diff --git a/rustfs/src/storage/sse.rs b/rustfs/src/storage/sse.rs
index 870d60952..3215cba26 100644
--- a/rustfs/src/storage/sse.rs
+++ b/rustfs/src/storage/sse.rs
@@ -168,14 +168,11 @@ async fn prepare_sse_configuration(
     }
 
     // Get bucket default encryption configuration.
-    // Only buckets with explicit SSE config return Ok; unconfigured buckets return ConfigNotFound.
     let bucket_sse_config_result = metadata_sys::get_sse_config(bucket).await;
     debug!("bucket_sse_config_result={:?}", bucket_sse_config_result);
 
     if let Ok((bucket_sse_config, _timestamp)) = bucket_sse_config_result {
-        // Use request SSE, or bucket's apply_server_side_encryption_by_default. Do NOT default to
-        // AES256 when neither is set (avoids forcing encryption for buckets without default SSE).
-        let effective_sse_opt = server_side_encryption.clone().or_else(|| {
+        let effective_sse = server_side_encryption.clone().or_else(|| {
             bucket_sse_config.rules.first().and_then(|rule| {
                 debug!("Processing SSE rule: {:?}", rule);
                 rule.apply_server_side_encryption_by_default.as_ref().map(|sse| {
@@ -188,11 +185,10 @@ async fn prepare_sse_configuration(
                 })
             })
         });
-
-        let Some(effective_sse) = effective_sse_opt else {
-            debug!("no request SSE and no bucket default SSE; skip encryption");
+        if effective_sse.is_none() {
             return Ok(None);
-        };
+        }
+
         debug!("effective_sse={:?} (original={:?})", effective_sse, server_side_encryption);
 
         let effective_kms_key_id = ssekms_key_id.or_else(|| {
@@ -204,7 +200,7 @@ async fn prepare_sse_configuration(
         });
 
         Ok(Some(SseConfiguration {
-            effective_sse,
+            effective_sse: effective_sse.unwrap(),
             effective_kms_key_id,
         }))
     } else if let Err(e) = bucket_sse_config_result {