Updated on 2025-05-22 GMT+08:00

Encrypting Data in OBS

Scenario

You can use KMS to encrypt all or only some of the objects in an OBS bucket. OBS with KMS uses envelope encryption: each object is encrypted with a data encryption key (DEK), and only the DEK, not the object itself, is sent to KMS to be wrapped and unwrapped under the KMS key you select. Object data is therefore never transmitted to KMS, which keeps uploads and downloads efficient, while the KMS key never leaves KMS and objects are stored as ciphertext.

  • Full encryption: Encrypt all objects uploaded to an OBS bucket.

    In this case, you only need to enable server-side encryption on the OBS bucket: objects uploaded to the bucket inherit the bucket's encryption configuration by default. For details, see Enabling Server-Side Encryption When Creating an OBS Bucket or Enabling Encryption for a Created OBS Bucket.

    Once bucket encryption is enabled, Inherit from bucket is selected by default in the upload dialog, so the bucket and its objects use the same encryption method and key. To encrypt particular objects differently, clear Inherit from bucket when uploading them and choose the encryption method and key for those objects. For details, see Uploading Objects to an OBS Bucket.

  • Partial encryption: Encrypt only certain objects uploaded to an OBS bucket.

    In this case, you do not need to enable encryption on the bucket. Instead, enable server-side encryption for each object that needs it when you upload it; objects uploaded without it are stored unencrypted. For details, see Uploading Objects to an OBS Bucket.

Figure 1 OBS encryption

Solution Architecture

The following figures show how objects uploaded to OBS are encrypted and decrypted.

  • Encryption principle
    Figure 2 Encryption principle
    1. Obtain the encryption key.

      KMS generates a data encryption key (DEK) under the KMS key selected for the bucket or object and returns it together with a copy of the DEK encrypted by that KMS key (the ciphertext DEK). The KMS key itself never leaves KMS.

    2. Upload encrypted data to the OBS bucket.

      The encryption SDK encrypts the object plaintext with the plaintext DEK and stores the resulting object ciphertext in OBS together with the ciphertext DEK. The plaintext DEK is discarded after use.

  • Decryption principle
    Figure 3 Decryption principle
    1. Download the objects.

      Download the object ciphertext, together with its ciphertext DEK, from OBS.

    2. Decrypt the objects.

      The encryption SDK sends the ciphertext DEK to KMS, which decrypts it with the same KMS key and returns the plaintext DEK. The SDK then decrypts the object ciphertext with the plaintext DEK to recover the original object. If the KMS key is unavailable, the DEK cannot be unwrapped and the object cannot be recovered.
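The envelope encryption flow above, as an added example that is not code from OBS, KMS or their SDKs: a stand-in fakeKMS type (assumed here; a real deployment calls the KMS service) wraps and unwraps DEKs under a key ID such as obs/default, each object is encrypted with AES-256-GCM under its own DEK, and the wrapped DEK travels with the ciphertext as metadata. DeleteKey reproduces the situation the Constraints section warns about: once the KMS key is gone, the stored object can no longer be decrypted. All type, function and key names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for the KMS service (assumed for this example): it holds the
// key encryption keys (KEKs) behind key IDs such as obs/default and never hands
// them out. Callers only ever see plaintext DEKs.
type fakeKMS map[string][]byte

// mustRandom returns n cryptographically random bytes; rand failure is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CreateKey creates a 256-bit KEK under the given key ID.
func (k fakeKMS) CreateKey(id string) { k[id] = mustRandom(32) }

// DeleteKey models the constraint on the page: once the KMS key is gone, every
// DEK wrapped under it, and every object encrypted with such a DEK, is lost.
func (k fakeKMS) DeleteKey(id string) { delete(k, id) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on any tampering with the ciphertext or AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey is step 1 of the encryption principle: KMS returns a fresh DEK
// in plaintext (used once, then discarded) and the same DEK wrapped under the
// KMS key (stored beside the object as its ciphertext DEK).
func (k fakeKMS) GenerateDataKey(keyID string) (plainDEK, wrappedDEK []byte, err error) {
	kek, ok := k[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("KMS key %q not found", keyID)
	}
	plainDEK = mustRandom(32)
	wrappedDEK, err = seal(kek, plainDEK, []byte(keyID))
	return plainDEK, wrappedDEK, err
}

// Decrypt is the KMS call in step 2 of the decryption principle: unwrap a DEK.
func (k fakeKMS) Decrypt(keyID string, wrappedDEK []byte) ([]byte, error) {
	kek, ok := k[keyID]
	if !ok {
		return nil, fmt.Errorf("KMS key %q not found", keyID)
	}
	return open(kek, wrappedDEK, []byte(keyID))
}

// StoredObject is what lands in the bucket: ciphertext plus key ID and wrapped
// DEK as metadata. No plaintext key material is ever stored.
type StoredObject struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptObject is the upload path. The object name is bound in as AAD so a
// ciphertext cannot be silently re-attached to a different object key.
func EncryptObject(kms fakeKMS, keyID, objectKey string, plaintext []byte) (*StoredObject, error) {
	dek, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectKey)) // dek is dropped after this call
	if err != nil {
		return nil, err
	}
	return &StoredObject{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject is the download path: unwrap the DEK through KMS, then decrypt.
func DecryptObject(kms fakeKMS, objectKey string, obj *StoredObject) ([]byte, error) {
	dek, err := kms.Decrypt(obj.KeyID, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectKey))
}
```

Two design points carry over to the real service: the DEK is fresh per object, so compromising one object's DEK exposes nothing else, and the KMS key is only ever used to wrap and unwrap 32-byte DEKs, which is why object size never affects KMS traffic.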

Constraints

A key that is in use must not be deleted. If the KMS key that an object was encrypted with is deleted (or otherwise made unavailable, for example disabled), the object's DEK can no longer be decrypted and the object cannot be downloaded. Before scheduling a key for deletion, confirm that no bucket or object still depends on it.

Enabling Server-Side Encryption When Creating an OBS Bucket

  1. Log in to the management console.
  2. Click on the left and choose Storage > Object Storage Service.
  3. In the navigation pane on the left, choose Buckets. On the displayed page, click Create Bucket in the upper right corner.
  4. Under Properties, enable Server-Side Encryption, select SSE-KMS for Encryption Method, and select an encryption key type.

    Figure 4 Encrypting data in OBS

    OBS uses the encryption key provided by KMS. You can select any of the following keys:

    • Default key obs/default. If you do not have a default key, OBS automatically creates one when you upload an object for the first time.
    • Custom keys created on KMS. For details, see Creating a Key.
    • Keys using the SM4 cryptographic algorithm, which is supported only in CN North-Ulanqab 1.

  5. Configure other parameters and click Create Now.

Enabling Encryption for a Created OBS Bucket

  1. Log in to the management console.
  2. Click on the left and choose Storage > Object Storage Service.
  3. In the navigation pane on the left, choose Buckets. Click the target bucket and access the Objects page.
  4. In the navigation pane on the left, choose Overview.
  5. In the Basic Configurations area, click Server-Side Encryption.
  6. In the displayed dialog box, enable server-side encryption, set Encryption Method to SSE-KMS, and select an encryption key type.

    Figure 5 Enabling server-side encryption

    OBS uses the encryption key provided by KMS. You can select any of the following keys:

    • Default key obs/default. If you do not have a default key, OBS automatically creates one when you upload an object for the first time.
    • Custom keys created on KMS. For details, see Creating a Key.
    • Keys using the SM4 cryptographic algorithm, which is supported only in CN North-Ulanqab 1.

  7. Configure other parameters and click OK.

Uploading Objects to an OBS Bucket

  1. Click the target bucket in the list on the OBS console.
  2. In the navigation pane on the left, choose Objects.
  3. Click Upload Object.
  4. In the displayed dialog box, add files to be uploaded.
  5. For Server-Side Encryption, select an encryption method, and select a default key or custom key from the drop-down list, as shown in Figure 6.

    Figure 6 Uploading an object with server-side encryption enabled (OBS bucket encryption enabled)
    • After server-side encryption is enabled for the OBS bucket, the encryption configuration is inherited by default when an object is uploaded.
    • To modify the encryption configuration, you need to disable Inherit from bucket and select SSE-KMS or SSE-OBS as required.
    Figure 7 Uploading an object with server-side encryption enabled (OBS bucket encryption disabled)

    If OBS bucket encryption is not enabled, you need to enable server-side encryption when uploading objects.

  6. After uploading the object, click it to view its encryption status.

    • The object encryption status cannot be changed.
    • A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.

Related Operations

Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see Configuring Bucket Encryption.
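For the API route, and as the programmatic counterpart of viewing an object's encryption status after upload, the following Go code is an added example and is not part of this page or of the OBS SDK. It assumes the OBS REST headers x-obs-server-side-encryption (value kms for SSE-KMS, AES256 for SSE-OBS) and x-obs-server-side-encryption-kms-key-id, with an omitted key ID meaning the bucket's default KMS key; check both against the API reference for your region. Request signing is left to the caller. NewSSEKMSPutRequest builds the upload request; RequireSSEKMS is a post-upload check on a HeadObject response that rejects unencrypted objects, objects that ended up on SSE-OBS after Inherit from bucket was cleared, and objects encrypted with a key outside an allow list. Endpoint, bucket and key IDs are constructed values.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Header names as documented for the OBS REST API (assumed here; verify against
// your region's API reference). The algorithm header carries "kms" for SSE-KMS
// and "AES256" for SSE-OBS; the key-ID header names the KMS key used.
const (
	hdrSSE      = "x-obs-server-side-encryption"
	hdrSSEKeyID = "x-obs-server-side-encryption-kms-key-id"
)

// NewSSEKMSPutRequest builds a PutObject request that asks OBS to encrypt the
// object with the named KMS key. Signing (the Authorization header) is left to
// the caller's SDK or signer and is not shown here.
func NewSSEKMSPutRequest(endpoint, bucket, objectKey, kmsKeyID string, body []byte) (*http.Request, error) {
	url := fmt.Sprintf("https://%s.%s/%s", bucket, endpoint, objectKey)
	req, err := http.NewRequest(http.MethodPut, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set(hdrSSE, "kms")
	if kmsKeyID != "" { // omitted key ID: OBS falls back to the default KMS key (assumption)
		req.Header.Set(hdrSSEKeyID, kmsKeyID)
	}
	return req, nil
}

// RequireSSEKMS inspects the headers of a HeadObject (or GetObject) response and
// fails unless the object is SSE-KMS encrypted with one of the allowed keys.
// It catches three outcomes the console walkthrough can produce: the object was
// uploaded with no server-side encryption, it was uploaded with SSE-OBS instead
// of SSE-KMS after Inherit from bucket was switched off, or it was encrypted
// with a key this workload is not meant to depend on.
func RequireSSEKMS(h http.Header, allowedKeyIDs []string) error {
	alg := h.Get(hdrSSE)
	switch {
	case alg == "":
		return fmt.Errorf("object is not server-side encrypted")
	case !strings.EqualFold(alg, "kms"):
		return fmt.Errorf("object uses %s, not SSE-KMS", alg)
	}
	keyID := h.Get(hdrSSEKeyID)
	for _, id := range allowedKeyIDs {
		if id == keyID {
			return nil
		}
	}
	return fmt.Errorf("object is encrypted with KMS key %q, which is not in the allowed set", keyID)
}
```

Run RequireSSEKMS over the HeadObject headers of every object after an upload job, or periodically over a bucket listing, to get the same assurance as clicking each object in the console; an object that fails the check cannot be re-encrypted in place and must be re-uploaded with the right settings.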