SSE-KMS
Functions
With SSE-KMS, OBS uses the keys provided by Key Management Service (KMS) for server-side encryption. You can create custom keys on KMS to encrypt your objects. If you do not specify a key, OBS creates a default key the first time you upload an object to the bucket. Custom keys or default keys are used to encrypt and decrypt data encryption keys (DEKs).
When a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.
Newly Added Headers
Two headers are added for SSE-KMS. You can configure the headers listed in Table 1 to enable SSE-KMS.
You can also configure the default encryption for a bucket to encrypt objects you upload to the bucket. After default encryption is enabled for a bucket, any object upload request without encryption header included will inherit the bucket's encryption settings. For details, see Configuring Bucket Encryption.
|
Element |
Description |
|---|---|
|
x-obs-server-side-encryption |
Indicates that SSE-KMS is used for encrypting objects. Type: string Example: x-obs-server-side-encryption:kms |
|
x-obs-server-side-encryption-kms-key-id |
Indicates the master key for encrypting the object when SSE-KMS is used. If this header is not provided, the default master key will be used. If there is no such a default master key, OBS will create one and use it by default. Type: string The following two formats are supported: - regionID:domainID:key/key_id - key_id regionID indicates the ID of the region where the key belongs. domainID indicates the ID of the tenant where the key belongs. key_id indicates the ID of the key created in KMS. Examples: - x-obs-server-side-encryption-kms-key-id:region:domainiddomainiddomainiddoma0001:key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0 - x-obs-server-side-encryption-kms-key-id:4f1cd4de-ab64-4807-920a-47fc42e7f0d0 |
APIs Where SSE-KMS Headers Apply
You can configure headers about SSE-KMS in the APIs below:
- Uploading Objects - PUT
- Uploading Objects - POST: x-obs-server-side-encryption and x-obs-server-side-encryption-kms-key-id need to be placed in the form instead of headers.
- Copying Objects (The newly added headers apply to object copies.)
- Initiating a Multipart Upload
You can configure a bucket policy to restrict the request headers for a specified bucket. For example, if you require that object upload requests do not contain header x-obs-server-side-encryption:"kms", you can use the following bucket policy:
{
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "PutObject",
"Resource": "YourBucket/*",
"Condition": {
"StringNotEquals": {
"x-obs-server-side-encryption": "kms"
}
}
}
]
}
Sample Request: Using the Default Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 10 11 |
PUT /encryp1 HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:08:21 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU=
x-obs-server-side-encryption:kms
Content-Length: 5242
Expect: 100-continue
[5242 Byte object contents]
|
Sample Response: Using the Default Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC
Date: Wed, 06 Jun 2018 09:08:21 GMT
Content-Length: 0
|
Sample Request: Using a Custom Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 10 11 12 |
PUT /encryp1 HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:08:50 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/PWjkXYTYGs5lPOctTNEI2QENU=
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id: 522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
Content-Length: 5242
Expect: 100-continue
[5242 Byte object contents]
|
Sample Response: Using a Custom Key to Encrypt an Object
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
x-obs-id-2: 32AAAUJAIAABAdiAEAABA09AEAABCTv7cHmAn12BAG83ibUsiET5eqlCqg
Date: Wed, 06 Jun 2018 09:08:50 GMT
Content-Length: 0
|
Sample Request: Using a Key to Encrypt an Object Copy
1 2 3 4 5 6 7 8 9 |
PUT /destobject HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
Accept: */*
Date: Wed, 06 Jun 2018 09:10:29 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI=
x-obs-copy-source: /bucket/srcobject1
|
Sample Response: Using a Key to Encrypt an Object Copy
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BB78000001648480AF3900CED7F15155
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date: Wed, 06 Jun 2018 09:10:29 GMT
Content-Length: 0
|
Sample Request: Uploading an Encrypted Object Using a Signed URL
PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&Expires=1534152518&x-obs-server-side-encryption=kms&Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.example.com Accept: */* Date: Wed, 06 Jun 2018 09:10:29 GMT
Sample Response: Uploading an Encrypted Object Using a Signed URL
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BB78000001648480AF3900CED7F15155
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date: Wed, 06 Jun 2018 09:10:29 GMT
Content-Length: 0
|
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
