Encrypting Data in OBS
Scenario
You can use KMS to encrypt all or certain objects in an OBS bucket. OBS uses KMS envelope encryption: KMS generates a data encryption key (DEK) for the object, OBS encrypts the object data with that DEK, and only the DEK is encrypted (wrapped) under your KMS key and stored alongside the object. The object bytes themselves never pass through KMS, so objects of any size can be encrypted and decrypted without transmitting a large amount of data over the network, and the KMS key never leaves KMS. This gives you confidentiality of the stored data and of the upload and download path, with decryption that costs only one small KMS call per object.
- Full encryption: Encrypt all objects uploaded to an OBS bucket.
In this case, you only need to enable server-side encryption on the OBS bucket; objects uploaded to the bucket inherit the bucket's encryption configuration by default. For details, see Enabling Server-Side Encryption When Creating an OBS Bucket or Enabling Encryption for a Created OBS Bucket.
After an OBS bucket is encrypted, Inherit from bucket is enabled by default when you upload objects to the bucket. In this case, the OBS bucket and its objects share the same encryption method. To change the encryption method for the objects, disable Inherit from bucket when you upload the objects, and modify the encryption method. For details, see Uploading Objects to an OBS Bucket.
- Partial encryption: Encrypt only certain objects uploaded to an OBS bucket.
In this case, you do not need to encrypt the OBS bucket. Instead, you can directly upload objects to the OBS bucket and configure the encryption method. For details, see Uploading Objects to an OBS Bucket.

Solution Architecture
The following figures show how objects uploaded to OBS are encrypted and decrypted.
- Encryption principle
Figure 2 Encryption principle
- Decryption principle
Figure 3 Decryption principle
Constraints
A key that is still protecting objects must not be deleted. Objects encrypted with a deleted key can no longer be downloaded, because KMS can no longer decrypt (unwrap) the data encryption keys stored with those objects.
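The following is an added example, not OBS or KMS code, that models the envelope-encryption flow from Scenario and Solution Architecture and the key-deletion constraint above. It assumes a toy in-process "KMS" and uses HMAC-SHA256 in counter mode with encrypt-then-MAC as a stand-in for the AES the real service uses; the sample object body is constructed. The point it makes concrete: only the wrapped DEK (80 bytes here) ever travels to KMS regardless of object size, and once the master key is gone the stored object is unrecoverable.

```python
"""Envelope encryption as OBS uses it with KMS, modelled end to end (added example)."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC never share one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF counter mode: XOR data with HMAC(key, nonce || counter) blocks (AES stand-in)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _ctr_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or tag was tampered with")
    return _ctr_xor(_subkey(key, b"enc"), nonce, ct)


class ToyKMS:
    """Holds master keys (CMKs). CMKs never leave this class; only DEKs do."""

    def __init__(self) -> None:
        self._cmks: dict[str, bytes] = {}
        self.bytes_received = 0  # payload bytes clients sent to KMS for decryption

    def create_key(self, key_id: str) -> str:
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, DEK wrapped under the CMK)."""
        dek = secrets.token_bytes(32)
        return dek, seal(self._cmks[key_id], dek)

    def decrypt_data_key(self, key_id: str, wrapped_dek: bytes) -> bytes:
        if key_id not in self._cmks:
            raise KeyError(f"KMS key {key_id} has been deleted; DEK cannot be unwrapped")
        self.bytes_received += len(wrapped_dek)
        return open_(self._cmks[key_id], wrapped_dek)

    def delete_key(self, key_id: str) -> None:
        del self._cmks[key_id]


def obs_put_object(kms: ToyKMS, key_id: str, body: bytes) -> dict:
    """Service side of an SSE-KMS upload: encrypt the body locally with a fresh DEK,
    store only the ciphertext plus the wrapped DEK; the plaintext DEK is discarded."""
    dek, wrapped = kms.generate_data_key(key_id)
    return {"kms_key_id": key_id, "wrapped_dek": wrapped, "ciphertext": seal(dek, body)}


def obs_get_object(kms: ToyKMS, stored: dict) -> bytes:
    """Service side of a download: KMS unwraps the small DEK, the object is decrypted locally."""
    dek = kms.decrypt_data_key(stored["kms_key_id"], stored["wrapped_dek"])
    return open_(dek, stored["ciphertext"])


def demo() -> dict:
    kms = ToyKMS()
    key_id = kms.create_key("obs/default")        # name mirrors the page's default key
    body = b"constructed sample object " * 4096   # ~104 KiB of constructed data
    stored = obs_put_object(kms, key_id, body)
    result = {
        "roundtrip_ok": obs_get_object(kms, stored) == body,
        "bytes_sent_to_kms": kms.bytes_received,  # 80: one wrapped DEK, not the object
        "object_size": len(body),
    }
    kms.delete_key(key_id)                        # the constraint described above
    try:
        obs_get_object(kms, stored)
        result["readable_after_key_deletion"] = True
    except KeyError:
        result["readable_after_key_deletion"] = False
    return result
```

Run `demo()` and compare `bytes_sent_to_kms` with `object_size`: the download cost one 80-byte KMS call for a 104 KiB object, and the same object becomes undecryptable the moment its master key is deleted, which is exactly why the constraint above exists.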
Enabling Server-Side Encryption When Creating an OBS Bucket
- Log in to the management console.
- Click the service list icon on the left and open the OBS console.
- In the navigation pane on the left, choose Buckets. On the displayed page, click Create Bucket in the upper right corner.
- Under Properties, enable Server-Side Encryption, select SSE-KMS for Encryption Method, and select an encryption key type.
Figure 4 Encrypting data in OBS
OBS uses the encryption key provided by KMS. You can select any of the following keys:
- Default key obs/default. If you do not have a default key, OBS automatically creates one when you upload an object for the first time.
- Custom keys created on KMS. For details, see Creating a Key.
- Keys using the SM4 cryptographic algorithm, which is supported only in CN North-Ulanqab 1.
- Configure other parameters and click Create Now.
Enabling Encryption for a Created OBS Bucket
- Log in to the management console.
- Click the service list icon on the left and open the OBS console.
- In the navigation pane on the left, choose Buckets. Click the target bucket and access the Objects page.
- In the navigation pane on the left, choose Overview.
- In the Basic Configurations area, click Server-Side Encryption.
- In the displayed dialog box, enable server-side encryption, set Encryption Method to SSE-KMS, and select an encryption key type.
Figure 5 Enabling server-side encryption
OBS uses the encryption key provided by KMS. You can select any of the following keys:
- Default key obs/default. If you do not have a default key, OBS automatically creates one when you upload an object for the first time.
- Custom keys created on KMS. For details, see Creating a Key.
- Keys using the SM4 cryptographic algorithm, which is supported only in CN North-Ulanqab 1.
- Configure other parameters and click OK.
Uploading Objects to an OBS Bucket
- Click the target bucket in the list on the OBS console.
- In the navigation pane on the left, choose Objects.
- Click Upload Object.
- In the displayed dialog box, add files to be uploaded.
- For Server-Side Encryption, select an encryption method, and select a default key or custom key from the drop-down list, as shown in Figure 6.
- After server-side encryption is enabled for the OBS bucket, the encryption configuration is inherited by default when an object is uploaded.
- To modify the encryption configuration, you need to disable Inherit from bucket and select SSE-KMS or SSE-OBS as required.
Figure 7 Uploading an object with server-side encryption enabled (OBS bucket encryption disabled)
If OBS bucket encryption is not enabled, you need to enable server-side encryption when uploading objects.
- After uploading the object, click it to view its encryption status.
- The encryption status of an object cannot be changed after upload. To protect an object with a different key or method, upload a new copy with the desired settings.
- A key that is still protecting objects must not be deleted. Objects encrypted with a deleted key can no longer be downloaded, because KMS can no longer decrypt their data encryption keys.
Related Operations
Alternatively, you can call OBS APIs to upload a file with server-side encryption using KMS-managed keys (SSE-KMS). For details, see Configuring Bucket Encryption.
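The following is an added example, not OBS code, for the API path mentioned above and for verifying the outcome of the partial-encryption scenario: it builds the request headers that ask for SSE-KMS on a PUT Object and classifies objects from their HEAD response headers into encrypted-as-intended, encrypted with another key, SSE-OBS, or unencrypted. The header names `x-obs-server-side-encryption` and `x-obs-server-side-encryption-kms-key-id` are assumed from the OBS REST API reference (verify against it); the key IDs and HEAD responses are constructed.

```python
"""Request SSE-KMS on upload and audit what actually landed in the bucket (added example)."""
from typing import Dict, List, Optional

# Header names assumed from the OBS REST API reference (not taken from this page).
SSE_HEADER = "x-obs-server-side-encryption"
KMS_KEY_HEADER = "x-obs-server-side-encryption-kms-key-id"


def sse_kms_upload_headers(kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """Headers for a PUT Object that requests SSE-KMS explicitly (the non-inherit case).
    Without a key ID, OBS falls back to the default key obs/default."""
    headers = {SSE_HEADER: "kms"}
    if kms_key_id:
        headers[KMS_KEY_HEADER] = kms_key_id
    return headers


def classify(head_headers: Dict[str, str], expected_key_id: Optional[str]) -> str:
    """Map one object's HEAD response headers to an encryption state."""
    h = {k.lower(): v for k, v in head_headers.items()}  # HTTP header names are case-insensitive
    algo = h.get(SSE_HEADER)
    if algo is None:
        return "unencrypted"
    if algo.lower() == "aes256":                          # SSE-OBS reports AES256
        return "sse-obs"
    if algo.lower() == "kms":
        if expected_key_id is None or h.get(KMS_KEY_HEADER) == expected_key_id:
            return "sse-kms"
        return "sse-kms-other-key"
    return f"unknown:{algo}"


def audit(objects: Dict[str, Dict[str, str]], expected_key_id: Optional[str] = None) -> Dict[str, List[str]]:
    """Group object names by encryption state so gaps in a partial-encryption bucket stand out."""
    report: Dict[str, List[str]] = {}
    for name, headers in objects.items():
        report.setdefault(classify(headers, expected_key_id), []).append(name)
    return report


# Constructed HEAD responses for a bucket where only some objects were meant to be SSE-KMS.
EXPECTED_KEY = "11111111-1111-1111-1111-111111111111"   # placeholder custom key ID
SAMPLE_OBJECTS = {
    "payroll.csv": {SSE_HEADER: "kms", KMS_KEY_HEADER: EXPECTED_KEY},
    "readme.txt": {},
    "backup.tar": {"X-Obs-Server-Side-Encryption": "AES256"},
    "old-export.csv": {SSE_HEADER: "kms",
                       KMS_KEY_HEADER: "22222222-2222-2222-2222-222222222222"},
}

if __name__ == "__main__":
    print(sse_kms_upload_headers(EXPECTED_KEY))
    for state, names in sorted(audit(SAMPLE_OBJECTS, EXPECTED_KEY).items()):
        print(f"{state:20s} {', '.join(names)}")
```

In practice you would feed `audit()` the headers returned by HEAD Object for each key in the bucket listing; anything in `unencrypted` or `sse-kms-other-key` is an object that did not get the intended protection, which the console's per-object encryption status shows only one object at a time.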