nglange
commented
5 years ago Great question. Yes, it's totally normal. What's happening is that when you send the request to COS to access an object, the system will check to see if you have access to the KP Root Key that is associated with the bucket. If you do, then COS will grab the key and decrypt the data for you.
I am using the API to create buckets with Key Protect encryption. However, when I have items in such a bucket, I do not need the Key Protect key to access it and see it unencrypted. Is this normal? I would expect to need to use the key to decrypt the objects in a bucket. Thanks.