
Configuring Bucket Encryption

Overview

By configuring encryption for a bucket, you set a default encryption mode for objects uploaded to that bucket, so that objects are encrypted upon upload. Currently, only server-side encryption with keys hosted by KMS (SSE-KMS) is supported.

After server-side encryption is enabled, objects are encrypted and stored as ciphertext on the server. When an encrypted object is downloaded, the data is decrypted on the server and returned to the user in plaintext. For more information about server-side encryption and key management, see the server-side encryption descriptions in the OBS API Reference.

The bucket encryption configuration applies only to OBS 3.0 buckets. If you want to encrypt all objects in a bucket that has no default encryption configured, you must carry server-side encryption headers when uploading objects. In addition, you need to configure the bucket policy to deny object upload requests that carry no encryption information.

If you want to encrypt an object using a method other than the bucket encryption method, you need to carry the server-side encryption header and explicitly specify the encryption method.

How to Configure Encryption for a Bucket

You can use either of the following methods to configure encryption for a bucket:

  • Use OBS Console.
  • Call the API. For details, see descriptions about configuring bucket encryption in the OBS API Reference.

Bucket encryption poses the following restrictions on objects:

  • Objects that already existed in a bucket before default encryption was configured are not retroactively encrypted according to the bucket's encryption configuration.
  • After a bucket is encrypted:
    • If no server-side encryption information is carried in an object upload request, the object inherits the bucket's encryption configuration.
    • If server-side encryption information is specified in an object upload request, the object is encrypted using the method specified in the request.

Configuring Default Encryption for a Bucket Instead of Configuring a Bucket Policy for Encryption

If you currently enforce bucket encryption with a bucket policy that denies requests without encryption headers, you are advised to switch to configuring default encryption for the bucket instead.

  1. Delete the bucket policy statement that rejects upload requests that do not carry the encryption header. (You are advised to back up the bucket policy before replacing it.)
  2. Ensure that the encryption configuration of the bucket is correct. Currently, only server-side encryption using keys hosted by KMS (SSE-KMS) is supported.
  3. After objects are uploaded, download them and check whether the bucket's encryption configuration has taken effect.

After default encryption is configured for a bucket, objects uploaded without encryption headers in the request inherit the encryption configuration of the bucket.
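The inheritance rules above (request headers win, otherwise the bucket default applies, and pre-existing objects stay as they were) and the verification in step 3 can be checked mechanically. The following is an added example, not code from the OBS documentation or SDK; it assumes the OBS SSE-KMS header names `x-obs-server-side-encryption` and `x-obs-server-side-encryption-kms-key-id`, and uses constructed object metadata in place of real HEAD responses.

```python
# Added example (not part of the OBS documentation): compute the encryption an
# uploaded object ends up with under the bucket rules, and audit object metadata
# for objects that predate default encryption and therefore remain unencrypted.
# Header names are assumed to follow the OBS SSE-KMS convention; confirm them
# against the OBS API Reference before relying on this check.

SSE_HEADER = "x-obs-server-side-encryption"
KMS_KEY_HEADER = "x-obs-server-side-encryption-kms-key-id"


def effective_encryption(bucket_default, upload_headers):
    """Return the encryption an uploaded object receives, or None.

    bucket_default: the bucket's default encryption, e.g.
        {"mode": "kms", "key_id": "<key-id>"}, or None if not configured.
    upload_headers: headers carried by the upload request.
    A server-side encryption header in the request takes precedence; otherwise
    the object inherits the bucket default; with neither it is stored in plaintext.
    """
    if SSE_HEADER in upload_headers:
        return {"mode": upload_headers[SSE_HEADER],
                "key_id": upload_headers.get(KMS_KEY_HEADER)}
    if bucket_default:
        return dict(bucket_default)
    return None


def unencrypted_objects(object_metadata):
    """Return keys whose stored metadata shows no SSE-KMS encryption.

    object_metadata maps object key -> response headers from a HEAD request.
    Objects uploaded before default encryption was configured are not
    re-encrypted retroactively, so they show up here and must be re-uploaded
    (or copied) to be protected by the bucket's configuration.
    """
    return sorted(key for key, headers in object_metadata.items()
                  if headers.get(SSE_HEADER) != "kms")


if __name__ == "__main__":
    bucket_default = {"mode": "kms", "key_id": "PLACEHOLDER-KMS-KEY-ID"}
    # Constructed sample inventory: headers as a HEAD on each object would return.
    inventory = {
        "logs/2023-01.gz": {},  # uploaded before default encryption was set
        "logs/2024-01.gz": {SSE_HEADER: "kms",
                            KMS_KEY_HEADER: "PLACEHOLDER-KMS-KEY-ID"},
    }
    print("upload without headers gets:", effective_encryption(bucket_default, {}))
    print("objects still unencrypted:", unencrypted_objects(inventory))
```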

Applying Bucket Encryption to Cross-Region Replication

If default encryption is configured for the destination bucket, the following rules apply to replicated objects:

  • If the source bucket is not encrypted, object copies in the destination bucket inherit the encryption configuration of the destination bucket. As a result, the ETag of the source object differs from that of the object copy. Applications that rely on ETag comparison must be updated to handle this difference.
  • If the source bucket is encrypted in SSE-KMS mode, object copies in the destination bucket are encrypted the same way as the source bucket. The encryption configuration of the destination bucket does not apply.