Updated on 2024-04-01 GMT+08:00

Uploading an Object in Server-Side Encryption Mode

OBS allows you to encrypt objects with server-side encryption so that the objects can be securely stored in OBS.

In a bucket with server-side encryption disabled, objects uploaded to it are not encrypted by default, but you can configure server-side encryption for the objects when uploading them. In a bucket with server-side encryption enabled, objects uploaded to it can inherit the encryption settings of the bucket, and you can also separately configure encryption for the objects.

Constraints

  • The object encryption status cannot be changed.
  • A key in use must not be deleted. Otherwise, objects encrypted with this key cannot be downloaded.
  • If an object is server-side encrypted and does not have any IAM agency, other accounts and users cannot access the object even if they have permission to read it.

Prerequisites

In the region where OBS is deployed, the KMS Administrator permission has been added to the user group. For details about how to add the permission, see Assigning Permissions to an IAM User. If the current account or user is the grantee, it also requires the KMS Administrator permission.

For details about DEW pricing, see the Product Pricing Details.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate on to go to the Objects page.
  3. Click Upload Object. The Upload Object dialog box is displayed.
  4. Add the files to be uploaded.
  5. Select SSE-KMS or SSE-OBS.

    If you choose SSE-KMS for encryption, you must specify an encryption key type (Default or Custom). If Default is used, the default key of the current region will be used to encrypt your objects. If no such default key exists, OBS creates one the first time you upload an object. If Custom is used, you can choose a custom key you created on the KMS console to encrypt your objects.

    For details, see Creating a Key.

    Figure 1 Choosing SSE-KMS for server-side encryption

    When SSE-OBS is chosen, the keys created and managed by OBS are used for encryption.

    Figure 2 Choosing SSE-OBS for server-side encryption

  6. Click Upload.

    After the object is uploaded, you can view its encryption status on its details page.