Updated on 2024-02-22 GMT+08:00

Server-Side Encryption

Scenarios

After server-side encryption is enabled, objects uploaded to OBS will be encrypted and then stored on the server. When objects are downloaded, they will be decrypted on the server first and then returned in plaintext to you.

OBS provides the following server-side encryption methods that adopt the 256-bit Advanced Encryption Standard (AES-256).

  • Server-side encryption with keys hosted by KMS (SSE-KMS)

    With this method, you need to create a key using Key Management Service (KMS) or use the default key provided by KMS. The KMS key is then used for server-side encryption when you upload objects to OBS.

    You can enable SSE-KMS when creating a bucket. Then, all objects uploaded to the bucket can be encrypted. You can also enable SSE-KMS after a bucket is created. After SSE-KMS is enabled, the objects newly uploaded to the bucket will be encrypted.

    OBS encrypts only the objects uploaded after the default encryption function is enabled. The encryption status of existing objects in the bucket remains unchanged. Disabling default encryption does not change the encryption status of existing objects in a bucket. After this function is disabled, you can still manually encrypt objects upon upload.

    You can use OBS Console to configure SSE-KMS.

Constraints

  • Only one server-side encryption method can be used each time an object is uploaded.
  • If SSE-KMS is enabled for a bucket or the objects in it, you must have the kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, and kms:dek:crypto permissions granted by using IAM, so that you can upload objects to or download objects from the bucket.
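
The following IAM custom policy is an added example, not part of this page, showing the least-privilege grant that covers exactly the five KMS permissions listed above. It assumes the IAM custom-policy JSON format (Version 1.1) and that you attach it to the user or group that uploads to or downloads from the SSE-KMS bucket, alongside that principal's existing OBS permissions.

```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:cmk:get",
                "kms:cmk:list",
                "kms:cmk:create",
                "kms:dek:create",
                "kms:dek:crypto"
            ]
        }
    ]
}
```

If a principal only reads and writes objects and never needs to create new KMS keys, consider whether kms:cmk:create is required for your workflow before granting it.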

Background Information

In SSE-KMS mode, KMS uses a hardware security module (HSM) to protect key security, helping you easily create and control encryption keys. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. All operations performed on keys are controlled using access permissions and logged, meeting regulatory compliance requirements.

Precautions

When server-side encryption is disabled for a bucket, the encrypted objects must be accessed over HTTPS.

How to Use

You can use OBS Console to configure server-side encryption.