.
+
+5. Tick the **Enable bucket encryption** box, then select **SSE-KMS**.
+
+6. Select a KMS key. You have the following options:
+
+ - **Select an existing key**: Use the drop-down to select a key that you [set up via Key Manager](/key-manager/how-to/create-km-key/) earlier.
+ - **Create a new KMS key**: Provide a name for your new key. When you click **Confirm**, a new key is created and available for managing via Key Manager.
+
+ The KMS key that you select here is the key encryption key (KEK) mentioned above.
+
+7. Click **Confirm**.
+
+New objects uploaded to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.
+
+
+Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted.
+
+
+## How to disable SSE-KMS on an existing bucket
+
+1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.
+
+2. Click the name of the desired bucket. The **Overview** tab displays.
+
+3. Select the **Settings** tab.
+
+4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays.
+
+5. Uncheck the **Enable bucket encryption** box.
+
+6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays.
+
+7. Type **DISABLE**, then click **Confirm**.
+
+
+ Once the change is applied, the encryption key (the KEK) will disappear from the bucket view, but objects encrypted with the previous SSE‑KMS configuration still depend on it. The key will remain available in Key Manager, but remember to not remove it. Deleting the key will make all previously encrypted objects inaccessible permanently.
+
+
+New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted.
\ No newline at end of file
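Review bot: The data-loss caveat at the end of the disable procedure ("remember to not remove it") is the most consequential statement on the page but sits as a trailing remark after step 7; present it as an explicit warning before the user confirms in step 6, and word it as a direct instruction not to delete the key while any object encrypted with it still exists. In the creation section, the "Protected" note says the key cannot be deleted via the console or the API and then says protection can be disabled through Key Manager; say which interface the restriction applies to so the two sentences do not read as contradictory. The existing-bucket procedure offers the same "Create a new KMS key" option but omits the Protected note, and the sentence "Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted" should link to the re-upload and copy procedures on the CLI page so readers know how to encrypt those objects.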
diff --git a/pages/object-storage/how-to/enable-sse-one.mdx b/pages/object-storage/how-to/enable-sse-one.mdx
index acd7b33496..cce20df6e4 100644
--- a/pages/object-storage/how-to/enable-sse-one.mdx
+++ b/pages/object-storage/how-to/enable-sse-one.mdx
@@ -3,7 +3,7 @@ title: Enabling server-side encryption with object native encryption (SSE-ONE) u
description: Enable server-side encryption with object native encryption (SSE-ONE) for Object Storage using the Scaleway console.
tags: object storage server side encryption sse one cli scaleway managed keys
dates:
- validation: 2026-02-24
+ validation: 2026-06-02
posted: 2026-02-24
---
import Requirements from '@macros/iam/requirements.mdx'
@@ -21,7 +21,7 @@ This page explains how to use SSE-ONE with the Scaleway Console. To use it with
## How to enable SSE-ONE during bucket creation
-When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE using the toggle under **Bucket encryption**.
+When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE by ticking the **Enable bucket encryption** box and selecting the **SSE-ONE** encryption type.
Objects pushed to this bucket will be automatically encrypted at rest with keys managed by Scaleway.
@@ -35,7 +35,9 @@ Objects pushed to this bucket will be automatically encrypted at rest with keys
4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.
-5. Click the toggle to enable SSE-ONE, then click **Edit** to confirm.
+5. Tick the **Enable bucket encryption** box, then select **SSE-ONE**.
+
+6. Click **Confirm**.
New objects uploaded to this bucket will be automatically encrypted at rest with keys managed by Scaleway.
@@ -53,6 +55,11 @@ Objects uploaded to this bucket before enabling SSE-ONE will not be encrypted.
4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.
-5. Click the toggle to disable SSE-ONE, then click **Edit** to confirm.
+5. Uncheck the **Enable bucket encryption** box.
+
+6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays.
+
+7. Type **DISABLE**, then click **Confirm**.
+
New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-ONE was enabled will remain encrypted.
\ No newline at end of file
diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts
index 013c68524e..ccee16856d 100644
--- a/pages/object-storage/menu.ts
+++ b/pages/object-storage/menu.ts
@@ -62,6 +62,10 @@ export const objectStorageMenu = {
label: 'Enable SSE-ONE',
slug: 'enable-sse-one',
},
+ {
+ label: 'Enable SSE-KMS',
+ slug: 'enable-sse-kms',
+ },
{
label: 'Use object lock',
slug: 'use-object-lock',
@@ -153,6 +157,10 @@ export const objectStorageMenu = {
label: 'Enabling SSE-ONE',
slug: 'enable-sse-one',
},
+ {
+ label: 'Enabling SSE-KMS',
+ slug: 'enable-sse-kms',
+ },
{
label: 'Setting CORS rules',
slug: 'setting-cors-rules',