Help Center/ Object Storage Service/ Console Operation Guide/ Data Security/ Configuring Server-Side Encryption/ Configuring Bucket Server-Side Encryption
Updated on 2025-07-31 GMT+08:00
View PDF

Configuring Bucket Server-Side Encryption

You can configure server-side encryption for an OBS bucket. Once configured, any objects you upload to the bucket will be encrypted with the specified KMS key by default.

You can enable encryption (by choosing SSE-KMS or SSE-OBS) when creating a bucket (see Creating a Bucket). You can also enable or disable encryption for an existing bucket.

OBS only encrypts the objects uploaded after server-side encryption is enabled for the bucket, and does not encrypt those uploaded before. After server-side encryption is disabled, encryption status of existing objects in the bucket remains unchanged, and you can still encrypt objects when you upload them.

Enabling Server-Side Encryption for a Bucket

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate to go to the Objects page.
  3. In the navigation pane, choose Overview.
  4. In the Basic Configurations area, click Server-Side Encryption. The Server-Side Encryption dialog box is displayed.
  5. Enable Server-Side Encryption. Select SSE-KMS or SSE-OBS.

    If you choose SSE-KMS for encryption, you must specify an encryption key type (Default or Custom). If Default is used, the default key of the current region will be used to encrypt your objects. If there is no such a default key, OBS creates one the first time you upload an object. If Custom is used, you can click View KMS Keys to switch to the KMS console to create a custom key. Then go back to OBS Console and select the key from the drop-down list.

    Figure 1 Choosing SSE-KMS for a bucket

    When SSE-OBS is chosen, the keys created and managed by OBS are used for encryption.

    Figure 2 Choosing SSE-OBS for a bucket

  6. Click OK.

Disabling Server-Side Encryption for a Bucket

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate to go to the Objects page.
  3. In the navigation pane, choose Overview.
  4. In the Basic Configurations area, click Server-Side Encryption. The Server-Side Encryption dialog box is displayed.
  5. Select Disable.
  6. Click OK.