SSE-C
Functions
With SSE-C used, OBS uses the keys and MD5 values provided by customers for server-side encryption.
Newly Added Headers
OBS does not store your encryption keys. If you lost them, you lost the objects. Six headers are added to support SSE-C.
The following table lists headers that are required when you use SSE-C to encrypt objects.
|
Element |
Description |
|---|---|
|
x-obs-server-side-encryption-customer-algorithm |
Indicates the encryption algorithm for the object when SSE-C is used. Example: x-obs-server-side-encryption-customer-algorithm: AES256 |
|
x-obs-server-side-encryption-customer-key |
Indicates the key for encrypting objects when SSE-C is used. Its value is a Base64-encoded 256-bit key. Example: x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= |
|
x-obs-server-side-encryption-customer-key-MD5 |
Indicates the MD5 value of the key for encrypting objects when SSE-C is used. Its value is a Base64-encoded MD5 hash. The MD5 value is used to check whether any error occurs during the transmission of the key. Example: x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== |
APIs where the newly added headers apply:
- Uploading an Object - PUT
- Uploading an Object - POST
- Copying an Object: The newly added headers apply to the object copy.
- Querying Object Metadata
- Downloading an Object
- Initiating a Multipart Upload
- Uploading Parts
- Copying Parts: The newly added headers apply to target parts.
The following table lists three headers that are added for CopyObject and UploadPart-Copy operations to support source objects encrypted using SSE-C.
|
Element |
Description |
|---|---|
|
x-obs-copy-source-server-side-encryption-customer-algorithm |
Indicates the algorithm for decrypting the source object when SSE-C is used. Example: x-obs-server-side-encryption-customer-algorithm: AES256 |
|
x-obs-copy-source-server-side-encryption-customer-key |
Indicates the key for decrypting the source object when SSE-C is used. Example: x-obs-copy-source-server-side-encryption-customer-algorithm: K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= |
|
x-obs-copy-source-server-side-encryption-customer-key-MD5 |
Indicates the MD5 value of the key for decrypting the source object when SSE-C is used. The MD5 value is used to check whether any error occurs during the transmission of the key. Example: x-obs-copy-source-server-side-encryption-customer-key:4XvB3tbNTN+tIEVa0/fGaQ== |
Sample Request: Uploading an Object Encrypted with SSE-C
1 2 3 4 5 6 7 8 9 10 11 12 |
PUT /encryp2 HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* Date: Wed, 06 Jun 2018 09:12:00 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0= x-obs-server-side-encryption-customer-algorithm:AES256 x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== Content-Length: 5242 [5242 Byte object contents] |
Sample Response: Uploading an Object Encrypted with SSE-C
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: 8DF400000163D45E0017055619BD02B8 ETag: "0f91242c7f3d86f98ae572a686d0696e" x-obs-server-side-encryption-customer-algorithm: AES256 x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ== x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCSSAJ8bTNJV0X+Ote1PtuWecqyMh6zBJ Date: Wed, 06 Jun 2018 09:12:00 GMT Content-Length: 0 |
Sample Request: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
PUT /kmsobject HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* Date: Wed, 06 Jun 2018 09:20:10 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0= x-obs-copy-source-server-side-encryption-customer-algorithm:AES256 x-obs-copy-source-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= x-obs-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== x-obs-server-side-encryption: kms x-obs-copy-source: /examplebucket/encryp2 Content-Length: 5242 [5242 Byte object contents] |
Sample Response: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BB7800000164848E0FC70528B9D92C41 ETag: "1072e1b96b47d7ec859710068aa70d57" x-obs-server-side-encryption: kms x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTkkRzQXs9ECzZcavVRncBqqYNkoAEsr Date: Wed, 06 Jun 2018 09:20:10 GMT Content-Length: 0 |
Sample Request: Uploading an SSE-C Encrypted Object Using a Signed URL
PUT /encrypobject?AccessKeyId=H4IPJX0TQTHTHEBQQCEC&Expires=1532688887&Signature=EQmDuOhaLUrzrzRNZxwS72CXeXM%3D HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* x-obs-server-side-encryption-customer-algorithm: AES256 x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== Content-Length: 5242 Expect: 100-continue [5242 Byte object contents]
Sample Response: Uploading an SSE-C Encrypted Object Using a Signed URL
1 2 3 4 5 6 7 8 9 |
HTTP/1.1 100 Continue HTTP/1.1 200 OK Server: OBS x-obs-request-id: 804F00000164DB5E5B7FB908D3BA8E00 ETag: "1072e1b96b47d7ec859710068aa70d57" x-obs-server-side-encryption-customer-algorithm: AES256 x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ== x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTlpxILjhVK/heKOWIP8Wn2IWmQoerfw Content-Length: 0 |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
