Server-Side Encryption Overview

Server-side encryption helps secure data stored in OBS and meet compliance requirements. It encrypts data at rest, storing data as ciphertext on physical storage media like hard disks. This ensures that even if the media is lost or accessed without authorization, the data remains protected. When the data is accessed, the OBS server decrypts it and then returns the plaintext data.

There are three OBS encryption methods: server-side encryption with KMS-managed keys (SSE-KMS), server-side encryption with OBS-managed keys (SSE-OBS), and server-side encryption with customer-provided keys (SSE-C).

**Table 1** Three server-side encryption methods
Comparison Dimension	SSE-KMS	SSE-OBS	SSE-C
Scenarios	Scenarios that require high compliance and security. Keys are generated by third-party validated Hardware Secure Modules (HSMs). Access to keys is controlled and all operations involving keys are traceable by logs.	Scenarios that require basic encryption and batch processing. OBS does not need to interact with KMS. SSE-OBS features lower access latency and better performance than SSE-KMS.	Scenarios that users need to store and manage keys by themselves
Key management	KMS generates and keeps keys, and OBS uses the keys to encrypt objects.	OBS generates and keeps keys, and uses the keys to encrypt objects.	A user generates and keeps keys, and OBS uses the keys to encrypt objects.
Encryption algorithm	AES-256 and SM4	AES-256	AES-256
Encryption scope	Bucket level and object level	Bucket level and object level	Object level
Details	See SSE-KMS.	See SSE-OBS.	See SSE-C.

You can refer to the regions that support SSE-KMS on the console. If you want to use the SM4 encryption algorithm when enabling SSE-KMS, choose the CN North-Ulanqab1 region.
SSE-OBS is available on the entire Huawei Cloud Chinese Mainland website.
SSE-C is available in the regions where the SSE-C API is supported.

Constraints

Only one encryption method can be used each time an object is uploaded. The encryption configuration of an uploaded object cannot be changed.
To use SSE-KMS to encrypt a bucket or the objects in it, you must have kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, and kms:dek:crypto permissions granted by using IAM, so that you can upload objects to or download objects from this bucket.
If server-side encryption is disabled for a bucket, the encrypted objects can only be accessed over HTTPS.
A key in use cannot be deleted, or the object encrypted with this key cannot be downloaded.

Bucket-Level and Object-Level Server-Side Encryption

The following table compares bucket-level and object-level server-side encryption.

**Table 2** Comparison between bucket-level and object-level server-side encryption
Item	Bucket-Level Encryption	Object-Level Encryption
Scenarios	You need to encrypt all objects when they are uploaded to a bucket.	You need to encrypt only some objects or select an encryption method and key each time you upload an object.
Encryption methods	SSE-KMS and SSE-OBS	SSE-KMS, SSE-OBS, and SSE-C
Configuration	You can change your encryption configuration at any time.	You can configure encryption during object upload and the configuration cannot be changed after the upload.
Impacts	If encryption is not enabled for a bucket, you can separately configure encryption when uploading objects to the bucket. If encryption is enabled for a bucket, OBS only encrypts the objects uploaded after encryption is enabled, and does not encrypt those uploaded before. When you upload objects to this bucket, they will inherit the bucket's encryption by default, but you can change the configuration if needed. If you change the encryption configuration for a bucket, only the objects uploaded after the change will inherit the new configuration. Objects uploaded before the change will retain the original configuration. Disabling encryption for a bucket does not change the encryption status of existing objects in the bucket. However, objects uploaded later will not be forcibly encrypted. If necessary, you can manually encrypt subsequent objects when you upload them to the bucket.

References

You can use Cloud Trace Service (CTS) to monitor bucket encryption operations, including setBucketEncryption (which configures server-side encryption for a bucket) and deleteBucketEncryption (which deletes the bucket's server-side encryption settings). For more information, see Using CTS to Audit OBS.
You can enable logging for OBS to automatically log bucket encryption operations, including REST.PUT.ENCRYPTION (which configures encryption for a bucket), REST.GET.ENCRYPTION (which obtains the bucket's encryption settings), and REST.DELETE.ENCRYPTION (which deletes the bucket's encryption settings). OBS writes the generated log files to the specified bucket. For more information, see Using Logging to Record OBS Logs.