Help Center/ Data Encryption Workshop/ Getting Started/ Performing OBS Server-Side Encryption with KMS Managed Keys
None

Performing OBS Server-Side Encryption with KMS Managed Keys

  • Data encryption Workshop (DEW) is a full-stack data encryption service in the cloud. The Key Management Service (KMS) provided by DEW is a secure, reliable, and easy-to-use cloud service that can help you manage and protect keys in a centralized manner.

  • With KMS, you can create keys and use the keys to encrypt files to be uploaded on the OBS server.

Step 1: Set the Environment.

1. Log in to the management console. Click Service List on the top navigation bar, and choose Storage Object Storage Service.
2. Click Create Bucket to create a bucket for storing uploaded files.

1

Selecting Object Storage Service (OBS)

Apply for a VPC.

2

Creating a bucket on OBS

Apply for an ECS.

View Image

Step 2: Create a key.

1. On the homepage of the management console, choose Security & Compliance > Data Encryption Service. The KMS page is displayed.
2. Above the list of keys, click Create Key in the upper right corner.
3. In the Create Key dialog box, enter an alias and description for the key, and click OK

Note

You can also import your keys to KMS for centralized management. Click here to learn how.

1

Selecting Data Encryption Workshop (DEW)

Select the charging mode.

2

Creating a key

Download and install a client.

3

Entering an alias and description

Access the cache instance.

View Image

Step 3: Upload a file to an OBS bucket.

1. On the console page of HUAWEI CLOUD, click Service List on the top navigation bar, and choose Storage Object Storage Service . Click the target bucket to go to the Summary page of the bucket. 
2. In the navigation pane on the left, click Objects . The object list is displayed. Then click Upload File on top of the object list. 
3. Select the file that you want to upload. Choose SSE-KMS for encryption, specify an encryption key type, and click Upload.

Note

1. To perform OBS server-side encryption, you can use the default keys generated by KMS or the custom keys created by yourself. 
2. To understand differences between a default Key and a custom key, click here.

1

Bucket details

Obtain the instance's connection address.

2

Selecting a file to be uploaded

Download and install a client.

3

Configuring KMS encryption

Access the cache instance.

View Image

Step 4: Manage the lifecycle keys.

1. You can easily enable, disable, delete, and cancel the deletion of one or more keys. 
2. You can add tags to keys by department or user role. Example: Department: O&M

3. You can enable rotation for a custom key. KMS will automatically generate a new version of the key.
4. You can authorize other users to use your customer master keys (CMKs).

1

Full lifecycle management

Obtain the instance's connection address.

2

Adding tags

Download and install a client.

3

Rotating a key

Obtain the instance's connection address.

4

Creating a grant

Obtain the instance's connection address.

View Image