Updated on 2026-01-16 GMT+08:00

Configuring Bucket Encryption

Functions

OBS uses the PUT method to create or update the default server-side encryption for a bucket.

After you configure encryption for a bucket, objects uploaded to this bucket will be encrypted with the bucket encryption settings you specified. Currently, OBS supports server-side encryption with KMS-managed keys (SSE-KMS). For details, see Server-Side Encryption.

To perform this operation, you must have the PutEncryptionConfiguration permission. By default, the bucket owner has this permission and can grant it to others.

Request Syntax (SSE-KMS AES256)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
PUT /?encryption  HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.example.com
Accept: */*
Date: date 
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Request Parameters

This request contains no message parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

In this request, you need to carry the bucket encryption configuration in the request body. The bucket encryption configuration information is uploaded in the XML format. Table 1 lists the configuration elements.

Table 1 Configuration elements of bucket encryption

Parameter

Mandatory (Yes/No)

Type

Description

ServerSideEncryptionConfiguration

Yes

Container

Definition:

Root element of the default encryption configuration of a bucket. ServerSideEncryptionConfiguration is the parent node of Rule.

Constraints:

None

Range:

None

Default value:

None

Rule

Yes

Container

Definition:

The child element of the default bucket encryption configuration. Rule is the parent node of ApplyServerSideEncryptionByDefault.

Constraints:

None

Range:

For details, see Rule parameters.

Default value:

None

Table 2 Rule parameter description

Parameter

Mandatory (Yes/No)

Type

Description

ApplyServerSideEncryptionByDefault

Yes

Container

Definition:

Child element of the default encryption configuration of a bucket.

Constraints:

None

Range:

For details, see Table 3.

Default value:

None

Table 3 ApplyServerSideEncryptionByDefault parameters

Parameter

Mandatory (Yes/No)

Type

Description

SSEAlgorithm

Yes

String

Definition:

Server-side encryption algorithm used for the default encryption configuration of a bucket.

Constraints:

None

Range:

  • kms: SSE-KMS encryption and the AES256 algorithm are used.
  • AES256: SSE-OBS encryption and the AES256 algorithm are used.

Default value:

None

KMSMasterKeyID

No

String

Definition:

KMS master key ID used in SSE-KMS encryption.

Constraints:

  • If this parameter is not specified, the default master key will be used.
  • If BucketKeyEnabled is set to true, the value of KMSMasterKeyID is the ID of the master key created on KMS.

Range:

  • regionID:domainID:key/key_id
  • key_id

In the preceding formats:

  • regionID indicates the ID of the region where the key belongs.
  • domainID indicates the ID of the domain to which the key belongs. For details, see Obtaining a Domain ID and a User ID.
  • key_id indicates the ID of the key created in DEW.

Default value:

None

ProjectID

No

String

Definition:

ID of the project where the KMS master key belongs when SSE-KMS is used.

Constraints:

  • If the project is not the default one, you must use this parameter to specify the project ID.
  • If KMSMasterKeyID is not specified, do not set the project ID.
  • If a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.

Range:

Project ID that matches KMSMasterKeyID, that is, the ID of the project to which the master key with the specified KMSMasterKeyID belongs

Default value:

None

Response Syntax

1
2
3
HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

The response to the request uses common headers. For details, see Table 1.

Response Elements

This response contains no elements.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request (SSE-KMS AES256)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date:  Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<ServerSideEncryptionConfiguration xmlns="http://obs.region.example.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response (SSE-KMS AES256)

1
2
3
4
5
6
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0