Updated on 2024-02-22 GMT+08:00

Server-Side Encryption

Scenarios

After server-side encryption is enabled, objects uploaded to OBS will be encrypted and then stored on the server. When objects are downloaded, they will be decrypted on the server first and then returned in plaintext to you.

OBS provides the following server-side encryption methods, all of which use the 256-bit Advanced Encryption Standard (AES-256).

  • Server-side encryption with keys hosted by KMS (SSE-KMS)

    With this method, you need to create a key using Key Management Service (KMS) or use the default key provided by KMS. The KMS key is then used for server-side encryption when you upload objects to OBS.

    You can enable SSE-KMS when creating a bucket. Then, all objects uploaded to the bucket can be encrypted. You can also enable SSE-KMS after a bucket is created. After SSE-KMS is enabled, the objects newly uploaded to the bucket will be encrypted.

    OBS encrypts only the objects uploaded after the default encryption function is enabled. The encryption status of existing objects in the bucket remains unchanged. Disabling default encryption does not change the encryption status of existing objects in a bucket. After this function is disabled, you can still manually encrypt objects upon upload.

    You can use OBS Console, APIs, SDKs, or OBS Browser+ to configure SSE-KMS.

  • Server-side encryption with customer-provided keys (SSE-C)

    OBS uses the keys and MD5 values provided by customers for server-side encryption.

    You can use APIs or SDKs to configure SSE-C.

  • Server-side encryption with keys managed by OBS (SSE-OBS)

    OBS uses the keys derived from OBS root keys to protect your data on the server side.

    You can use OBS Console to configure SSE-OBS.

Constraints

  • Only one server-side encryption method can be used each time an object is uploaded.
  • If SSE-KMS is enabled for a bucket or the objects in it, you must have the kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, and kms:dek:crypto permissions granted by using IAM, so that you can upload objects to or download objects from the bucket.
  • SSE-KMS is available in the following regions: CN-Hong Kong, AP-Singapore, LA-Mexico City1, LA-Sao Paulo1, CN South-Guangzhou, AF-Johannesburg, AP-Bangkok, CN Southwest-Guiyang1, AP-Jakarta, and TR-Istanbul.
  • SSE-OBS is supported only in the AP-Bangkok and AP-Jakarta regions.
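The request-side view of the two API-driven methods above (SSE-KMS and SSE-C), together with the "only one method per upload" constraint and the HTTPS precaution given later on this page, as an added Python example. This is not code from the page or from the OBS SDKs; the header names are the author's assumption about the OBS REST API and are marked as such in the code, and the 32-byte key and endpoint URLs are constructed sample values.

```python
"""Build OBS server-side encryption request headers (SSE-KMS or SSE-C).

Added example. The header names below are assumed OBS REST API names and
are not listed on the page this example accompanies.
"""
import base64
import hashlib
from urllib.parse import urlparse

# Assumed header names (not from the page).
H_SSE = "x-obs-server-side-encryption"                          # value "kms"
H_KMS_KEY_ID = "x-obs-server-side-encryption-kms-key-id"
H_SSEC_ALG = "x-obs-server-side-encryption-customer-algorithm"  # value "AES256"
H_SSEC_KEY = "x-obs-server-side-encryption-customer-key"        # base64(raw key)
H_SSEC_MD5 = "x-obs-server-side-encryption-customer-key-MD5"    # base64(md5(raw key))

AES256_KEY_LEN = 32  # AES-256 needs a 256-bit (32-byte) raw key


def is_valid_customer_key(key) -> bool:
    """SSE-C takes a raw 256-bit key; reject anything else before sending."""
    return isinstance(key, (bytes, bytearray)) and len(key) == AES256_KEY_LEN


def sse_kms_headers(kms_key_id=None) -> dict:
    """Headers for SSE-KMS; omit the key ID to use the default KMS key."""
    headers = {H_SSE: "kms"}
    if kms_key_id:
        headers[H_KMS_KEY_ID] = kms_key_id
    return headers


def sse_c_headers(key: bytes) -> dict:
    """Headers for SSE-C: the customer key plus its MD5, which lets the server
    detect a key that was corrupted in transit before encrypting with it."""
    if not is_valid_customer_key(key):
        raise ValueError("SSE-C key must be exactly 32 raw bytes (AES-256)")
    return {
        H_SSEC_ALG: "AES256",
        H_SSEC_KEY: base64.b64encode(key).decode("ascii"),
        H_SSEC_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def verify_sse_c_headers(headers: dict) -> bool:
    """Client-side self-check: the MD5 header must match the key header."""
    try:
        key = base64.b64decode(headers[H_SSEC_KEY], validate=True)
        md5 = base64.b64decode(headers[H_SSEC_MD5], validate=True)
    except (KeyError, ValueError, TypeError):
        return False
    return is_valid_customer_key(key) and hashlib.md5(key).digest() == md5


def upload_headers(endpoint: str, *, kms_key_id=None, customer_key=None,
                   use_kms=False) -> dict:
    """Choose exactly one method for this upload and refuse to put a customer
    key into a header on a non-HTTPS endpoint."""
    if use_kms and customer_key is not None:
        raise ValueError("only one server-side encryption method per upload")
    if customer_key is not None:
        if urlparse(endpoint).scheme != "https":
            raise ValueError("SSE-C sends the key in a header; HTTPS is required")
        return sse_c_headers(customer_key)
    if use_kms or kms_key_id:
        return sse_kms_headers(kms_key_id)
    return {}  # no server-side encryption requested for this object


if __name__ == "__main__":
    sample_key = b"0123456789abcdef0123456789abcdef"  # constructed 32-byte key
    hdrs = upload_headers("https://obs.example.invalid/bucket/obj",
                          customer_key=sample_key)
    print(hdrs, verify_sse_c_headers(hdrs))
```

The MD5 header is an integrity check on the key, not a secret; the key header is the sensitive value, which is why the builder refuses plain-HTTP endpoints. The KMS path sends no key material at all, only an optional key ID, so the IAM `kms:*` permissions listed under Constraints are what actually gate the request.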

Background Information

In SSE-KMS mode, KMS uses a hardware security module (HSM) to protect key security, helping you easily create and control encryption keys. Keys are not displayed in plaintext outside HSMs, which prevents key disclosure. All operations performed on keys are controlled using access permissions and logged, meeting regulatory compliance requirements.

Precautions

When server-side encryption is disabled for a bucket, the encrypted objects must be accessed over HTTPS.

How to Use

You can use OBS Console, APIs, SDKs, or OBS Browser+ to configure server-side encryption.

Tool            Reference

OBS Console     Uploading a File in Server-Side Encryption Mode
                Configuring Bucket Default Encryption

SDKs            OBS supports software development kits (SDKs) in multiple languages. For details, see the corresponding developer guide on the SDK Overview page.

API             Server-Side Encryption (SSE-KMS)
                Server-Side Encryption (SSE-C)
                Configuring Bucket Encryption

OBS Browser+    -