Updated on 2024-02-20 GMT+08:00

SSE-OBS

Functions

With SSE-OBS, OBS uses the keys provided by itself for server-side encryption. Unlike SSE-KMS where KMS manages keys, in SSE-OBS, OBS manages keys.

Newly Added Headers

Use the header listed in Table 1 to implement SSE-OBS.

You can also configure the default encryption for a bucket to encrypt objects you upload to the bucket. After default encryption is enabled for a bucket, any object upload request without encryption header included will inherit the bucket's encryption settings. For details, see Configuring Bucket Encryption.

Table 1 Header used in SSE-OBS

Header

Description

x-obs-server-side-encryption

Indicates that SSE-OBS is used for encrypting objects.

Type: string

Example: x-obs-server-side-encryption:AES256

APIs Where SSE-OBS Headers Apply

You can configure headers about SSE-OBS in the APIs below:

You can configure a bucket policy to restrict the request headers for a specified bucket. For example, if you require that object upload requests do not contain header x-obs-server-side-encryption:"AES256", you can use the following bucket policy:

{ 
    "Statement": [ 
        { 
            "Sid": "DenyUnEncryptedObjectUploads", 
            "Effect": "Deny", 
            "Principal": "*", 
            "Action": "PutObject", 
            "Resource": "YourBucket/*", 
            "Condition": { 
                "StringNotEquals": { 
                    "x-obs-server-side-encryption": "AES256" 
                } 
            } 
        } 
    ] 
}

Sample Request: Using the Default Key to Encrypt an Object

PUT /encryp1 HTTP/1.1 
User-Agent: curl/7.29.0 
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */* 
Date: Wed, 06 Jun 2018 09:08:21 GMT 
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU= 
x-obs-server-side-encryption:AES256 
Content-Length: 5242 
Expect: 100-continue 
 
[5242 Byte object contents]

Sample Response: Using the Default Key to Encrypt an Object

HTTP/1.1 200 OK 
Server: OBS 
x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482 
ETag: "d8bffdfbab5345d91ac05141789d2477" 
x-obs-server-side-encryption: AES256 
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC 
Date: Wed, 06 Jun 2018 09:08:21 GMT 
Content-Length: 0

Sample Request: Copying an Object as an Encrypted Object

PUT /destobject HTTP/1.1 
User-Agent: curl/7.29.0 
Host: examplebucket.obs.region.myhuaweicloud.com
x-obs-server-side-encryption:AES256 
Accept: */* 
Date: Wed, 06 Jun 2018 09:10:29 GMT 
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI= 
x-obs-copy-source: /bucket/srcobject1

Sample Response: Copying an Object as an Encrypted Object

HTTP/1.1 200 OK 
Server: OBS 
x-obs-request-id: BB78000001648480AF3900CED7F15155 
ETag: "d8bffdfbab5345d91ac05141789d2477" 
x-obs-server-side-encryption: AES256 
x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS 
Date: Wed, 06 Jun 2018 09:10:29 GMT 
Content-Length: 0

Sample Request: Uploading an Encrypted Object Using a Signed URL

PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&Expires=1534152518&x-obs-server-side-encryption=AES256&Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1 
User-Agent: curl/7.29.0 
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */* 
Date: Wed, 06 Jun 2018 09:10:29 GMT

Sample Response: Uploading an Encrypted Object Using a Signed URL

HTTP/1.1 200 OK 
Server: OBS 
x-obs-request-id: BB78000001648480AF3900CED7F15155 
ETag: "d8bffdfbab5345d91ac05141789d2477" 
x-obs-server-side-encryption: AES256 
x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS 
Date: Wed, 06 Jun 2018 09:10:29 GMT 
Content-Length: 0