Encrypting Data in OBS
Overview
After server-side encryption is enabled, data of an object uploaded to Object Storage Service (OBS) is encrypted on the server before being stored. When the object is downloaded, data is decrypted on the server first.
KMS uses a third-party hardware security module (HSM) to protect keys, enabling you to create and manage encryption keys easily. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. With KMS, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.
Server-side encryption with KMS-managed keys (SSE-KMS) can be implemented for the objects to be uploaded. You need to create a key using KMS or use the default key provided by KMS. Then you can use the key to encrypt the object on the server when uploading the object to OBS.
Uploading Files in Server-side Encryption Mode (on the Console)
- In the bucket list on the OBS console, click a bucket to go to the Overview page.
- In the navigation tree on the left, choose Objects.
- Click Upload Object. The Upload Object dialog box is displayed.
- Select the file to be uploaded and click Open.
- Select KMS encryption and a key, as shown in Figure 1. Then click Upload.
Key name: Name of the primary key. The key is created in DEW and is used to encrypt and protect data. OBS provides a default key, obs/default. You can use the default key or create a key in DEW.
- After uploading the object, click it to view its encryption status.
NOTE:
- The object encryption status cannot be changed.
- A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.
Uploading Files in Server-side Encryption Mode (Through an API)
You can call the required API of OBS to upload a file in SSE-KMS mode. For details, see Object Storage Service API Reference.
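The API upload and the encryption-status check described above, as an added Python example (not part of the original page and not Huawei's SDK). It builds the SSE-KMS headers for a PUT Object request and audits response headers for objects that are unencrypted or encrypted with an unexpected key. Assumptions: the header names follow the OBS API's SSE-KMS headers, the function names are hypothetical, and the key IDs, object names and region/domain values are constructed.

```python
# Added example, not Huawei's code. Header names follow the OBS API's SSE-KMS
# convention; key IDs and object names below are constructed sample values.
SSE_HEADER = "x-obs-server-side-encryption"
SSE_KEY_HEADER = "x-obs-server-side-encryption-kms-key-id"


def sse_kms_headers(key_id=None):
    """Headers to add to a PUT Object request so OBS encrypts with SSE-KMS."""
    # Assumption: when no key ID is sent, OBS uses the default key (obs/default).
    headers = {SSE_HEADER: "kms"}
    if key_id:
        headers[SSE_KEY_HEADER] = key_id
    return headers


def check_encryption(response_headers, expected_key_id=None):
    """Classify the headers returned for one object (PUT or HEAD response)."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    mode = h.get(SSE_HEADER)
    if mode is None:
        return "not-encrypted"
    if mode.lower() != "kms":
        return "wrong-mode"
    if expected_key_id is not None:
        # Assumption: the key may come back as "<region>:<domain>:key/<id>",
        # so only the trailing key ID is compared.
        actual = h.get(SSE_KEY_HEADER, "").rsplit("/", 1)[-1]
        if actual != expected_key_id.rsplit("/", 1)[-1]:
            return "wrong-key"
    return "ok"


def audit(objects, expected_key_id):
    """Return {object_name: finding} for every object that is not 'ok'."""
    results = {n: check_encryption(h, expected_key_id) for n, h in objects.items()}
    return {n: s for n, s in results.items() if s != "ok"}


KEY = "11111111-2222-3333-4444-555555555555"  # constructed key ID
SAMPLE = {  # constructed response headers, one entry per object
    "reports/q1.csv": {"X-Obs-Server-Side-Encryption": "kms",
                       "X-Obs-Server-Side-Encryption-Kms-Key-Id": f"region-a:domain-a:key/{KEY}"},
    "reports/q2.csv": {"Content-Type": "text/csv"},
    "reports/q3.csv": {"x-obs-server-side-encryption": "kms",
                       "x-obs-server-side-encryption-kms-key-id": "99999999-0000-0000-0000-000000000000"},
}

print(audit(SAMPLE, KEY))
```

Because the encryption status of an object cannot be changed after upload, an object flagged here has to be uploaded again with the SSE-KMS headers set.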