Updated on 2026-04-16 GMT+08:00

Configuring Bucket Encryption

Functions

OBS allows you to create or update the default server-side encryption configuration for a bucket. Once bucket encryption is configured, objects uploaded to this bucket will be encrypted using the bucket's encryption configuration by default. OBS currently supports server-side encryption with KMS-managed keys (SSE-KMS) or OBS-managed keys (SSE-OBS). For more information about bucket encryption configuration, see Server-Side Encryption.

Constraints

  • Only one encryption method can be used each time an object is uploaded. The encryption configuration of an uploaded object cannot be changed.
  • To use SSE-KMS to encrypt a bucket or the objects in it, you must have kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, and kms:dek:crypto permissions granted by using IAM, so that you can upload objects to or download objects from this bucket.
  • If server-side encryption is disabled for a bucket, the encrypted objects can only be accessed over HTTPS.
  • Do not delete a key that is still in use; otherwise, the objects encrypted with this key can no longer be downloaded.

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure bucket encryption. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutEncryptionConfiguration permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putEncryptionConfiguration permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action: obs:bucket:putEncryptionConfiguration
      Access Level: Write
      Resource Type (*: Required): bucket *
      Condition Key: -
      Alias: -
      Dependencies: -
      Condition keys that can be used with this action:
        • obs:EpochTime
        • obs:SourceIp
        • obs:TlsVersion
        • obs:CustomDomain
        • obs:BucketEncrypted
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutEncryptionConfiguration permission. For details, see Creating a Custom Bucket Policy.

Request Syntax (SSE-KMS AES256)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.myhuaweicloud.com
Accept: */*
Date: date
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
        <BucketKeyEnabled>true</BucketKeyEnabled>
    </Rule>
</ServerSideEncryptionConfiguration>

Request Syntax (SSE-OBS)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.myhuaweicloud.com
Accept: */*
Date: date
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>AES256</SSEAlgorithm>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

URI Parameters

This request has no URI parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

The request body must carry the bucket encryption configuration in XML format. Table 1 lists the configuration elements.

Table 1 Configuration elements of bucket encryption

ServerSideEncryptionConfiguration
  Mandatory: Yes
  Type: Container
  Definition: Root element of the default encryption configuration of a bucket. ServerSideEncryptionConfiguration is the parent node of Rule.
  Constraints: N/A
  Range: N/A
  Default Value: N/A

Rule
  Mandatory: Yes
  Type: Container
  Definition: The child element of the default bucket encryption configuration. Rule is the parent node of ApplyServerSideEncryptionByDefault and BucketKeyEnabled.
  Constraints: N/A
  Range: For details, see Table 2 (Rule parameters).
  Default Value: N/A

Table 2 Rule parameter description

ApplyServerSideEncryptionByDefault
  Mandatory: Yes
  Type: Container
  Definition: Child element of the default encryption configuration of a bucket.
  Constraints: N/A
  Range: For details, see Table 3.
  Default Value: N/A

BucketKeyEnabled
  Mandatory: No
  Type: String
  Definition: Whether to enable the OBS bucket key feature.
  Constraints:
    • This parameter is available only when SSEAlgorithm is set to kms.
    • For a POSIX bucket, set this parameter to true; KMSMasterKeyID is then mandatory.
  Range:
    • true: The OBS bucket key feature is enabled.
    • false: The OBS bucket key feature is disabled.
  Default Value: false

Table 3 ApplyServerSideEncryptionByDefault parameters

SSEAlgorithm
  Mandatory: Yes
  Type: String
  Definition: Server-side encryption algorithm used for the default encryption configuration of a bucket.
  Constraints: N/A
  Range:
    • kms: SSE-KMS encryption and the AES256 algorithm are used.
    • AES256: SSE-OBS encryption and the AES256 algorithm are used.
  Default Value: N/A

KMSMasterKeyID
  Mandatory: No
  Type: String
  Definition: KMS master key ID used in SSE-KMS encryption.
  Constraints:
    • If this parameter is not specified, the default master key will be used.
    • If BucketKeyEnabled is set to true, the value of KMSMasterKeyID is the ID of the master key created on KMS.
  Range:
    • regionID:domainID:key/key_id
    • key_id
  In the preceding formats:
  Default Value: N/A

ProjectID
  Mandatory: No
  Type: String
  Definition: ID of the project to which the KMS master key belongs when SSE-KMS is used.
  Constraints:
    • If the project is not the default one, you must use this parameter to specify the project ID.
    • If KMSMasterKeyID is not specified, do not set the project ID.
    • If a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.
  Range: Project ID that matches KMSMasterKeyID, that is, the ID of the project to which the master key with the specified KMSMasterKeyID belongs.
  Default Value: N/A
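As an added example (not OBS's own SDK code, which this page recommends for real calls), the following Python builds the PUT /?encryption body described in Tables 1 to 3, enforces the tables' constraints before serialising so that a contradictory body (for example BucketKeyEnabled with SSE-OBS, or ProjectID without KMSMasterKeyID) never leaves the client, and parses a configuration back to report the effective mode. The function names, the bare SSE_OBS_BODY sample and the review findings are this example's own; the namespace URL and the key ID come from the page's sample request, with "region" left as a placeholder.

```python
"""Build, validate and inspect an OBS bucket default-encryption configuration.

Added example; not OBS's own SDK code. It models the XML body of
PUT /?encryption from Tables 1-3: ServerSideEncryptionConfiguration > Rule >
ApplyServerSideEncryptionByDefault (SSEAlgorithm, KMSMasterKeyID, ProjectID)
and Rule > BucketKeyEnabled. Function names are this example's own.
"""
import xml.etree.ElementTree as ET

# Namespace used in the page's sample requests; "region" is a placeholder.
OBS_NS = "http://obs.region.myhuaweicloud.com/doc/2015-06-30/"


def _q(tag):
    """Qualify a tag with the OBS namespace."""
    return f"{{{OBS_NS}}}{tag}"


def build_encryption_config(sse_algorithm, kms_master_key_id=None,
                            project_id=None, bucket_key_enabled=None):
    """Return the request body (bytes) for PUT /?encryption.

    Table constraints checked before serialising:
    - SSEAlgorithm is "kms" (SSE-KMS) or "AES256" (SSE-OBS)
    - KMSMasterKeyID and ProjectID apply to SSE-KMS only
    - ProjectID must not be set without KMSMasterKeyID
    - BucketKeyEnabled is available only when SSEAlgorithm is "kms"
    """
    if sse_algorithm not in ("kms", "AES256"):
        raise ValueError("SSEAlgorithm must be 'kms' or 'AES256'")
    if sse_algorithm == "AES256" and (kms_master_key_id or project_id):
        raise ValueError("KMSMasterKeyID/ProjectID are valid only with SSE-KMS")
    if project_id and not kms_master_key_id:
        raise ValueError("ProjectID requires KMSMasterKeyID")
    if bucket_key_enabled is not None and sse_algorithm != "kms":
        raise ValueError("BucketKeyEnabled is available only with SSE-KMS")

    root = ET.Element(_q("ServerSideEncryptionConfiguration"))
    rule = ET.SubElement(root, _q("Rule"))
    apply = ET.SubElement(rule, _q("ApplyServerSideEncryptionByDefault"))
    ET.SubElement(apply, _q("SSEAlgorithm")).text = sse_algorithm
    if kms_master_key_id:
        ET.SubElement(apply, _q("KMSMasterKeyID")).text = kms_master_key_id
    if project_id:
        ET.SubElement(apply, _q("ProjectID")).text = project_id
    if bucket_key_enabled is not None:
        ET.SubElement(rule, _q("BucketKeyEnabled")).text = (
            "true" if bucket_key_enabled else "false")
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True,
                       default_namespace=OBS_NS)


def inspect_encryption_config(xml_bytes):
    """Summarise a ServerSideEncryptionConfiguration document.

    Accepts the namespaced form (sample requests) and the bare form (request
    syntax). Returns the effective settings plus review findings.
    """
    root = ET.fromstring(xml_bytes)
    ns = {"o": OBS_NS}

    def text(path):
        el = root.find(path, ns)
        if el is None:  # fall back to the un-namespaced document form
            el = root.find(path.replace("o:", ""))
        return None if el is None else (el.text or "").strip()

    apply_path = "o:Rule/o:ApplyServerSideEncryptionByDefault/"
    algo = text(apply_path + "o:SSEAlgorithm")
    key_id = text(apply_path + "o:KMSMasterKeyID")
    project_id = text(apply_path + "o:ProjectID")
    # Table 2: BucketKeyEnabled defaults to false when absent.
    bucket_key = (text("o:Rule/o:BucketKeyEnabled") or "false") == "true"

    findings = []
    if algo == "kms":
        mode = "SSE-KMS"
        if not key_id:  # Table 3: the default master key is used
            findings.append("No KMSMasterKeyID: the default master key is used")
        if bucket_key and not key_id:
            findings.append("BucketKeyEnabled=true should name a KMS key")
    elif algo == "AES256":
        mode = "SSE-OBS"
        findings.append("SSE-OBS: keys are managed by OBS, not by your KMS")
    else:
        mode = "UNKNOWN"
        findings.append(f"Unsupported SSEAlgorithm: {algo!r}")
    return {"mode": mode, "kms_master_key_id": key_id, "project_id": project_id,
            "bucket_key_enabled": bucket_key, "findings": findings}


# Constructed SSE-OBS body in the bare form shown under "Request Syntax (SSE-OBS)".
SSE_OBS_BODY = b"""<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>AES256</SSEAlgorithm>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>"""


if __name__ == "__main__":
    # Key ID taken from the page's sample request.
    body = build_encryption_config("kms", "4f1cd4de-ab64-4807-920a-47fc42e7f0d0",
                                   bucket_key_enabled=True)
    print(body.decode())
    print(inspect_encryption_config(body))
    print(inspect_encryption_config(SSE_OBS_BODY))
```

The validation mirrors the tables rather than the service's error messages: it rejects combinations the tables call unavailable, and the inspector treats a missing KMSMasterKeyID under SSE-KMS as a finding because, per Table 3, the default master key is then used silently.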

Response Syntax

HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request (SSE-KMS AES256)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
        <BucketKeyEnabled>true</BucketKeyEnabled>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response (SSE-KMS AES256)

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0

Sample Request (SSE-OBS)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.myhuaweicloud.com
Accept: */*
Date: Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>AES256</SSEAlgorithm>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response (SSE-OBS)

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

Encryption Using SSE-KMS

Encryption Using SSE-OBS