Updated on 2022-09-15 GMT+08:00

Encrypting Data in OBS

Overview

After server-side encryption is enabled, data of an object uploaded to Object Storage Service (OBS) is encrypted on the server before being stored. When the object is downloaded, data is decrypted on the server first.

KMS uses a third-party hardware security module (HSM) to protect keys, enabling you to create and manage encryption keys easily. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. With KMS, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

Server-side encryption with KMS-managed keys (SSE-KMS) can be applied to the objects you upload. You need to create a key in KMS or use the default key that KMS provides. OBS then uses that key to encrypt the object on the server when it is uploaded.

Uploading Files in Server-side Encryption Mode (on the Console)

  1. In the bucket list on the OBS console, click a bucket to go to the Overview page.
  2. In the navigation tree on the left, choose Objects.
  3. Click Upload Object. The Upload Object dialog box is displayed.
  4. Select the file to be uploaded and click Open.
  5. Select KMS encryption and a key, as shown in Figure 1. Then click Upload.

    Figure 1 Encrypting an object to be uploaded

    Key name: Name of the primary key. The key is created in DEW and is used to encrypt and protect the object data. OBS provides a default key, obs/default. You can use the default key or create your own key in DEW.

  6. After uploading the object, click it to view its encryption status.

    • The encryption status of an object cannot be changed after upload.
    • Do not delete a key that is in use. If the key is deleted, objects encrypted with it can no longer be downloaded.

Uploading Files in Server-side Encryption Mode (Through an API)

You can call the required API of OBS to upload a file in SSE-KMS mode. For details, see Object Storage Service API Reference.
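The following is an added example, not code from the OBS documentation or from Huawei's SDK. It shows the two pieces a practitioner needs around the console and API procedures above: the request headers that ask OBS for SSE-KMS on upload (with or without an explicit key, the no-key case corresponding to the default key), and a small audit over object HEAD responses that flags objects stored without SSE-KMS or encrypted with a key that is no longer active, which is the situation the key-deletion note above warns about. The header names x-obs-server-side-encryption and x-obs-server-side-encryption-kms-key-id are taken from the OBS REST API convention; confirm them against the current Object Storage Service API Reference before relying on them. All key IDs and response headers below are constructed sample values.

```python
"""Added example (not from the OBS documentation or Huawei's SDK): building the
SSE-KMS request headers for an OBS object upload and auditing HEAD-object
responses for encryption status. Header names follow the OBS REST API
convention and should be confirmed against the OBS API Reference. All sample
responses and key IDs here are constructed."""

from typing import Dict, Iterable, List, Optional, Tuple

# OBS REST header names for SSE-KMS (assumption: verify in the API Reference).
SSE_HEADER = "x-obs-server-side-encryption"
SSE_KMS_KEY_HEADER = "x-obs-server-side-encryption-kms-key-id"


def sse_kms_headers(kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """Return the extra request headers that ask OBS to encrypt the uploaded
    object with a KMS-managed key. Without a key ID, OBS falls back to the
    default key (shown as obs/default on the console)."""
    headers = {SSE_HEADER: "kms"}
    if kms_key_id:
        headers[SSE_KMS_KEY_HEADER] = kms_key_id
    return headers


def encryption_status(response_headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Read the encryption state of a stored object from its HEAD/GET response
    headers. HTTP header names are case-insensitive, so match them lowered."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    mode = lowered.get(SSE_HEADER)
    return {
        "mode": mode,
        "kms_key_id": lowered.get(SSE_KMS_KEY_HEADER) if mode == "kms" else None,
    }


def audit_objects(
    objects: Iterable[Tuple[str, Dict[str, str]]], active_key_ids: Iterable[str]
) -> List[str]:
    """Flag objects that are stored without SSE-KMS, or encrypted with a key
    that is not in the set of active KMS keys. The second case matters because
    an object whose key has been deleted can no longer be downloaded."""
    active = set(active_key_ids)
    findings: List[str] = []
    for name, resp_headers in objects:
        status = encryption_status(resp_headers)
        if status["mode"] != "kms":
            findings.append(f"{name}: not encrypted with SSE-KMS")
        elif status["kms_key_id"] and status["kms_key_id"] not in active:
            findings.append(f"{name}: key {status['kms_key_id']} is not an active key")
    return findings


# Constructed sample HEAD-object responses (not real OBS output).
SAMPLE_OBJECTS = [
    ("reports/q1.pdf", {"Content-Length": "1024",
                        "x-obs-server-side-encryption": "kms",
                        "x-obs-server-side-encryption-kms-key-id": "KEY-ACTIVE-0001"}),
    ("reports/q2.pdf", {"Content-Length": "2048"}),
    ("archive/2019.tar", {"X-OBS-Server-Side-Encryption": "kms",
                          "X-OBS-Server-Side-Encryption-KMS-Key-Id": "KEY-DELETED-9999"}),
]
# Constructed list of keys currently enabled in KMS.
ACTIVE_KEYS = ["KEY-ACTIVE-0001"]

if __name__ == "__main__":
    print(sse_kms_headers("KEY-ACTIVE-0001"))
    for line in audit_objects(SAMPLE_OBJECTS, ACTIVE_KEYS):
        print(line)
```

In practice the response dictionaries would come from a HEAD request on each object (or from the SDK's head/get metadata call), and the active key list from KMS; the audit then gives an operator a list of objects that either bypassed SSE-KMS or depend on a key that no longer exists, before a download failure reveals it.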