Updated on 2023-04-26 GMT+08:00

Uploading a File in Server-Side Encryption Mode

OBS allows you to encrypt objects using server-side encryption so that the objects can be securely stored in OBS.

If default encryption is not enabled for a bucket, the files you upload to this bucket are not encrypted by default, but you can configure server-side encryption when uploading files. If default encryption is already enabled for a bucket, the files you upload to it can either inherit the bucket's encryption settings or have server-side encryption configured separately.

Limitations and Constraints

  • The object encryption status cannot be changed.
  • A key in use must not be deleted. Otherwise, objects encrypted with this key cannot be downloaded.
  • Objects encrypted on the server side cannot be shared.
  • If an object is server-side encrypted and does not have any IAM agency configured, other accounts and users cannot access the object even if they have permission to read it.


In the region where OBS is deployed, the KMS Administrator permission must have been added to the user group. For details about how to add the permission, see Assigning Permissions to an IAM User. If the current account or user is the grantee, it also requires the KMS Administrator permission.

For details about DEW pricing, see the Product Pricing Details.


  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the name of the bucket you want. The Objects page is displayed.
  3. Click Upload Object. The Upload Object dialog box is displayed.
  4. Add the files to be uploaded.
  5. Choose SSE-KMS. You can select the default key in the current region to encrypt the objects you upload to the bucket. If you do not have a default key, OBS automatically creates one the first time you upload an object. You can also choose a custom key for encryption. If no such key is available, click Create KMS Key to create one on the KMS console.

    For details, see Creating a CMK.

    When server-side encryption is enabled for a bucket, you can select Inherit from bucket when uploading an object so that the object inherits the encryption settings from the bucket.

    Figure 1 Encrypting an object to be uploaded

  6. Click Upload.

    After the object is uploaded successfully, you can view its encryption status in the object list.
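The encryption status shown in the object list can also be checked in bulk from the response headers of an object metadata (HEAD) request. The following Python sketch is an added example, not part of the OBS documentation: it classifies each object by the `x-obs-server-side-encryption` and `x-obs-server-side-encryption-kms-key-id` headers of the OBS REST API and reports objects that are not SSE-KMS encrypted or that use a key other than the expected one. The object names, key IDs and responses are constructed, and the two key ID forms handled (a bare ID, or an ID after a `key/` prefix) are an assumption.

```python
# Added example: audit constructed HEAD-response headers for SSE-KMS status.
SSE_HEADER = "x-obs-server-side-encryption"
KEY_HEADER = "x-obs-server-side-encryption-kms-key-id"


def classify(headers, expected_key_id=None):
    """Classify one object's HEAD response headers."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get(SSE_HEADER, "").lower() != "kms":
        return "NOT_SSE_KMS"          # no SSE-KMS header on the object
    if expected_key_id is None:
        return "SSE_KMS"              # encrypted; key is not being checked
    key_id = h.get(KEY_HEADER)
    if key_id is None:
        return "SSE_KMS_KEY_UNKNOWN"  # encrypted, but the key cannot be confirmed
    # Assumption: the key ID is either bare or the last segment after "key/".
    bare = key_id.rsplit("/", 1)[-1]
    return "SSE_KMS" if bare == expected_key_id else "SSE_KMS_UNEXPECTED_KEY"


def audit(responses, expected_key_id=None):
    """Return {object_name: status} for every object not in the desired state."""
    findings = {}
    for name, headers in responses.items():
        status = classify(headers, expected_key_id)
        if status != "SSE_KMS":
            findings[name] = status
    return findings


# Constructed sample responses (not captured from a real bucket).
SAMPLE = {
    "reports/q1.csv": {SSE_HEADER: "kms", KEY_HEADER: "constructed-key-0001"},
    "reports/q2.csv": {
        "X-Obs-Server-Side-Encryption": "kms",
        "X-Obs-Server-Side-Encryption-Kms-Key-Id":
            "region-x:domain-x:key/constructed-key-0002",
    },
    "reports/q3.csv": {SSE_HEADER: "kms"},
    "tmp/plain.txt": {"Content-Length": "42"},
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, "constructed-key-0001").items():
        print(f"{status:24} {name}")
```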