Using a Key to Encrypt Data in OBS
Data Encryption Workshop (DEW) is a cloud data encryption service. Key Management Service (KMS), provided by DEW, is a secure, reliable, and easy-to-use cloud service that helps you manage and protect keys in a centralized manner.
With KMS, you can create keys and use them to encrypt files uploaded to the OBS server.
Procedure
Procedure | Description |
---|---|
Preparations | Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant KMS permissions to the account. |
Step 1: Creating a Bucket | Buckets are containers that store objects in OBS. Before you can store data, you must create a bucket. |
Step 2: Creating a Key | With KMS, you can create keys and use them to encrypt files uploaded to the OBS server. |
Step 3: Uploading Files to an OBS Bucket | Upload files to the OBS bucket and use the KMS key to encrypt the files. |
Preparations
- Before encrypting data in OBS, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services. If you have already enabled Huawei Cloud services, skip this step.
- Ensure that your account has sufficient balance.
- You have obtained KMS CMKFullAccess or higher permissions. For details, see Creating a User and Authorizing the User the Permission to Access DEW.
Table 1 KMS system roles
Role | Description | Type | Dependencies |
---|---|---|---|
KMS administrator | All permissions of KMS | System-defined role | None |
KMS CMKFullAccess | All permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
KMS CMKReadOnlyAccess | Read-only permissions for KMS keys. Users with these permissions can perform all the operations allowed by policies. | System-defined policy | None |
Step 1: Creating a Bucket
Buckets are containers that store objects in OBS. Before you can store data, you must create a bucket.
- Log in to the DEW console.
- Click on the left and choose .
- On the displayed page, click Create Bucket to store uploaded files. For details, see Creating a Bucket.
Step 2: Creating a Key
The following uses an AES-256 symmetric key as an example.
The created key can be used only in the current region. To use it in other regions, switch to the target region and create a key or use a regional key.
- Log in to the DEW console.
- On the Key Management Service page, click Create Key in the upper right corner.
- On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 2.
Figure 1 Creating a key
Table 2 Mandatory parameters
Parameter | Example Value | Description |
---|---|---|
Name | KMS-335c | Custom key name, which cannot be empty. |
Key Algorithm | AES-256 | Supported key algorithm types and description. For details, see Key algorithms supported by KMS. |
Usage | ENCRYPT_DECRYPT | The value cannot be changed after the key is created. For AES_256 symmetric keys, the default value is ENCRYPT_DECRYPT. |
Source | Key Management Service | The following key material sources are supported:<br>- Key Management Service: KMS generates key materials.<br>- External: Import local key materials to KMS. |
- Click OK. A message is displayed in the upper right corner of the page, indicating that the key is created. In the key list, you can view the created keys, which are in the Enabled state by default.
Step 3: Uploading Files to an OBS Bucket
Upload files to the OBS bucket and use the KMS key to encrypt the files.
- Click on the left and choose .
- Click the bucket created in Step 1: Creating a Bucket to access its details page.
- On the displayed page, click Upload Object. Then, configure the parameters as shown in Figure 2. For details about the parameters, see Table 3.
Table 3 Mandatory parameters
Parameter | Example Value | Description |
---|---|---|
Storage Class | Inherit from bucket | Storage class of the object. If this parameter is not specified, the objects you upload inherit the default storage class of the bucket.<br>- Standard: For storing a large number of hot files or small files that are frequently accessed (multiple times per month on average) and require fast access.<br>- Infrequent Access: For storing data that is less frequently accessed (less than 12 times per year on average), but when needed, the access has to be fast.<br>- Archive: For archiving data that is rarely accessed (once a year on average) and does not require fast access.<br>- Deep Archive: For storing data that is very rarely accessed and does not require fast access. |
Upload Object | - | Drag and drop the files or folders you want to upload to the Upload Object area. You can also click add files and choose the local files. |
Server-Side Encryption | | If server-side encryption is enabled, new objects uploaded to this bucket will be automatically encrypted. |
Encryption Method | SSE-KMS | KMS generates and keeps keys, and OBS uses the keys to encrypt objects. |
Encryption Key Type | Custom<br>AES256/KMS-335c | Select the encryption key type. In this case, select the type of the key created in Step 2: Creating a Key. |
- Click OK.
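The console steps above leave two things to verify outside the browser: that the key created in Step 2 is actually usable for SSE-KMS (Enabled, ENCRYPT_DECRYPT, symmetric AES_256), and that objects uploaded in Step 3 really came back encrypted under that key rather than under the bucket default or no key at all. The following Python is an added example written for this page; it is not Huawei Cloud's own code or SDK. It assumes the OBS REST API header names `x-obs-server-side-encryption` (value `kms` for SSE-KMS) and `x-obs-server-side-encryption-kms-key-id`, which should be confirmed against the OBS API reference for your region, and it uses a constructed placeholder key ID in place of the real ID the console shows for KMS-335c. The sample response header sets are constructed, shaped like HeadObject responses, so the audit runs offline.

```python
"""Build and audit SSE-KMS settings for OBS object uploads.

Added example; not Huawei Cloud's own code. The header names below follow
the OBS REST API naming convention and are an assumption to be confirmed
against the OBS API reference for your region.
"""
from __future__ import annotations

from dataclasses import dataclass

SSE_HEADER = "x-obs-server-side-encryption"                    # assumed OBS header
SSE_KEY_ID_HEADER = "x-obs-server-side-encryption-kms-key-id"  # assumed OBS header
# Constructed placeholder; the console shows the real key ID for KMS-335c.
EXAMPLE_KEY_ID = "00000000-1111-2222-3333-444444444444"


@dataclass(frozen=True)
class KmsKey:
    """Fields of a KMS key as shown in the console after Step 2."""
    key_id: str
    alias: str
    algorithm: str   # "AES_256" for the symmetric key created in Step 2
    usage: str       # "ENCRYPT_DECRYPT" is the default for AES_256 keys
    state: str       # "Enabled" right after creation


def key_usable_for_sse(key: KmsKey) -> list[str]:
    """Return the reasons this key cannot back SSE-KMS; empty means usable."""
    problems: list[str] = []
    if key.state != "Enabled":
        problems.append(f"key {key.alias} is in state {key.state}, not Enabled")
    if key.usage != "ENCRYPT_DECRYPT":
        problems.append(f"key {key.alias} usage is {key.usage}; SSE-KMS needs ENCRYPT_DECRYPT")
    if key.algorithm != "AES_256":
        problems.append(f"key {key.alias} algorithm is {key.algorithm}; SSE-KMS needs a symmetric AES_256 key")
    return problems


def sse_kms_put_headers(key: KmsKey) -> dict[str, str]:
    """Headers to add to a PutObject request so OBS encrypts the object with this key."""
    problems = key_usable_for_sse(key)
    if problems:
        raise ValueError("; ".join(problems))
    return {SSE_HEADER: "kms", SSE_KEY_ID_HEADER: key.key_id}


def audit_object_encryption(response_headers: dict[str, str], expected_key_id: str) -> list[str]:
    """Check HeadObject/GetObject response headers against the key we expect.

    Header names are matched case-insensitively. An empty result means the
    object is SSE-KMS encrypted with the expected key.
    """
    lower = {name.lower(): value for name, value in response_headers.items()}
    findings: list[str] = []
    algo = lower.get(SSE_HEADER)
    if algo is None:
        findings.append("object stored without server-side encryption")
    elif algo.lower() != "kms":
        findings.append(f"object encrypted with {algo}, not SSE-KMS")
    else:
        key_id = lower.get(SSE_KEY_ID_HEADER)
        if key_id != expected_key_id:
            findings.append(f"object encrypted with key {key_id!r}, expected {expected_key_id!r}")
    return findings


# Constructed sample responses, shaped like HeadObject header sets.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "good": {"ETag": '"d41d8cd9"', "X-Obs-Server-Side-Encryption": "kms",
             "X-Obs-Server-Side-Encryption-Kms-Key-Id": EXAMPLE_KEY_ID},
    "plaintext": {"ETag": '"d41d8cd9"'},
    "wrong-key": {SSE_HEADER: "kms",
                  SSE_KEY_ID_HEADER: "99999999-0000-0000-0000-000000000000"},
}

if __name__ == "__main__":
    key = KmsKey(EXAMPLE_KEY_ID, "KMS-335c", "AES_256", "ENCRYPT_DECRYPT", "Enabled")
    print("PutObject headers:", sse_kms_put_headers(key))
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, audit_object_encryption(headers, EXAMPLE_KEY_ID) or ["ok"])
```

Running the audit over every object in the bucket (a HeadObject per key, or a periodic inventory) catches the two failure modes the console hides: objects uploaded before encryption was enabled, and objects encrypted under a different key after the bucket default changed.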