Configuring Bucket Encryption
Functions
OBS uses the PUT method to create or update the default server-side encryption for a bucket.
After you configure encryption for a bucket, objects uploaded to this bucket will be encrypted with the bucket encryption settings you specified. Currently, OBS supports server-side encryption with KMS-managed keys (SSE-KMS) and OBS-managed keys (SSE-OBS). For details, see Server-Side Encryption.
To perform this operation, you must have the PutEncryptionConfiguration permission. By default, the bucket owner has this permission and can grant it to others.
For more information about permission control, see the permission control in the OBS Permission Configuration Guide.
Request Syntax (SSE-KMS AES256)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: date Authorization: authorization string Content-Length: length <ServerSideEncryptionConfiguration> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>kms</SSEAlgorithm> <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Request Syntax (SSE-OBS)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: date Authorization: authorization string Content-Length: length <ServerSideEncryptionConfiguration> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>AES256</SSEAlgorithm> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Request Parameters
This request contains no message parameters.
Request Headers
This request uses common headers. For details, see Table 3.
Request Elements
In this request, you need to carry the bucket encryption configuration in the request body. The bucket encryption configuration information is uploaded in the XML format. Table 1 lists the configuration elements.
|
Header |
Description |
Mandatory |
|---|---|---|
|
ServerSideEncryptionConfiguration |
Root element of the default encryption configuration of a bucket. Type: container Parent: none Child: Rule |
Yes |
|
Rule |
Sub-element of the default encryption configuration of a bucket. Type: container Parent: ServerSideEncryptionConfiguration Child: ApplyServerSideEncryptionByDefault |
Yes |
|
ApplyServerSideEncryptionByDefault |
Sub-element of the default encryption configuration of a bucket. Type: container Parent: Rule Child: SSEAlgorithm and KMSMasterKeyID |
Yes |
|
SSEAlgorithm |
Server-side encryption algorithm used for the default encryption configuration of a bucket. Type: string Value options:
Parent: ApplyServerSideEncryptionByDefault |
Yes |
|
KMSMasterKeyID |
Customer master key (CMK) used in SSE-KMS encryption mode. If you do not specify this header, the default master key will be used. Type: string Valid value formats are as follows:
In the preceding formats:
Parent: ApplyServerSideEncryptionByDefault |
No |
|
ProjectID |
ID of the project where the KMS master key belongs when SSE-KMS is used. If the project is not the default one, you must use this parameter to specify the project ID. Type: string Value options:
Parent: ApplyServerSideEncryptionByDefault
NOTE:
When a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects. |
No |
Response Syntax
1 2 3 |
HTTP/1.1 status_code Date: date Content-Length: length |
Response Headers
The response to the request uses common headers. For details, see Table 1.
Response Elements
This response contains no elements.
Error Responses
No special error responses are returned. For details about error responses, see Table 2.
Sample Request (SSE-KMS AES256)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* Date: Thu, 21 Feb 2019 03:05:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI= Content-Length: 778 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>kms</SSEAlgorithm> <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Sample Response (SSE-KMS AES256)
1 2 3 4 5 6 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BF26000001643670AC06E7B9A7767921 x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm Date: Thu, 21 Feb 2019 03:05:34 GMT Content-Length: 0 |
Sample Request (SSE-OBS)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: Thu, 21 Feb 2019 03:05:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI= Content-Length: 778 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>AES256</SSEAlgorithm> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Sample Response (SSE-OBS)
1 2 3 4 5 6 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BF26000001643670AC06E7B9A7767921 x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm Date: Thu, 21 Feb 2019 03:05:34 GMT Content-Length: 0 |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
