Updated on 2025-10-22 GMT+08:00

Server-Side Encryption

There are three OBS encryption methods: server-side encryption with KMS-managed keys (SSE-KMS), server-side encryption with OBS-managed keys (SSE-OBS), and server-side encryption with customer-provided keys (SSE-C). For more information, see Server-Side Encryption.

Overview of Server-Side Encryption APIs

You can use APIs to configure encryption for existing buckets, as well as obtain and delete encryption configuration of existing buckets. For details, see Configuring Bucket Encryption, Obtaining Bucket Encryption Configuration, and Deleting the Encryption Configuration of a Bucket.

You can also configure encryption in the APIs for creating a bucket, uploading, downloading, and copying an object, as well as uploading an object in a multipart upload. The following table lists these APIs and parameters involved.

Table 1 Server-side encryption APIs and parameters

Type

Header

Description

API for Creating a Bucket

API for Uploading an Object - PUT

API for Uploading an Object - POST

Request headers

x-obs-server-side-encryption

Specifies the encryption method.

kms: SSE-KMS is used for encryption.

obs: SSE-OBS is used for encryption.

kms: SSE-KMS is used for encryption.

AES256: SSE-OBS and the AES-256 algorithm are used.

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

AES256: The AES-256 algorithm is used. AES-256 can be used for both SSE-KMS and SSE-OBS.

SM4: The SM4 algorithm is used. SM4 can only be used for SSE-KMS.

If this header is not included, the AES-256 algorithm is used.

SM4: The SM4 algorithm is used.

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

Key ID

Key ID

Key ID

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

Project ID

-

-

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

-

AES256: SSE-C and the AES-256 algorithm are used.

x-obs-server-side-encryption-customer-key

Specifies the plaintext key encoded in Base64 when SSE-C is used.

-

The plaintext key encoded in Base64

x-obs-server-side-encryption-customer-key-MD5

Specifies the MD5 value of the key when SSE-C is used.

-

The Base64-encoded MD5 value of the key

x-obs-copy-source-server-side-encryption-customer-algorithm

Specifies the algorithm for object copies when SSE-C is used.

-

-

-

x-obs-copy-source-server-side-encryption-customer-key

Specifies the Base64-encoded key for object copies when SSE-C is used.

-

-

-

x-obs-copy-source-server-side-encryption-customer-key-MD5

Specifies the MD5 value of the key used for object copies when SSE-C is used.

-

-

-

Response headers

x-obs-server-side-encryption

Specifies the server-side encryption method.

kms: SSE-KMS is used for encryption.

obs: SSE-OBS is used for encryption.

kms: SSE-KMS is used for encryption.

AES256: SSE-OBS and the AES-256 algorithm are used.

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

AES256: The AES-256 algorithm is used. AES-256 can be used for both SSE-KMS and SSE-OBS.

SM4: The SM4 algorithm is used. SM4 can only be used for SSE-KMS.

If this header is not included, the AES-256 algorithm is used.

SM4: The SM4 algorithm is used.

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

The key ID is returned only for custom keys.

The key ID is returned for both default keys and custom keys.

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

The project ID is returned only for custom keys.

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

-

AES256: SSE-C and the AES-256 algorithm are used.

x-obs-server-side-encryption-customer-key-MD5

Specifies the Base64-encoded MD5 value of the key when SSE-C is used.

-

The Base64-encoded MD5 value of the key

Table 2 Server-side encryption APIs and parameters

Type

Header

Description

API for Copying an Object

API for Initiating a Multipart Upload

API for Uploading Parts

API for Copying Parts

API for Completing a Multipart Upload

Request headers

x-obs-server-side-encryption

Specifies the encryption method.

kms: SSE-KMS is used for encryption.

AES256: SSE-OBS and the AES-256 algorithm are used.

-

-

-

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

AES256: The AES-256 algorithm is used.

SM4: The SM4 algorithm is used.

-

-

-

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

Key ID

-

-

-

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

-

-

-

-

-

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

AES256: SSE-C and the AES-256 algorithm are used.

-

x-obs-server-side-encryption-customer-key

Specifies the plaintext key encoded in Base64 when SSE-C is used.

The plaintext key encoded in Base64

-

x-obs-server-side-encryption-customer-key-MD5

Specifies the MD5 value of the key when SSE-C is used.

The Base64-encoded MD5 value of the key

-

x-obs-copy-source-server-side-encryption-customer-algorithm

Specifies the algorithm for object copies when SSE-C is used.

AES256: The target object copy is encrypted using SSE-C and the AES-256 algorithm.

-

-

AES256: The target object copy is encrypted using SSE-C and the AES-256 algorithm.

-

x-obs-copy-source-server-side-encryption-customer-key

Specifies the Base64-encoded key for object copies when SSE-C is used.

The plaintext key encoded in Base64

-

-

The plaintext key encoded in Base64

-

x-obs-copy-source-server-side-encryption-customer-key-MD5

Specifies the Base64-encoded MD5 value of the key used for object copies when SSE-C is used.

The Base64-encoded MD5 value of the key

-

-

The Base64-encoded MD5 value of the key

-

Response headers

x-obs-server-side-encryption

Specifies the encryption method.

kms: SSE-KMS is used for encryption.

AES256: SSE-OBS and the AES-256 algorithm are used.

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

If this header is not included, the AES-256 algorithm is used.

SM4: The SM4 algorithm is used.

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

Key ID

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

The project ID is returned only for custom keys.

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

AES256: SSE-C and the AES-256 algorithm are used.

x-obs-server-side-encryption-customer-key-MD5

Specifies the Base64-encoded MD5 value of the key when SSE-C is used.

The Base64-encoded MD5 value of the key

Table 3 Server-side encryption APIs and parameters

Type

Header

Description

API for Downloading an Object

API for Querying Object Metadata

Request headers

x-obs-server-side-encryption

Specifies the encryption method.

-

-

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

-

-

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

-

-

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

-

-

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

AES256: SSE-C and the AES-256 algorithm are used.

x-obs-server-side-encryption-customer-key

Specifies the plaintext key encoded in Base64 when SSE-C is used.

The plaintext key encoded in Base64

x-obs-server-side-encryption-customer-key-MD5

Specifies the MD5 value of the key when SSE-C is used.

The Base64-encoded MD5 value of the key

x-obs-copy-source-server-side-encryption-customer-algorithm

Specifies the algorithm for object copies when SSE-C is used.

-

-

x-obs-copy-source-server-side-encryption-customer-key

Specifies the Base64-encoded key for object copies when SSE-C is used.

-

-

x-obs-copy-source-server-side-encryption-customer-key-MD5

Specifies the Base64-encoded MD5 value of the key used for object copies when SSE-C is used.

-

-

Response headers

x-obs-server-side-encryption

Specifies the encryption method.

kms: SSE-KMS is used for encryption.

AES256: SSE-OBS and the AES-256 algorithm are used.

x-obs-server-side-data-encryption

Specifies the algorithm used for server-side encryption.

If this header is not included, the AES-256 algorithm is used.

SM4: The SM4 algorithm is used.

x-obs-server-side-encryption-kms-key-id

Specifies the ID of the KMS CMK when SSE-KMS is used.

Key ID

x-obs-sse-kms-key-project-id

Specifies the ID of the project to which the KMS CMK belongs when SSE-KMS is used.

-

-

x-obs-server-side-encryption-customer-algorithm

Specifies the algorithm for SSE-C.

AES256: SSE-C and the AES-256 algorithm are used.

x-obs-server-side-encryption-customer-key-MD5

Specifies the Base64-encoded MD5 value of the key when SSE-C is used.

The Base64-encoded MD5 value of the key

Requirements for Transmission Protocols of Server-Side Encryption APIs

Table 4 Requirements for the transfer protocol used by SSE-C operations

| Operation | Transfer Protocol |
| --- | --- |
| PutObject | HTTPS |
| PostObject | HTTPS |
| InitiateMultipartUpload | HTTPS |
| HeadObject | HTTPS |
| GetObject | HTTPS |
| UploadPart | HTTPS |
| CompleteMultipartUpload | HTTP or HTTPS |
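
An added example (not from the OBS documentation): a client-side pre-flight check that builds the three SSE-C request headers and blocks a request that would send the plaintext key over HTTP for the operations Table 4 lists as HTTPS-only. It assumes the key MD5 is computed over the raw key bytes, as in S3-style SSE-C; the function names are hypothetical.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ALG = "x-obs-server-side-encryption-customer-algorithm"
KEY = "x-obs-server-side-encryption-customer-key"
MD5 = "x-obs-server-side-encryption-customer-key-MD5"
# Operations that Table 4 lists as HTTPS-only when SSE-C is used.
HTTPS_ONLY = {"PutObject", "PostObject", "InitiateMultipartUpload",
              "HeadObject", "GetObject", "UploadPart"}

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def key_md5(key: bytes) -> str:
    # Assumption: the digest is taken over the raw key bytes (S3-style SSE-C).
    # MD5 here only detects key corruption in transit; it is not a security control.
    return b64(hashlib.md5(key, usedforsecurity=False).digest())

def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C request headers for a raw 256-bit key."""
    if len(key) != 32:
        raise ValueError("AES256 requires a 32-byte key")
    return {ALG: "AES256", KEY: b64(key), MD5: key_md5(key)}

def check_sse_c_request(operation: str, url: str, headers: dict) -> list:
    """Return the problems found; an empty list means the request may be sent."""
    h = {name.lower(): value for name, value in headers.items()}
    if KEY.lower() not in h:
        return []  # no customer key present, so not an SSE-C request
    problems = []
    if operation in HTTPS_ONLY and urlsplit(url).scheme.lower() != "https":
        problems.append("plaintext key would leave over a non-HTTPS URL")
    if h.get(ALG.lower()) != "AES256":
        problems.append("algorithm header must be AES256")
    try:
        key = base64.b64decode(h[KEY.lower()], validate=True)
    except ValueError:
        return problems + ["key header is not valid Base64"]
    if len(key) != 32:
        problems.append("decoded key is not 32 bytes")
    if h.get(MD5.lower()) != key_md5(key):
        problems.append("key-MD5 header does not match the key")
    return problems
```

Run the check in the HTTP client wrapper before the request is signed, so a misconfigured endpoint URL fails locally instead of exposing the key on the wire.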

Table 5 Requirements for the transfer protocol used by SSE-KMS operations

| Operation | Transfer Protocol |
| --- | --- |
| PutObject | HTTPS |
| PostObject | HTTPS |
| InitiateMultipartUpload | HTTPS |
| HeadObject | HTTP or HTTPS |
| GetObject | HTTPS |
| UploadPart | HTTPS |
| CompleteMultipartUpload | HTTP or HTTPS |

Table 6 Requirements for the transfer protocol used by the CopyObject operation

| Source Object | Target Object | Transfer Protocol |
| --- | --- | --- |
| Non-encrypted object | Object encrypted using SSE-KMS | HTTPS |
| Object encrypted using SSE-KMS | Object encrypted using SSE-KMS | HTTPS |
| Object encrypted using SSE-OBS | Object encrypted using SSE-KMS | HTTPS |
| Object encrypted using SSE-C | Object encrypted using SSE-KMS | HTTPS |
| Non-encrypted object | Object encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-KMS | Object encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-OBS | Object encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-C | Object encrypted using SSE-C | HTTPS |
| Non-encrypted object | Non-encrypted object | HTTP or HTTPS |
| Object encrypted using SSE-KMS | Non-encrypted object | HTTP or HTTPS |
| Object encrypted using SSE-OBS | Non-encrypted object | HTTP or HTTPS |
| Object encrypted using SSE-C | Non-encrypted object | HTTP or HTTPS |
| Non-encrypted object | Object encrypted using SSE-OBS | HTTPS |
| Object encrypted using SSE-KMS | Object encrypted using SSE-OBS | HTTPS |
| Object encrypted using SSE-OBS | Object encrypted using SSE-OBS | HTTPS |
| Object encrypted using SSE-C | Object encrypted using SSE-OBS | HTTPS |

Table 7 Requirements for the transfer protocol used by the UploadPart-Copy operation

| Source Object | Target Part | Transfer Protocol |
| --- | --- | --- |
| Non-encrypted object | Part encrypted using SSE-KMS | HTTP or HTTPS |
| Object encrypted using SSE-KMS | Part encrypted using SSE-KMS | HTTP or HTTPS |
| Object encrypted using SSE-OBS | Part encrypted using SSE-KMS | HTTP or HTTPS |
| Object encrypted using SSE-C | Part encrypted using SSE-KMS | HTTP or HTTPS |
| Non-encrypted object | Part encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-KMS | Part encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-OBS | Part encrypted using SSE-C | HTTPS |
| Object encrypted using SSE-C | Part encrypted using SSE-C | HTTPS |
| Non-encrypted object | Non-encrypted part | HTTP or HTTPS |
| Object encrypted using SSE-KMS | Non-encrypted part | HTTP or HTTPS |
| Object encrypted using SSE-OBS | Non-encrypted part | HTTP or HTTPS |
| Object encrypted using SSE-C | Non-encrypted part | HTTP or HTTPS |
| Non-encrypted object | Part encrypted using SSE-OBS | HTTP or HTTPS |
| Object encrypted using SSE-KMS | Part encrypted using SSE-OBS | HTTP or HTTPS |
| Object encrypted using SSE-OBS | Part encrypted using SSE-OBS | HTTP or HTTPS |
| Object encrypted using SSE-C | Part encrypted using SSE-OBS | HTTP or HTTPS |