scaleway · SamyOubouaziz · Mar 3, 2026 · Feb 3, 2026 · Feb 16, 2026 · Feb 24, 2026
@@ -0,0 +1,13 @@
+---
+title: sse-one-introduction
+---
+
+**S**erver-**S**ide **E**ncryption with **O**bject **N**ative **E**ncryption (SSE-ONE) is an encryption method provided by Scaleway Object Storage to protect your data at rest. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with Scaleway managing encryption keys (AES-256).
+
+By default, SSE-ONE is applied per-upload, meaning that you must specify the encryption parameter for each `PutObject` operation. However, you can enable SSE-ONE on a bucket, so that each object uploaded is automatically encrypted at rest with an individual encryption key. Scaleway manages the creation, lifecycle, and deletion of encryption keys.
+
+Scaleway SSE-ONE behaves similarly to Server Side Encryption with Amazon S3 managed keys (SSE-S3).
+
+<Message type="note">
+Scaleway also supports SSE-C. Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information.
+</Message>
@@ -1,5 +1,5 @@
 ---
-title: Enabling server-side encryption (SSE-C)
+title: Enabling server-side encryption with customer-provided keys (SSE-C)
 description: Enable server-side encryption with customer-provided keys (SSE-C) in Scaleway.
 tags: object storage server side encryption sse sse-c cli s3
 dates:
@@ -12,7 +12,7 @@ import Requirements from '@macros/iam/requirements.mdx'
 **S**erver-**S**ide **E**ncryption with **C**ustomer-provided keys (SSE-C) is an encryption method provided by Scaleway Object Storage to protect your data at rest. It allows you to supply your own encryption keys to encrypt data when it is uploaded, and to decrypt data when accessed.
 
 <Message type="note">
-Currently, Scaleway does not support other types of server-side encryption methods, such as SSE-KMS, or SSE-S3.
+Scaleway also supports SSE-SCW. Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-scw/) for more information.
 </Message>
 
 ## SSE-C overview

@@ -0,0 +1,92 @@
+---
+title: Enabling server-side encryption with object native encryption (SSE-ONE)
+description: Enable server-side encryption with object native encryption (SSE-ONE) for Scaleway Object Storage.
+tags: object storage server side encryption sse one cli scaleway managed keys
+dates:
+  validation: 2026-02-03
+  posted: 2026-02-03
+---
+import Requirements from '@macros/iam/requirements.mdx'
+import SseOneIntroduction from '@macros/object-storage/sse-one-introduction.mdx'
+
+This page explains how to use SSE-ONE with the AWS CLI. To use it with the Scaleway console, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-one/).
+
+<SseOneIntroduction />
+
+<Requirements />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/)
+- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/)
+
+## Enabling SSE-ONE on a bucket
+
+Objects uploaded **after** enabling SSE-ONE are automatically encrypted. However, objects existing in the bucket before enabling SSE-ONE will not be encrypted, as encryption occurs during object upload.
+
+1. In a terminal, run the command below to enable SSE-ONE on the target bucket. Make sure to replace `<your-bucket-name>` with the correct value. 
+
+    ```bash
+    aws s3api put-bucket-encryption \
+    --bucket <your-bucket-name> \
+    --server-side-encryption-configuration '{
+        "Rules": [
+            {
+                "ApplyServerSideEncryptionByDefault": {
+                    "SSEAlgorithm": "AES256"
+                }
+            }
+        ]
+      }'
+    ```
+
+2. Run the command below to ensure the encryption was properly applied. Do not forget to replace `<your-bucket-name>` with the correct value.
+
+    ```bash
+    aws s3api get-bucket-encryption --bucket <your-bucket-name>
+    ```
+
+    An output similar to the following displays:
+
+    ```json
+    {
+      "ServerSideEncryptionConfiguration": {
+        "Rules": [
+          {
+            "ApplyServerSideEncryptionByDefault": {
+              "SSEAlgorithm": "AES256"
+            },
+            "BucketKeyEnabled": false
+          }
+        ]
+      }
+    }
+    ```
+
+SSE-ONE is enabled on your bucket. Each object uploaded from now on will be automatically encrypted using AES-256 keys managed by Scaleway.
+
+## Disabling SSE-ONE on a bucket
+
+Objects uploaded **after** disabling SSE-ONE will not be automatically encrypted. However, objects existing in the bucket before disabling SSE-ONE will remain encrypted, as encryption occurs during object upload.
+
+1. Run the command below in a terminal to disable SSE-ONE on the target bucket. Make sure to replace `<your-bucket-name>` with the correct value. 
+
+    ```bash
+    aws s3api delete-bucket-encryption --bucket <your-bucket-name>
+    ```
+
+2. Run the following command to ensure the encryption was properly disabled. Do not forget to replace `<your-bucket-name>` with the correct value.
+
+    ```bash
+    aws s3api get-bucket-encryption --bucket <your-bucket-name>
+    ```
+
+    An output similar to the following displays:
+
+    ```json
+    {
+      "ServerSideEncryptionConfiguration": {}
+    }
+    ```
+
+SSE-ONE is now disabled, and can be [enabled again](#enabling-sse-one-on-a-bucket) at any time.
@@ -0,0 +1,58 @@
+---
+title: Enabling server-side encryption with object native encryption (SSE-ONE)
+description: Enable server-side encryption with object native encryption (SSE-ONE) for Object Storage using the Scaleway console.
+tags: object storage server side encryption sse one cli scaleway managed keys
+dates:
+  validation: 2026-02-24
+  posted: 2026-02-24
+---
+import Requirements from '@macros/iam/requirements.mdx'
+import SseOneIntroduction from '@macros/object-storage/sse-one-introduction.mdx'
+
+This page explains how to use SSE-ONE with the Scaleway Console. To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-one/).
+
+<SseOneIntroduction />
+
+<Requirements />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional)
+
+## How to enable SSE-ONE during bucket creation
+
+When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE using the toggle under **Bucket encryption**.
+
+Objects pushed to this bucket will be automatically encrypted at rest with keys managed by Scaleway.
+
+## How to enable SSE-ONE on an existing bucket
+
+1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.
+
+2. Click the name of the desired bucket. The **Overview** tab displays.
+
+3. Select the **Settings** tab.
+
+4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.
+
+5. Click the toggle to enable SSE-ONE, then click **Edit** to confirm.
+
+New objects uploaded to this bucket will be automatically encrypted at rest with keys managed by Scaleway.
+
+<Message type="important">
+Objects uploaded to this bucket before enabling SSE-ONE will not be encrypted.
+</Message>
+
+## How to disable SSE-ONE on an existing bucket
+
+1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.
+
+2. Click the name of the desired bucket. The **Overview** tab displays.
+
+3. Select the **Settings** tab.
+
+4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.
+
+5. Click the toggle to disable SSE-ONE, then click **Edit** to confirm.
+
+New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-ONE was enabled will remain encrypted.
@@ -58,6 +58,10 @@ export const objectStorageMenu = {
           label: 'Manage lifecycle rules',
           slug: 'manage-lifecycle-rules',
         },
+        {
+          label: 'Enable SSE-ONE',
+          slug: 'enable-sse-one',
+        },
         {
           label: 'Host healthcare data (HDS)',
           slug: 'host-healthcare-data',
@@ -141,6 +145,10 @@ export const objectStorageMenu = {
           label: 'Enabling SSE-C',
           slug: 'enable-sse-c',
         },
+        {
+          label: 'Enabling SSE-ONE',
+          slug: 'enable-sse-one',
+        },
         {
           label: 'Setting CORS rules',
           slug: 'setting-cors-rules',