SSE-C
Functions
When SSE-C is used, OBS performs server-side encryption with the keys and MD5 values that customers provide.
Newly Added Headers
OBS does not store your encryption keys. If you lose them, you lose the objects. Six headers are added to support SSE-C.
The following table lists headers that are required when you use SSE-C to encrypt objects.
| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| x-obs-server-side-encryption-customer-algorithm | Yes | String | Definition: Indicates the encryption algorithm for the object when SSE-C is used. Example: x-obs-server-side-encryption-customer-algorithm: AES256 Constraints: This header is included in a response if SSE-C is used for server-side encryption. Range: AES256: SSE-C encryption and the AES256 algorithm are used. Default value: None |
| x-obs-server-side-encryption-customer-key | Yes | String | Definition: The key for encrypting objects when SSE-C is used. Its value is a Base64-encoded 256-bit key. Example: x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= Constraints: This header is used only when SSE-C is used for encryption. Range: None Default value: None |
| x-obs-server-side-encryption-customer-key-MD5 | Yes | String | Definition: Indicates the MD5 value of the key for encrypting objects when SSE-C is used. Its value is a Base64-encoded MD5 value. The MD5 value is used to ensure data integrity during key transmission. Example: x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== Constraints: This header is used only when SSE-C is used for encryption. Range: MD5 value of the key. Default value: None |
APIs where the newly added headers apply:
- Uploading an Object - PUT
- Uploading an Object - POST
- Copying an Object: The newly added headers apply to the object copy.
- Querying Object Metadata
- Downloading an Object
- Initiating a Multipart Upload
- Uploading Parts
- Copying Parts: The newly added headers apply to target parts.
The following table lists three headers that are added for CopyObject and UploadPart-Copy operations to support source objects encrypted using SSE-C.
| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| x-obs-copy-source-server-side-encryption-customer-algorithm | Yes | String | Definition: Indicates the algorithm for decrypting the source object when SSE-C is used. Example: x-obs-copy-source-server-side-encryption-customer-algorithm: AES256 Constraints: This header is used only when SSE-C is used for encryption. Range: AES256: SSE-C encryption and the AES256 algorithm are used. Default value: None |
| x-obs-copy-source-server-side-encryption-customer-key | Yes | String | Definition: Indicates the Base64 value of the key for decrypting the source object when SSE-C is used. Example: x-obs-copy-source-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= Constraints: This header is used only when SSE-C is used for encryption. Range: None Default value: None |
| x-obs-copy-source-server-side-encryption-customer-key-MD5 | Yes | String | Definition: Indicates the MD5 value of the key for decrypting the source object when SSE-C is used. The MD5 value is used to ensure data integrity during key transmission. Example: x-obs-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== Constraints: This header is used only when SSE-C is used for encryption. Range: MD5 value of the key. Default value: None |
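Both header sets in the tables above are derived from a single 256-bit key. The following Python sketch is an added example, not code from OBS or its SDK: it builds either set, checks a set for consistency before it is sent, and masks the key for logging. It assumes the MD5 is computed over the raw 32 key bytes; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac

PREFIX = "x-obs-server-side-encryption-customer-"
COPY_PREFIX = "x-obs-copy-source-server-side-encryption-customer-"
SAMPLE_KEY = bytes(range(32))  # constructed test key; use secrets.token_bytes(32) in practice


def _md5_b64(key: bytes) -> str:
    # Assumption: the MD5 is computed over the raw key bytes, not the Base64 text.
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def sse_c_headers(key: bytes, copy_source: bool = False) -> dict:
    """Build the three SSE-C headers (or their copy-source variants)."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    prefix = COPY_PREFIX if copy_source else PREFIX
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode("ascii"),
        prefix + "key-MD5": _md5_b64(key),
    }


def check_headers(headers: dict, copy_source: bool = False) -> list:
    """Return a list of problems; an empty list means the set is consistent."""
    prefix = (COPY_PREFIX if copy_source else PREFIX).lower()
    h = {name.lower(): value.strip() for name, value in headers.items()}
    problems = []
    if h.get(prefix + "algorithm") != "AES256":
        problems.append("algorithm must be AES256")
    try:
        key = base64.b64decode(h.get(prefix + "key", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["key is not valid Base64"]
    if len(key) != 32:
        problems.append("key must decode to 32 bytes")
    sent_md5 = h.get(prefix + "key-md5", "")
    if not hmac.compare_digest(_md5_b64(key).encode(), sent_md5.encode()):
        problems.append("key-MD5 does not match key")
    return problems


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log: key values are masked."""
    return {n: "<redacted>" if n.lower().endswith("customer-key") else v
            for n, v in headers.items()}
```

Because OBS does not store the key, the same key bytes must be kept by the client and presented again on every later request for the object.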
Sample Request: Uploading an Object Encrypted with SSE-C
```
PUT /encryp2 HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Wed, 06 Jun 2018 09:12:00 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0=
x-obs-server-side-encryption-customer-algorithm:AES256
x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
Content-Length: 5242

[5242 Byte object contents]
```
Sample Response: Uploading an Object Encrypted with SSE-C
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D45E0017055619BD02B8
ETag: "0f91242c7f3d86f98ae572a686d0696e"
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCSSAJ8bTNJV0X+Ote1PtuWecqyMh6zBJ
Date: Wed, 06 Jun 2018 09:12:00 GMT
Content-Length: 0
```
Sample Request: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
```
PUT /kmsobject HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Wed, 06 Jun 2018 09:20:10 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0=
x-obs-copy-source-server-side-encryption-customer-algorithm:AES256
x-obs-copy-source-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-server-side-encryption: kms
x-obs-copy-source: /examplebucket/encryp2
Content-Length: 5242

[5242 Byte object contents]
```
Sample Response: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BB7800000164848E0FC70528B9D92C41
ETag: "1072e1b96b47d7ec859710068aa70d57"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTkkRzQXs9ECzZcavVRncBqqYNkoAEsr
Date: Wed, 06 Jun 2018 09:20:10 GMT
Content-Length: 0
```
Sample Request: Uploading an SSE-C Encrypted Object Using a Signed URL
```
PUT /encrypobject?AccessKeyId=H4IPJX0TQTHTHEBQQCEC&Expires=1532688887&Signature=EQmDuOhaLUrzrzRNZxwS72CXeXM%3D HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
Content-Length: 5242
Expect: 100-continue

[5242 Byte object contents]
```
Sample Response: Uploading an SSE-C Encrypted Object Using a Signed URL
```
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 804F00000164DB5E5B7FB908D3BA8E00
ETag: "1072e1b96b47d7ec859710068aa70d57"
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTlpxILjhVK/heKOWIP8Wn2IWmQoerfw
Content-Length: 0
```