SSE-KMS
Functions
With SSE-KMS, OBS uses the keys provided by Key Management Service (KMS) for server-side encryption. You can create custom keys on KMS to encrypt your objects. If you do not specify a key, OBS creates a default key the first time you upload an object to the bucket. Custom keys or default keys are used to encrypt and decrypt data encryption keys (DEKs).
When a custom KMS key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.
When the default KMS key in a region is used to encrypt an object, this default key belongs to the object owner. Only the key owner (also the object owner) can upload or download this object.
Newly Added Headers
Two headers are added for SSE-KMS. You can configure the headers listed in Table 1 to enable SSE-KMS.
You can also configure the default encryption for a bucket to encrypt objects you upload to the bucket. After default encryption is enabled for a bucket, any object upload request without encryption header included will inherit the bucket's encryption settings. For details, see Configuring Bucket Encryption.
|
Element |
Description |
|---|---|
|
x-obs-server-side-encryption |
Indicates that SSE-KMS is used for encrypting objects. Type: string Example: x-obs-server-side-encryption:kms |
|
x-obs-server-side-encryption-kms-key-id |
Indicates the master key for encrypting the object when SSE-KMS is used. If this header is not provided, the default master key will be used. If there is no such a default master key, OBS will create one and use it by default. Type: string The following two formats are supported: - regionID:domainID:key/key_id - key_id regionID indicates the ID of the region where the key belongs. domainID indicates the ID of the tenant where the key belongs. key_id indicates the ID of the key created. Examples: |
APIs Where SSE-KMS Headers Apply
You can configure headers about SSE-KMS in the APIs below:
- Uploading Objects - PUT
- Uploading Objects - POST: x-obs-server-side-encryption and x-obs-server-side-encryption-kms-key-id need to be placed in the form instead of headers.
- Copying Objects (The newly added headers apply to object copies.)
- Initiating a Multipart Upload
You can configure a bucket policy to restrict the request headers for a specified bucket. For example, if you require that object upload requests do not contain header x-obs-server-side-encryption:"kms", you can use the following bucket policy:
{
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "PutObject",
"Resource": "YourBucket/*",
"Condition": {
"StringNotEquals": {
"x-obs-server-side-encryption": "kms"
}
}
}
]
}
Sample Request: Using the Default Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 10 11 |
PUT /encryp1 HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu Accept: */* Date: Wed, 06 Jun 2018 09:08:21 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU= x-obs-server-side-encryption:kms Content-Length: 5242 Expect: 100-continue [5242 Byte object contents] |
Sample Response: Using the Default Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC Date: Wed, 06 Jun 2018 09:08:21 GMT Content-Length: 0 |
Sample Request: Using a Custom Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 10 11 12 |
PUT /encryp1 HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu Accept: */* Date: Wed, 06 Jun 2018 09:08:50 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/PWjkXYTYGs5lPOctTNEI2QENU= x-obs-server-side-encryption:kms x-obs-server-side-encryption-kms-key-id: 522d6070-5ad3-4765-43a7-a7d1-ab21f498482d Content-Length: 5242 Expect: 100-continue [5242 Byte object contents] |
Sample Response: Using a Custom Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-43a7-a7d1-ab21f498482d x-obs-id-2: 32AAAUJAIAABAdiAEAABA09AEAABCTv7cHmAn12BAG83ibUsiET5eqlCqg Date: Wed, 06 Jun 2018 09:08:50 GMT Content-Length: 0 |
Sample Request: Using a Key to Encrypt an Object Copy
1 2 3 4 5 6 7 8 9 |
PUT /destobject HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu x-obs-server-side-encryption:kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb Accept: */* Date: Wed, 06 Jun 2018 09:10:29 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI= x-obs-copy-source: /bucket/srcobject1 |
Sample Response: Using a Key to Encrypt an Object Copy
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BB78000001648480AF3900CED7F15155 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS Date: Wed, 06 Jun 2018 09:10:29 GMT Content-Length: 0 |
Sample Request: Uploading an Encrypted Object Using a Signed URL
PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&Expires=1534152518&x-obs-server-side-encryption=kms&Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu Accept: */* Date: Wed, 06 Jun 2018 09:10:29 GMT
Sample Response: Uploading an Encrypted Object Using a Signed URL
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BB78000001648480AF3900CED7F15155 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS Date: Wed, 06 Jun 2018 09:10:29 GMT Content-Length: 0 |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
