SSE-OBS
SSE-OBS does not need to interact with KMS, thereby having lower access latency and better performance than SSE-KMS. SSE-OBS is ideal for scenarios that require basic or batch encryption.
Billing
You are not billed for using SSE-OBS. However, requests for configuring SSE-OBS for buckets or objects will incur costs.
Important Notes
The ETag value of an encrypted object is the MD5 value of the ciphertext, rather than that of the plaintext.
Constraints
SSE-OBS only supports the AES-256 algorithm.
How SSE-OBS Works
Figure 1 shows how SSE-OBS works with envelope encryption:
- OBS derives the plaintext DEK from the system root key, and then encrypts the plaintext DEK to obtain the ciphertext DEK.
- OBS uses the plaintext DEK to encrypt data and then promptly deletes the plaintext DEK from memory.
- OBS stores the ciphertext DEK as metadata along with the ciphertext object.
Figure 2 shows how SSE-OBS decryption works:
- When an object is downloaded, OBS initiates a request for decrypting the ciphertext DEK.
- OBS decrypts the ciphertext DEK and returns the plaintext DEK.
- OBS uses the plaintext DEK to decrypt the ciphertext object, obtains the plaintext object, and then promptly deletes the plaintext DEK from memory.
Permissions Configuration
- To set a bucket's encryption method to SSE-OBS, you must be the bucket owner or have the required permissions (obs:bucket:PutEncryptionConfiguration and obs:bucket:GetEncryptionConfiguration in IAM or PutEncryptionConfiguration and GetEncryptionConfiguration in a bucket policy). For details, see OBS Permissions Control Overview, IAM Custom Policies, and Creating a Custom Bucket Policy.
- To use SSE-OBS to encrypt the object you are uploading, you must have the upload permission (obs:object:PutObject in IAM or PutObject in a bucket policy).
- To download objects encrypted using SSE-OBS, you must have the download permission (obs:object:GetObject in IAM or GetObject in a bucket policy).
- You can configure a bucket policy to enforce a specific server-side encryption method for objects uploaded to that bucket. For example, to deny any object upload requests that do not include the x-obs-server-side-encryption:"AES256" header for SSE-OBS, you can configure a bucket policy as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
{ "Statement": [ { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "PutObject", "Resource": "YourBucket/*", "Condition": { "StringNotEquals": { "x-obs-server-side-encryption": "AES256" } } } ] }
Configuring SSE-OBS for a Bucket
You can use OBS Console, APIs, or SDKs to configure SSE-OBS for a bucket.
Configuring SSE-OBS for an Object
You can use OBS Console, APIs, or SDKs to configure SSE-OBS for an object.
References
By copying an existing object to itself, you can apply encryption or change its encryption method. For details, see Changing the Encryption Status of an Existing Object.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot