Updated on 2024-05-31 GMT+08:00

Uploading an Object in Server-Side Encryption Mode

OBS allows you to encrypt objects with server-side encryption so that the objects can be securely stored in OBS.

In a bucket with server-side encryption disabled, objects uploaded to it are not encrypted by default, but you can configure server-side encryption for the objects when uploading them. In a bucket with server-side encryption enabled, objects uploaded to it can inherit the encryption settings of the bucket, and you can also separately configure encryption for the objects.


  • The object encryption status cannot be changed.
  • A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.
  • If an object is server-side encrypted and does not have any IAM agency, other accounts and users cannot access the object even if they can read this object.


In the region where OBS is deployed, the KMS Administrator permission has been added to the user group. For details about how to add the permission, see Assigning Permissions to an IAM User. If the current account or user is the grantee, it also requires the KMS Administrator permission.

For details about DEW pricing, see the Product Pricing Details.


  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate to go to the Objects page.
  3. Click Upload Object. The Upload Object dialog box is displayed.
  4. Add the files to be uploaded.
  5. Select SSE-KMS or SSE-OBS.

    If you choose SSE-KMS for encryption, you must specify an encryption key type (Default or Custom). If Default is used, the default key of the current region will be used to encrypt your objects. If there is no such a default key, OBS creates one the first time you upload an object. If Custom is used, you can choose a custom key you created on the KMS console to encrypt your objects.

    For details, see Creating a Key.

    Figure 1 Choosing SSE-KMS for server-side encryption

    When SSE-OBS is chosen, the keys created and managed by OBS are used for encryption.

    Figure 2 Choosing SSE-OBS for server-side encryption

  6. Click Upload.

    After the object is uploaded, you can view its encryption status on its details page.