diff --git a/weed/s3api/s3_bucket_encryption.go b/weed/s3api/s3_bucket_encryption.go
index 64a09c139..0d54c2cd5 100644
--- a/weed/s3api/s3_bucket_encryption.go
+++ b/weed/s3api/s3_bucket_encryption.go
@@ -2,6 +2,7 @@ package s3api
 
 import (
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -12,6 +13,9 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
 
+// ErrNoEncryptionConfig is returned when a bucket has no encryption configuration
+var ErrNoEncryptionConfig = errors.New("no encryption configuration found")
+
 // ServerSideEncryptionConfiguration represents the bucket encryption configuration
 type ServerSideEncryptionConfiguration struct {
 	XMLName xml.Name                   `xml:"ServerSideEncryptionConfiguration"`
@@ -186,7 +190,7 @@ func (s3a *S3ApiServer) GetBucketEncryptionConfig(bucket string) (*s3_pb.Encrypt
 	config, errCode := s3a.getEncryptionConfiguration(bucket)
 	if errCode != s3err.ErrNone {
 		if errCode == s3err.ErrNoSuchBucketEncryptionConfiguration {
-			return nil, fmt.Errorf("no encryption configuration found")
+			return nil, ErrNoEncryptionConfig
 		}
 		return nil, fmt.Errorf("failed to get encryption configuration")
 	}
diff --git a/weed/s3api/s3api_object_handlers_put.go b/weed/s3api/s3api_object_handlers_put.go
index 09c77ed4a..a4f4d8de8 100644
--- a/weed/s3api/s3api_object_handlers_put.go
+++ b/weed/s3api/s3api_object_handlers_put.go
@@ -384,7 +384,7 @@ func (s3a *S3ApiServer) putToFiler(r *http.Request, uploadUrl string, dataReader
 
 	glog.V(4).Infof("putToFiler: Chunked upload SUCCESS - path=%s, chunks=%d, size=%d",
 		filePath, len(chunkResult.FileChunks), chunkResult.TotalSize)
-	
+
 	// Log chunk details for debugging (verbose only - high frequency)
 	if glog.V(4) {
 		for i, chunk := range chunkResult.FileChunks {
@@ -1139,7 +1139,12 @@ func (s3a *S3ApiServer) applyBucketDefaultEncryption(bucket string, r *http.Requ
 	// Check if bucket has default encryption configured
 	encryptionConfig, err := s3a.GetBucketEncryptionConfig(bucket)
 	if err != nil {
-		// Failed to read encryption config - propagate error to prevent silent encryption bypass
+		// Check if this is just "no encryption configured" vs a real error
+		if errors.Is(err, ErrNoEncryptionConfig) {
+			// No default encryption configured, return original reader
+			return &BucketDefaultEncryptionResult{DataReader: dataReader}, nil
+		}
+		// Real error - propagate to prevent silent encryption bypass
 		return nil, fmt.Errorf("failed to read bucket encryption config: %v", err)
 	}
 	if encryptionConfig == nil {