Help Center> Object Storage Service> Console Operation Guide> Configuring Server-Side Encryption> Configuring Bucket Default Encryption
Updated on 2023-04-26 GMT+08:00
View PDF

Configuring Bucket Default Encryption

OBS enables you to configure default encryption for a bucket. After the configuration, objects uploaded to the bucket are automatically encrypted using the specified KMS key, improving data storage security.

You can enable default encryption when creating a bucket (see Creating a Bucket), or enable or disable default encryption after a bucket is created.

OBS encrypts only the objects uploaded after the default encryption is enabled, and does not encrypt those uploaded before. After default encryption is disabled, the encryption status of existing objects keeps unchanged, and you can still manually encrypt objects upon upload.

Enabling Default Encryption for a Bucket

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want. The Objects page is displayed.
  3. In the navigation pane, choose Overview.
  4. In the right Basic Configurations area, click Default Encryption. The Default Encryption dialog box is displayed.
  5. Choose SSE-KMS.

    You can select the default key to encrypt the objects you upload to the bucket. If you do not have a default key, OBS automatically creates one the first time you upload an object. You can also choose a custom key for encryption. If no such key is available, click Create KMS Key to create one on the KMS console.

    Figure 1 Enabling KMS-based encryption for a bucket

  6. Click OK.

Disabling Default Encryption for a Bucket

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want. The Objects page is displayed.
  3. In the navigation pane, choose Overview.
  4. In the right Basic Configurations area, click Default Encryption. The Default Encryption dialog box is displayed.
  5. Select Disable.
  6. Click OK.