Help Center/ Data Encryption Workshop/ Getting Started/ Using a Key to Encrypt Data in OBS
Updated on 2025-07-22 GMT+08:00
View PDF
Share

Using a Key to Encrypt Data in OBS

DEW is a cloud data encryption service. Key Management Service (KMS) provided by DEW is a secure, reliable, and easy-to-use cloud service that can help you manage and protect keys in a centralized manner.

With KMS, you can create keys and use the keys to encrypt files to be uploaded on the OBS server.

Procedure

Procedure

Description

Preparations

Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KMS permissions to the account.

Step 1: Creating a Bucket

Buckets are containers that store objects in OBS. Before you can store data, you must create a bucket.

Step 2: Creating a Key

With KMS, you can create keys and use the keys to encrypt files to be uploaded on the OBS server.

Step 3: Uploading Files to an OBS Bucket

Upload files to the OBS bucket and use the KMS key encrypt the files.

Preparations

  1. Before encrypting data in OBS, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services.

    If you have enabled Huawei Cloud, skip this step.

  2. Ensure that your account has sufficient balance.
  3. You have obtained KMS CMKFullAccess or higher permissions. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
    Table 1 KMS system roles

    Role

    Description

    Type

    Dependencies

    KMS administrator

    All permissions of KMS

    System-defined role

    None

    KMS CMKFullAccess

    All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

    KMS CMKReadOnlyAccess

    Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies.

    System-defined policy

    None

Step 1: Creating a Bucket

Buckets are containers that store objects in OBS. Before you can store data, you must create a bucket.

  1. Log in to the DEW console.
  2. Click on the left and choose Storage > Object Storage Service.
  3. On the displayed page, click Create Bucket to store uploaded files. For details, see Creating a Bucket.

Step 2: Creating a Key

The following uses the AES-256 symmetric key as an example.

The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key.

  1. Log in to the DEW console.
  2. On the Key Management Service page, click Create Key in the upper right corner.
  3. On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 2.
    Figure 1 Creating a key

    Table 2 Mandatory parameters

    Parameter

    Example Value

    Description

    Name

    KMS-335c

    Custom key name, which cannot be empty.

    Key Algorithm

    AES-256

    Supported key algorithm types and description. For details, see Key algorithms supported by KMS.

    Usage

    ENCRYPT_DECRYPT

    The value cannot be changed after the key is created.

    For AES_256 symmetric keys, the default value is ENCRYPT_DECRYPT.

    Source

    Key Management Service

    The following key material sources are supported:

    • Key Management Service: KMS generates key materials.
    • External: Import local key materials to KMS.
  4. Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.

Step 3: Uploading Files to an OBS Bucket

Upload files to the OBS bucket and use the KMS key encrypt the files.

  1. Click on the left and choose Storage > Object Storage Service.
  2. Click the bucket created in Step 1: Creating a Bucket to access its details page.
  3. On the displayed page, click Upload Object. Then, configure the parameters as shown in Figure 2. For details about the parameters, see Table 3.
    Figure 2 Uploading objects

    Table 3 Mandatory parameters

    Parameter

    Example Value

    Description

    Storage Class

    Inherit from bucket

    Storage class of the object. If this parameter is not specified, the objects you upload inherit the default storage class of the bucket.

    • Standard: It is for storing a large number of hot files or small files that are frequently accessed (multiple times per month on average) and require fast access.
    • Infrequent Access: It is for storing data that is less frequently accessed (less than 12 times per year on average), but when needed, the access has to be fast.
    • Archive: It is for archiving data that is rarely accessed (once a year on average) and does not require fast access.
    • Deep Archive: It is for storing data that is very rarely accessed and does not require fast access.

    Upload Object

    -

    Drag and drop the files or folders you want to upload to the Upload Object area.

    You can also click add files and choose the local files.

    Server-Side Encryption

    If server-side encryption is enabled, new objects uploaded to this bucket will be automatically encrypted.

    Encryption Method

    SSE-KMS

    KMS generates and keeps keys, and OBS uses the keys to encrypt objects.

    Encryption Key Type

    Custom

    AES256/KMS-335c

    Select the encryption key type.

    In this case, select the type of the key created in Step 2: Creating a Key.
  4. Click OK.