SSE-OBS

Billing

You are not billed for using SSE-OBS. However, requests for configuring SSE-OBS for buckets or objects will incur costs.

Important Notes

The ETag value of an encrypted object is the MD5 value of the ciphertext, rather than that of the plaintext.

Constraints

SSE-OBS only supports the AES-256 algorithm.

How SSE-OBS Works

Figure 1 SSE-OBS encryption process

Figure 1 shows how SSE-OBS works with envelope encryption:

1. OBS derives the plaintext DEK from the system root key, and then encrypts the plaintext DEK to obtain the ciphertext DEK.
2. OBS uses the plaintext DEK to encrypt data and then promptly deletes the plaintext DEK from memory.
3. OBS stores the ciphertext DEK as metadata along with the ciphertext object.

Figure 2 SSE-OBS decryption process

Figure 2 shows how SSE-OBS decryption works:

1. When an object is downloaded, OBS initiates a request for decrypting the ciphertext DEK.
2. OBS decrypts the ciphertext DEK and returns the plaintext DEK.
3. OBS uses the plaintext DEK to decrypt the ciphertext object, obtains the plaintext object, and then promptly deletes the plaintext DEK from memory.

Permissions Configuration

• To set a bucket's encryption method to SSE-OBS, you must be the bucket owner or have the required permissions (obs:bucket:PutEncryptionConfiguration and obs:bucket:GetEncryptionConfiguration in IAM or PutEncryptionConfiguration and GetEncryptionConfiguration in a bucket policy). For details, see OBS Permissions Control Overview, IAM Custom Policies, and Creating a Custom Bucket Policy.
• To use SSE-OBS to encrypt the object you are uploading, you must have the upload permission (obs:object:PutObject in IAM or PutObject in a bucket policy).
• To download objects encrypted using SSE-OBS, you must have the download permission (obs:object:GetObject in IAM or GetObject in a bucket policy).
• You can configure a bucket policy to enforce a specific server-side encryption method for objects uploaded to that bucket. For example, to deny any object upload requests that do not include the x-obs-server-side-encryption:"AES256" header for SSE-OBS, you can configure a bucket policy as follows:

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

  { "Statement": [ { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "PutObject", "Resource": "YourBucket/*", "Condition": { "StringNotEquals": { "x-obs-server-side-encryption": "AES256" } } } ] }

Configuring SSE-OBS for a Bucket

You can use OBS Console, APIs, or SDKs to configure SSE-OBS for a bucket.

Configuring SSE-OBS for an Object

You can use OBS Console, APIs, or SDKs to configure SSE-OBS for an object.

References

By copying an existing object to itself, you can apply encryption or change its encryption method. For details, see Changing the Encryption Status of an Existing Object.