Server-Side Encryption
There are three OBS encryption methods: server-side encryption with KMS-managed keys (SSE-KMS), server-side encryption with OBS-managed keys (SSE-OBS), and server-side encryption with customer-provided keys (SSE-C). For more information, see Server-Side Encryption.
Overview of Server-Side Encryption APIs
You can use APIs to configure encryption for existing buckets, as well as obtain and delete encryption configuration of existing buckets. For details, see Configuring Bucket Encryption, Obtaining Bucket Encryption Configuration, and Deleting the Encryption Configuration of a Bucket.
You can also configure encryption in the APIs for creating a bucket, uploading, downloading, and copying an object, as well as uploading an object in a multipart upload. The following table lists these APIs and parameters involved.
|
Type |
Header |
Description |
|||
|---|---|---|---|---|---|
|
Request headers |
x-obs-server-side-encryption |
Specifies the encryption method. |
kms: SSE-KMS is used for encryption. obs: SSE-OBS is used for encryption. |
kms: SSE-KMS is used for encryption. AES256: SSE-OBS and the AES-256 algorithm are used. |
|
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
AES256: The AES-256 algorithm is used. AES-256 can be used for both SSE-KMS and SSE-OBS. SM4: The SM4 algorithm is used. SM4 can only be used for SSE-KMS. |
If this header is not included, the AES-256 algorithm is used. SM4: The SM4 algorithm is used. |
||
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
Key ID |
Key ID |
Key ID |
|
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
Project ID |
- |
- |
|
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
- |
AES256: SSE-C and the AES-256 algorithm are used. |
||
|
x-obs-server-side-encryption-customer-key |
Specifies the plaintext key encoded in Base64 when SSE-C is used. |
- |
The plaintext key encoded in Base64 |
||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the MD5 value of the key when SSE-C is used. |
- |
The Base64-encoded MD5 value of the key |
||
|
x-obs-copy-source-server-side-encryption-customer-algorithm |
Specifies the algorithm for object copies when SSE-C is used. |
- |
- |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key |
Specifies the Base64-encoded key for object copies when SSE-C is used. |
- |
- |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key-MD5 |
Specifies the MD5 value of the key used for object copies when SSE-C is used. |
- |
- |
- |
|
|
Response headers |
x-obs-server-side-encryption |
Specifies the server-side encryption method. |
kms: SSE-KMS is used for encryption. obs: SSE-OBS is used for encryption. |
kms: SSE-KMS is used for encryption. AES256: SSE-OBS and the AES-256 algorithm are used. |
|
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
AES256: The AES-256 algorithm is used. AES-256 can be used for both SSE-KMS and SSE-OBS. SM4: The SM4 algorithm is used. SM4 can only be used for SSE-KMS. |
If this header is not included, the AES-256 algorithm is used. SM4: The SM4 algorithm is used. |
||
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
The key ID is returned only for custom keys. |
The key ID is returned for both default keys and custom keys. |
||
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
The project ID is returned only for custom keys. |
|||
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
- |
AES256: SSE-C and the AES-256 algorithm are used. |
||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the Base64-encoded MD5 value of the key when SSE-C is used. |
- |
The Base64-encoded MD5 value of the key |
||
|
Type |
Header |
Description |
|||||
|---|---|---|---|---|---|---|---|
|
Request headers |
x-obs-server-side-encryption |
Specifies the encryption method. |
kms: SSE-KMS is used for encryption. AES256: SSE-OBS and the AES-256 algorithm are used. |
- |
- |
- |
|
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
AES256: The AES-256 algorithm is used. SM4: The SM4 algorithm is used. |
- |
- |
- |
||
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
Key ID |
- |
- |
- |
||
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
- |
- |
- |
- |
- |
|
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
AES256: SSE-C and the AES-256 algorithm are used. |
- |
||||
|
x-obs-server-side-encryption-customer-key |
Specifies the plaintext key encoded in Base64 when SSE-C is used. |
The plaintext key encoded in Base64 |
- |
||||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the MD5 value of the key when SSE-C is used. |
The Base64-encoded MD5 value of the key |
- |
||||
|
x-obs-copy-source-server-side-encryption-customer-algorithm |
Specifies the algorithm for object copies when SSE-C is used. |
AES256: The target object copy is encrypted using SSE-C and the AES-256 algorithm. |
- |
- |
AES256: The target object copy is encrypted using SSE-C and the AES-256 algorithm. |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key |
Specifies the Base64-encoded key for object copies when SSE-C is used. |
The plaintext key encoded in Base64 |
- |
- |
The plaintext key encoded in Base64 |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key-MD5 |
Specifies the Base64-encoded MD5 value of the key used for object copies when SSE-C is used. |
The Base64-encoded MD5 value of the key |
- |
- |
The Base64-encoded MD5 value of the key |
- |
|
|
Response headers |
x-obs-server-side-encryption |
Specifies the encryption method. |
kms: SSE-KMS is used for encryption. AES256: SSE-OBS and the AES-256 algorithm are used. |
||||
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
If this header is not included, the AES-256 algorithm is used. SM4: The SM4 algorithm is used. |
|||||
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
Key ID |
|||||
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
The project ID is returned only for custom keys. |
|||||
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
AES256: SSE-C and the AES-256 algorithm are used. |
|||||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the Base64-encoded MD5 value of the key when SSE-C is used. |
The Base64-encoded MD5 value of the key |
|||||
|
Type |
Header |
Description |
||
|---|---|---|---|---|
|
Request headers |
x-obs-server-side-encryption |
Specifies the encryption method. |
- |
- |
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
- |
- |
|
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
- |
- |
|
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
- |
- |
|
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
AES256: SSE-C and the AES-256 algorithm are used. |
||
|
x-obs-server-side-encryption-customer-key |
Specifies the plaintext key encoded in Base64 when SSE-C is used. |
The plaintext key encoded in Base64 |
||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the MD5 value of the key when SSE-C is used. |
The Base64-encoded MD5 value of the key |
||
|
x-obs-copy-source-server-side-encryption-customer-algorithm |
Specifies the algorithm for object copies when SSE-C is used. |
- |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key |
Specifies the Base64-encoded key for object copies when SSE-C is used. |
- |
- |
|
|
x-obs-copy-source-server-side-encryption-customer-key-MD5 |
Specifies the Base64-encoded MD5 value of the key used for object copies when SSE-C is used. |
- |
- |
|
|
Response headers |
x-obs-server-side-encryption |
Specifies the encryption method. |
kms: SSE-KMS is used for encryption. AES256: SSE-OBS and the AES-256 algorithm are used. |
|
|
x-obs-server-side-data-encryption |
Specifies the algorithm used for server-side encryption. |
If this header is not included, the AES-256 algorithm is used. SM4: The SM4 algorithm is used. |
||
|
x-obs-server-side-encryption-kms-key-id |
Specifies the ID of the KMS CMK when SSE-KMS is used. |
Key ID |
||
|
x-obs-sse-kms-key-project-id |
Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used. |
- |
- |
|
|
x-obs-server-side-encryption-customer-algorithm |
Specifies the algorithm for SSE-C. |
AES256: SSE-C and the AES-256 algorithm are used. |
||
|
x-obs-server-side-encryption-customer-key-MD5 |
Specifies the Base64-encoded MD5 value of the key when SSE-C is used. |
The Base64-encoded MD5 value of the key |
||
Requirements for Transmission Protocols of Server-Side Encryption APIs
|
Operation |
Transfer Protocol |
|---|---|
|
PutObject |
HTTPS |
|
PostObject |
HTTPS |
|
InitiateMultipartUpload |
HTTPS |
|
HeadObject |
HTTPS |
|
GetObject |
HTTPS |
|
UploadPart |
HTTPS |
|
CompleteMultipartUpload |
HTTP or HTTPS |
|
Operation |
Transfer Protocol |
|---|---|
|
PutObject |
HTTPS |
|
PostObject |
HTTPS |
|
InitiateMultipartUpload |
HTTPS |
|
HeadObject |
HTTP or HTTPS |
|
GetObject |
HTTPS |
|
UploadPart |
HTTPS |
|
CompleteMultipartUpload |
HTTP or HTTPS |
|
Source Object |
Target Object |
Transfer Protocol |
|---|---|---|
|
Non-encrypted object |
Object encrypted using SSE-KMS |
HTTPS |
|
Object encrypted using SSE-KMS |
Object encrypted using SSE-KMS |
HTTPS |
|
Object encrypted using SSE-OBS |
Object encrypted using SSE-KMS |
HTTPS |
|
Object encrypted using SSE-C |
Object encrypted using SSE-KMS |
HTTPS |
|
Non-encrypted object |
Object encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-KMS |
Object encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-OBS |
Object encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-C |
Object encrypted using SSE-C |
HTTPS |
|
Non-encrypted object |
Non-encrypted object |
HTTP or HTTPS |
|
Object encrypted using SSE-KMS |
Non-encrypted object |
HTTP or HTTPS |
|
Object encrypted using SSE-OBS |
Non-encrypted object |
HTTP or HTTPS |
|
Object encrypted using SSE-C |
Non-encrypted object |
HTTP or HTTPS |
|
Non-encrypted object |
Object encrypted using SSE-OBS |
HTTPS |
|
Object encrypted using SSE-KMS |
Object encrypted using SSE-OBS |
HTTPS |
|
Object encrypted using SSE-OBS |
Object encrypted using SSE-OBS |
HTTPS |
|
Object encrypted using SSE-C |
Object encrypted using SSE-OBS |
HTTPS |
|
Source Object |
Target Part |
Transfer Protocol |
|---|---|---|
|
Non-encrypted object |
Part encrypted using SSE-KMS |
HTTP or HTTPS |
|
Object encrypted using SSE-KMS |
Part encrypted using SSE-KMS |
HTTP or HTTPS |
|
Object encrypted using SSE-OBS |
Part encrypted using SSE-KMS |
HTTP or HTTPS |
|
Object encrypted using SSE-C |
Part encrypted using SSE-KMS |
HTTP or HTTPS |
|
Non-encrypted object |
Part encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-KMS |
Part encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-OBS |
Part encrypted using SSE-C |
HTTPS |
|
Object encrypted using SSE-C |
Part encrypted using SSE-C |
HTTPS |
|
Non-encrypted object |
Non-encrypted part |
HTTP or HTTPS |
|
Object encrypted using SSE-KMS |
Non-encrypted part |
HTTP or HTTPS |
|
Object encrypted using SSE-OBS |
Non-encrypted part |
HTTP or HTTPS |
|
Object encrypted using SSE-C |
Non-encrypted part |
HTTP or HTTPS |
|
Non-encrypted object |
Part encrypted using SSE-OBS |
HTTP or HTTPS |
|
Object encrypted using SSE-KMS |
Part encrypted using SSE-OBS |
HTTP or HTTPS |
|
Object encrypted using SSE-OBS |
Part encrypted using SSE-OBS |
HTTP or HTTPS |
|
Object encrypted using SSE-C |
Part encrypted using SSE-OBS |
HTTP or HTTPS |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
