Server-Side Encryption (SDK for Python)
Function
This API configures server-side encryption for objects, so that they will be encrypted or decrypted when you upload them to or download them from a bucket.
The encryption and decryption happen on the server side.
There are different encryption methods for you to choose from. Available encryption methods include server-side encryption with KMS-managed keys (SSE-KMS) and server-side encryption with customer-provided keys (SSE-C). Both methods use the AES-256 algorithm.
With SSE-KMS, OBS uses the keys provided by KMS for server-side encryption.
With SSE-C, OBS uses the keys and MD5 values provided by customers for server-side encryption.
When server-side encryption is used, the returned ETag value is not the object's MD5 value. OBS will verify the object's MD5 value as long as the upload request includes the Content-MD5 header, no matter whether server-side encryption is used or not.
For more information, see Server-Side Encryption.
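The two MD5 values mentioned above (the MD5 of an SSE-C key and the Content-MD5 of the object) can be prepared and checked locally. The following is an added example, not code from the OBS SDK or this page; the function names are hypothetical, and the base64 encodings of the key and key MD5 are an assumption (the S3-style SSE-C convention), since this page does not state the wire format.

```python
import base64
import hashlib
import hmac
import secrets

SSE_C_KEY_BYTES = 32  # AES-256 uses a 256-bit key


def new_sse_c_key() -> bytes:
    """Return a fresh random 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(SSE_C_KEY_BYTES)


def sse_c_key_material(key: bytes) -> dict:
    """Key and MD5-of-key, both base64 (assumed encoding, see lead-in).

    The MD5 is a transmission checksum for the key, not a security control.
    """
    if len(key) != SSE_C_KEY_BYTES:
        raise ValueError("SSE-C with AES-256 needs exactly 32 key bytes")
    return {
        "key_b64": base64.b64encode(key).decode("ascii"),
        "key_md5_b64": base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def content_md5(stream, chunk_size: int = 1 << 20) -> str:
    """Content-MD5 value (RFC 1864): base64 of the raw MD5 digest, streamed."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return base64.b64encode(digest.digest()).decode("ascii")


def etag_is_content_md5(etag: str, content_md5_b64: str) -> bool:
    """True only if the ETag equals the hex MD5 of the content.

    With server-side encryption this is expected to be False, so integrity
    checks should compare plaintext digests rather than trust the ETag.
    """
    expected_hex = base64.b64decode(content_md5_b64).hex()
    return hmac.compare_digest(etag.strip('"').lower(), expected_hex)
```

Store the SSE-C key outside OBS: the same key must be supplied again to download the object.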
Restrictions
- To upload an object, you must be the bucket owner or have the required permission (obs:object:PutObject in IAM or PutObject in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Configuring an Object Policy.
Method
ObsClient.putFile(bucketName, objectKey, file_path, metadata, headers)
Supported APIs
The following table lists APIs related to server-side encryption:
| Method in OBS SDK for Python | Description | Supported Encryption Method |
|---|---|---|
| ObsClient.putContent | Sets the encryption algorithm and key during object upload to enable server-side encryption. | SSE-KMS, SSE-C |
| ObsClient.putFile | Sets the encryption algorithm and key during file upload to enable server-side encryption. | SSE-KMS, SSE-C |
| ObsClient.getObject | Sets the decryption algorithm and key during object download to decrypt the object. | SSE-C |
| ObsClient.copyObject | | SSE-KMS, SSE-C |
| ObsClient.getObjectMetadata | Sets the decryption algorithm and key when obtaining the object metadata to decrypt the object. | SSE-C |
| ObsClient.initiateMultipartUpload | Sets the encryption algorithm and key when initializing a multipart upload task to enable server-side encryption for the final object generated. | SSE-KMS, SSE-C |
| ObsClient.uploadPart | Sets the encryption algorithm and key during multipart upload to enable server-side encryption for parts. | SSE-C |
| ObsClient.copyPart | | SSE-C |
Responses
| Type | Description |
|---|---|
| | Explanation: SDK common results |

| Parameter | Type | Description |
|---|---|---|
| status | int | Explanation: HTTP status code. Value range: A status code is a group of digits ranging from 2xx (indicating successes) to 4xx or 5xx (indicating errors). It indicates the status of a response. For more information, see Status Code. Default value: None |
| reason | str | Explanation: Reason description. Default value: None |
| errorCode | str | Explanation: Error code returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None |
| errorMessage | str | Explanation: Error message returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None |
| requestId | str | Explanation: Request ID returned by the OBS server. Default value: None |
| indicator | str | Explanation: Error indicator returned by the OBS server. Default value: None |
| hostId | str | Explanation: Requested server ID. If the value of status is less than 300, this parameter is left blank. Default value: None |
| resource | str | Explanation: Error source (a bucket or an object). If the value of status is less than 300, this parameter is left blank. Default value: None |
| header | list | Explanation: Response header list, composed of tuples. Each tuple consists of two elements, respectively corresponding to the key and value of a response header. Default value: None |
| body | object | Explanation: Result content returned after the operation is successful. If the value of status is larger than 300, this parameter is left blank. The value varies with the API being called. For details, see Bucket-Related APIs (SDK for Python) and Object-Related APIs (SDK for Python). Default value: None |
Code Examples
This example uploads and downloads an encrypted file using SSE-KMS.
```python
from obs import ObsClient
from obs import PutObjectHeader, GetObjectHeader
from obs import SseKmsHeader
import os
import traceback

# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Hard-coded credentials may be leaked.
# Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
security_token = os.getenv("SecurityToken")
# Set server to the endpoint corresponding to the bucket. EU-Dublin is used here as an example. Replace it with the one in use.
server = "https://obs.eu-west-101.myhuaweicloud.eu"

# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
    put_headers = PutObjectHeader()
    # Specify the SSE-KMS encryption header for the object upload request.
    put_headers.sseHeader = SseKmsHeader.getInstance()

    bucketName = "examplebucket"
    # Specify an object name (the name displayed after the file is uploaded to the bucket).
    objectKey = "objectname"
    # Specify the full path of the file or folder to be uploaded, for example, aa/bb.txt or aa/.
    file_path = 'localfile'
    # Upload the object.
    resp = obsClient.putFile(bucketName, objectKey, file_path, headers=put_headers)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp.status < 300:
        print('Put File Succeeded')
        print('requestId:', resp.requestId)
    else:
        print('Put File Failed')
        print('requestId:', resp.requestId)
        print('errorCode:', resp.errorCode)
        print('errorMessage:', resp.errorMessage)

    # ---------------------------------------------------------------------
    get_headers = GetObjectHeader()
    # Specify the SSE-KMS decryption header for the object download request.
    get_headers.sseHeader = SseKmsHeader.getInstance()

    bucketName = "examplebucket"
    objectKey = "objectname"
    # Specify the full path (localfile as an example) to which objects are downloaded. The full path contains the local file name.
    downloadPath = 'localfile'
    # Download the object.
    resp2 = obsClient.getObject(bucketName, objectKey, downloadPath, headers=get_headers)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp2.status < 300:
        print('Get Object Succeeded')
        print('requestId:', resp2.requestId)
    else:
        print('Get Object Failed')
        print('requestId:', resp2.requestId)
        print('errorCode:', resp2.errorCode)
        print('errorMessage:', resp2.errorMessage)
except Exception:
    # Catch SDK and I/O errors without swallowing KeyboardInterrupt/SystemExit.
    print(traceback.format_exc())
```
This example uploads and downloads an encrypted file using SSE-C.
```python
from obs import ObsClient
from obs import PutObjectHeader, GetObjectHeader
from obs import SseCHeader
import os
import traceback

# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Hard-coded credentials may be leaked.
# Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
security_token = os.getenv("SecurityToken")
# Set server to the endpoint corresponding to the bucket. EU-Dublin is used here as an example. Replace it with the one in use.
server = "https://obs.eu-west-101.myhuaweicloud.eu"

# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
    put_headers = PutObjectHeader()
    # Specify the SSE-C encryption header for the object upload request. encryption indicates the encryption method and key indicates the SSE-C key generated by the AES-256 algorithm.
    put_headers.sseHeader = SseCHeader(encryption='AES256', key='your sse-c key generated by AES-256 algorithm')

    bucketName = "examplebucket"
    # Specify an object name (the name displayed after the file is uploaded to the bucket).
    objectKey = "objectname"
    # Specify the full path of the file or folder to be uploaded, for example, aa/bb.txt or aa/.
    file_path = 'localfile'
    # Upload the object.
    resp = obsClient.putFile(bucketName, objectKey, file_path, headers=put_headers)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp.status < 300:
        print('Put File Succeeded')
        print('requestId:', resp.requestId)
    else:
        print('Put File Failed')
        print('requestId:', resp.requestId)
        print('errorCode:', resp.errorCode)
        print('errorMessage:', resp.errorMessage)

    # ---------------------------------------------------------------------
    get_headers = GetObjectHeader()
    # Specify the SSE-C decryption header for an object download request. The key used here must be the one used for uploading the object.
    get_headers.sseHeader = SseCHeader(encryption='AES256', key='your sse-c key generated by AES-256 algorithm')

    bucketName = "examplebucket"
    objectKey = "objectname"
    # Specify the full path (localfile as an example) to which objects are downloaded. The full path contains the local file name.
    downloadPath = 'localfile'
    # Download the object.
    resp2 = obsClient.getObject(bucketName, objectKey, downloadPath, headers=get_headers)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp2.status < 300:
        print('Get Object Succeeded')
        print('requestId:', resp2.requestId)
    else:
        print('Get Object Failed')
        print('requestId:', resp2.requestId)
        print('errorCode:', resp2.errorCode)
        print('errorMessage:', resp2.errorMessage)
except Exception:
    # Catch SDK and I/O errors without swallowing KeyboardInterrupt/SystemExit.
    print(traceback.format_exc())
```