Oracle Cloud Improves Object Storage Throughput with Bucket Keys
Oracle Cloud Infrastructure (OCI) has rolled out a significant enhancement for its Object Storage service: SSE-KMS Bucket Keys. This new feature is designed to boost throughput and optimize performance for demanding workloads that rely on customer-managed Vault keys for encryption.

The Performance Problem

High-throughput Object Storage workloads face a real challenge with encryption. Every object access traditionally requires a direct call to the Key Management Service to decrypt data encryption keys. For analytics pipelines, AI/ML training jobs, and other data-intensive operations that handle thousands of objects, this becomes a bottleneck. Each PUT and GET operation introduces latency, and sustained high request rates risk triggering KMS throttling.

This problem intensifies when you’re scaling. A job processing millions of objects needs predictable performance, not KMS delays stalling the pipeline.

How Bucket Keys Work

Bucket Keys solve this by introducing an intermediate layer. Instead of hitting KMS for every object operation, a bucket-scoped encryption key (protected by your customer-managed Vault key) wraps the data encryption keys for all objects in that bucket. The Vault key remains the root of protection, but most operations bypass the KMS call entirely.

The result is cleaner: lower latency on PUT and GET operations, fewer KMS interactions, and the ability to sustain higher object request rates without throttling becoming a constraint.

Who Benefits

Bucket Keys are most valuable for specific workload types:

  • Analytics jobs running parallel READ/WRITE operations across many objects
  • AI/ML pipelines that repeatedly load training data from Object Storage
  • Data platforms scaling to handle millions of objects with consistent performance requirements
  • Workloads where KMS request rates become a bottleneck as request rates climb

If your workload involves checkpoint processing, large batch operations, or continuous data ingestion with customer-managed encryption, Bucket Keys should be on your radar.

Key Advantages

Benefit Impact
Reduced latency Fewer KMS interactions mean faster PUT and GET operations
Higher throughput Workloads can sustain more requests without KMS throttling
No application changes Configured at the bucket level, works with existing code
Security maintained Customer-managed Vault key remains the root of protection
Selective enablement Opt-in feature that activates per bucket

How to Enable Bucket Keys

Bucket Keys are disabled by default, giving you full control over when to activate them. The activation process is straightforward:

First, identify which buckets handle high-throughput workloads and use customer-managed Vault keys. Confirm your Vault key and IAM permissions are in place. Then enable Bucket Keys for those specific buckets.

New objects written after enablement automatically use Bucket Key wrapping. Existing objects retain their previous wrapping method until you explicitly trigger a bucket re-encryption process. The feature also works within Security Zones, maintaining all existing security requirements like private bucket access and customer-managed encryption.

When to Consider It

Bucket Keys aren’t necessary for every workload. Light-to-moderate traffic workloads won’t see meaningful performance gains. However, if you’re building a data platform expected to scale significantly, or if you already face KMS throttling issues with high-volume operations, enabling Bucket Keys should be part of your optimization strategy.

More technical details are available in the Oracle encryption documentation, which covers configuration, monitoring, and best practices for managing encryption via Vault keys.

Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates