Updated on 2025-08-22 GMT+08:00

Configuring Bucket Encryption

Functions

OBS uses the PUT method to create or update the default server-side encryption for a bucket.

After you configure encryption for a bucket, objects uploaded to this bucket will be encrypted with the bucket encryption settings you specified. Currently, OBS supports server-side encryption with KMS-managed keys (SSE-KMS) and OBS-managed keys (SSE-OBS). For details, see Server-Side Encryption.

To perform this operation, you must have the PutEncryptionConfiguration permission. By default, the bucket owner has this permission and can grant it to others.

For more information, see permission control in the OBS Permission Configuration Guide.

Request Syntax (SSE-KMS AES256)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.myhuaweicloud.com 
Accept: */*
Date: date 
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Request Syntax (SSE-OBS)

PUT /?encryption HTTP/1.1 
User-Agent: curl/7.29.0 
Host: bucketname.obs.region.myhuaweicloud.com 
Accept: */* 
Date: date  
Authorization: authorization string 
Content-Length: length
 
<ServerSideEncryptionConfiguration> 
    <Rule> 
        <ApplyServerSideEncryptionByDefault> 
            <SSEAlgorithm>AES256</SSEAlgorithm> 
        </ApplyServerSideEncryptionByDefault> 
    </Rule> 
</ServerSideEncryptionConfiguration>

Request Parameters

This request contains no message parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

The request body carries the bucket encryption configuration in XML format. Table 1 lists the configuration elements.

Table 1 Configuration elements of bucket encryption

Parameter: ServerSideEncryptionConfiguration
Mandatory (Yes/No): Yes
Type: Container
Description:
  Definition: Root element of the default bucket encryption configuration. ServerSideEncryptionConfiguration is the parent node of Rule.
  Constraints: None
  Range: None
  Default value: None

Parameter: Rule
Mandatory (Yes/No): Yes
Type: Container
Description:
  Definition: The child element of the default bucket encryption configuration. Rule is the parent node of ApplyServerSideEncryptionByDefault.
  Constraints: None
  Range: For details, see Rule parameters.
  Default value: None

Table 2 Rule parameter description

Parameter: ApplyServerSideEncryptionByDefault
Mandatory (Yes/No): Yes
Type: Container
Description:
  Definition: The child element of the default bucket encryption configuration.
  Constraints: None
  Range: For details, see Table 3.
  Default value: None

Table 3 ApplyServerSideEncryptionByDefault parameters

Parameter: SSEAlgorithm
Mandatory (Yes/No): Yes
Type: String
Description:
  Definition: Server-side encryption algorithm used for the default encryption configuration of a bucket.
  Constraints: None
  Range:
  • kms: SSE-KMS encryption and the AES256 algorithm are used.
  • AES256: SSE-OBS encryption and the AES256 algorithm are used.
  Default value: None

Parameter: KMSMasterKeyID
Mandatory (Yes/No): No
Type: String
Description:
  Definition: KMS master key ID used in SSE-KMS encryption.
  Constraints:
  • If this parameter is not specified, the default master key will be used.
  • If BucketKeyEnabled is set to true, the value of KMSMasterKeyID is the ID of the master key created on KMS.
  Range:
  • regionID:domainID:key/key_id
  • key_id
  In the preceding formats:
  Default value: None

Parameter: ProjectID
Mandatory (Yes/No): No
Type: String
Description:
  Definition: ID of the project where the KMS master key belongs when SSE-KMS is used.
  Constraints:
  • If the project is not the default one, you must use this parameter to specify the project ID.
  • If KMSMasterKeyID is not specified, do not set the project ID.
  • If a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.
  Range: Project ID that matches KMSMasterKeyID, that is, the ID of the project to which the master key with the specified KMSMasterKeyID belongs
  Default value: None
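The constraints in Table 3 can be enforced on the client before the request is sent. The following is an added example, not part of the OBS documentation or SDK: the function names are hypothetical, the key ID pattern checks only the two shapes listed under Range, and rejecting KMSMasterKeyID or ProjectID together with AES256 is a strictness chosen for this example. Request signing is not covered.

```python
import re
import xml.etree.ElementTree as ET

ALGORITHMS = {"kms": "SSE-KMS", "AES256": "SSE-OBS"}  # Range of SSEAlgorithm (Table 3)
# KMSMasterKeyID shapes from Table 3: regionID:domainID:key/key_id, or key_id alone.
# The page gives only the shape; the character classes here are an assumption.
KEY_ID = re.compile(r"^(?:[^:/\s]+:[^:/\s]+:key/)?[^:/\s]+$")


def build_encryption_config(algorithm, kms_key_id=None, project_id=None):
    """Return the XML body for PUT /?encryption, or raise ValueError."""
    if algorithm not in ALGORITHMS:
        raise ValueError("SSEAlgorithm must be 'kms' or 'AES256'")
    if algorithm != "kms" and (kms_key_id or project_id):
        # Strictness chosen for this example: both elements are described for SSE-KMS.
        raise ValueError("KMSMasterKeyID and ProjectID are SSE-KMS elements")
    if project_id and not kms_key_id:
        raise ValueError("do not set ProjectID when KMSMasterKeyID is not specified")
    if kms_key_id and not KEY_ID.match(kms_key_id):
        raise ValueError("KMSMasterKeyID must be regionID:domainID:key/key_id or key_id")
    root = ET.Element("ServerSideEncryptionConfiguration")
    rule = ET.SubElement(root, "Rule")
    default = ET.SubElement(rule, "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = algorithm
    if kms_key_id:
        ET.SubElement(default, "KMSMasterKeyID").text = kms_key_id
    if project_id:
        ET.SubElement(default, "ProjectID").text = project_id
    return ET.tostring(root, encoding="unicode")


def describe_encryption_config(body):
    """Summarise a configuration body: encryption mode and which key it names."""
    fields = {}
    for element in ET.fromstring(body).iter():
        # Drop any XML namespace prefix so sample bodies with xmlns also parse.
        fields[element.tag.rsplit("}", 1)[-1]] = (element.text or "").strip()
    algorithm = fields.get("SSEAlgorithm")
    if algorithm not in ALGORITHMS:
        raise ValueError("missing or unknown SSEAlgorithm")
    key = fields.get("KMSMasterKeyID") or ("default master key" if algorithm == "kms" else None)
    return {"mode": ALGORITHMS[algorithm], "key": key, "project": fields.get("ProjectID")}


if __name__ == "__main__":
    body = build_encryption_config("kms", "4f1cd4de-ab64-4807-920a-47fc42e7f0d0")
    print(body)
    print(describe_encryption_config(body))
```

`describe_encryption_config` reports "default master key" when a kms configuration omits KMSMasterKeyID, which makes that fallback visible when reviewing a bucket's settings.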

Response Syntax

HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

The response to the request uses common headers. For details, see Table 1.

Response Elements

This response contains no elements.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request (SSE-KMS AES256)

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date:  Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> 
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response (SSE-KMS AES256)

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0

Sample Request (SSE-OBS)

PUT /?encryption HTTP/1.1 
User-Agent: curl/7.29.0 
Host: bucketname.obs.region.myhuaweicloud.com 
Accept: */*
Date:  Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778
 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> 
    <Rule> 
        <ApplyServerSideEncryptionByDefault> 
            <SSEAlgorithm>AES256</SSEAlgorithm> 
        </ApplyServerSideEncryptionByDefault> 
    </Rule> 
</ServerSideEncryptionConfiguration>

Sample Response (SSE-OBS)

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0