Updated on 2025-07-31 GMT+08:00

Enabling Server-Side Encryption When Uploading an Object

OBS allows you to encrypt objects with server-side encryption so that the objects can be securely stored in OBS.

When you upload an object to a bucket with server-side encryption disabled, you can separately configure server-side encryption for the object. If the bucket has server-side encryption enabled, the object you upload inherits encryption from the bucket by default. You can also configure a different encryption setting for the object instead of inheriting the bucket's.

Constraints

  • The object encryption status cannot be changed.
  • A key that is in use must not be deleted. Otherwise, objects encrypted with this key cannot be downloaded.
  • If an object is server-side encrypted and does not have any IAM agency, other accounts and users cannot access the object even if they have read permission for it.

Prerequisites

In the region where OBS is deployed, the KMS Administrator permission has been added to the user group. For details about how to add the permission, see Assigning Permissions to an IAM User. If the current account or user is the grantee, it also requires the KMS Administrator permission.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to work with to go to the Objects page.
  3. Click Upload Object. The Upload Object dialog box is displayed.
  4. Add the files to be uploaded.
  5. Enable Inherit from bucket if your bucket has server-side encryption enabled and the objects to be uploaded need to inherit the encryption configuration of the bucket.

    Figure 1 Inherit from bucket

    If your bucket has server-side encryption disabled, or it has server-side encryption enabled but you need a different encryption configuration for its objects, select SSE-KMS or SSE-OBS based on service requirements. If SSE-KMS is selected, you need to select an encryption key type.

    • If Default is selected, the default key of the current region will be used to encrypt your objects. If there is no such default key, OBS creates one the first time you upload an object.
    • If Custom is selected, you can click View KMS Keys to switch to the KMS console to create a custom key. Then go back to OBS Console and select the key from the drop-down list.
    Figure 2 Configuring encryption for an object in a bucket with server-side encryption disabled
    Figure 3 Configuring encryption for an object in a bucket with server-side encryption enabled

  6. Click Upload.

    After the object is uploaded, you can view its encryption status on its details page.