SSE-OBS
Functions
With SSE-OBS, OBS uses the keys provided by itself for server-side encryption. Unlike SSE-KMS where KMS manages keys, in SSE-OBS, OBS manages keys.
Newly Added Headers
Use the header listed in Table 1 to implement SSE-OBS.
You can also configure the default encryption for a bucket to encrypt objects you upload to the bucket. After default encryption is enabled for a bucket, any object upload request without encryption header included will inherit the bucket's encryption settings. For details, see Configuring Bucket Encryption.
APIs Where SSE-OBS Headers Apply
You can configure headers about SSE-OBS in the APIs below:
- Uploading Objects - PUT
- Uploading Objects - POST (x-obs-server-side-encryption should be put in the form, instead of the header.)
- Copying Objects (The newly added headers apply to object copies.)
- Initiating a Multipart Upload
You can configure a bucket policy to restrict the request headers for a specified bucket. For example, if you require that object upload requests do not contain header x-obs-server-side-encryption:"AES256", you can use the following bucket policy:
{
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "PutObject",
"Resource": "YourBucket/*",
"Condition": {
"StringNotEquals": {
"x-obs-server-side-encryption": "AES256"
}
}
}
]
}
Sample Request: Using the Default Key to Encrypt an Object
PUT /encryp1 HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu Accept: */* Date: Wed, 06 Jun 2018 09:08:21 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU= x-obs-server-side-encryption:AES256 Content-Length: 5242 Expect: 100-continue [5242 Byte object contents]
Sample Response: Using the Default Key to Encrypt an Object
HTTP/1.1 200 OK Server: OBS x-obs-request-id: 8DF400000163D45AA81D038B6AE4C482 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: AES256 x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC Date: Wed, 06 Jun 2018 09:08:21 GMT Content-Length: 0
Sample Request: Copying an Object as an Encrypted Object
PUT /destobject HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu x-obs-server-side-encryption:AES256 Accept: */* Date: Wed, 06 Jun 2018 09:10:29 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI= x-obs-copy-source: /bucket/srcobject1
Sample Response: Copying an Object as an Encrypted Object
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BB78000001648480AF3900CED7F15155 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: AES256 x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS Date: Wed, 06 Jun 2018 09:10:29 GMT Content-Length: 0
Sample Request: Uploading an Encrypted Object Using a Signed URL
PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&Expires=1534152518&x-obs-server-side-encryption=AES256&Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.eu Accept: */* Date: Wed, 06 Jun 2018 09:10:29 GMT
Sample Response: Uploading an Encrypted Object Using a Signed URL
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BB78000001648480AF3900CED7F15155 ETag: "d8bffdfbab5345d91ac05141789d2477" x-obs-server-side-encryption: AES256 x-obs-id-2: oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS Date: Wed, 06 Jun 2018 09:10:29 GMT Content-Length: 0
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
