Encrypting Data in OBS

Overview

After server-side encryption is enabled, data of an object uploaded to Object Storage Service (OBS) is encrypted on the server before being stored. When the object is downloaded, data is decrypted on the server first.

KMS uses a third-party hardware security module (HSM) to protect keys, enabling you to create and manage encryption keys easily. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. With KMS, all operations on keys are controlled and logged, and usage records of all keys can be provided to meet regulatory compliance requirements.

Server-side encryption with KMS-managed keys (SSE-KMS) can be implemented for the objects to be uploaded. You need to create a key using KMS or use the default key provided by KMS. Then you can use the key to encrypt the object on the server when uploading the object to OBS.

Uploading Files in Server-side Encryption Mode (on the Console)

In the bucket list on the OBS console, click a bucket to go to the Overview page.
In the navigation tree on the left, choose Objects.
Click Upload Object. The Upload Object dialog box is displayed.
Click Add File, select the file to be uploaded, and click Open.
Set Server-Side Encryption to SSE-KMS, select the default key or a custom key, and click Upload.

Figure 1 Encrypting an object to be uploaded

Key name: Name of the custom key. The key is created in DEW and is used for encrypted protection for data. OBS provides a default key obs/default. You can use the default key or create a key in DEW.
After uploading the object, click it to view its encryption status.
- The object encryption status cannot be changed.
- A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.