doc-exports/docs/obs/umn/obs_03_0322.html
weihongmin1 cd7925dbd2 OBS UMN 1210 Version
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: weihongmin1 <weihongmin1@huawei.com>
Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
2025-12-10 14:10:07 +00:00

Enabling Server-Side Encryption When Uploading an Object

OBS allows you to encrypt objects with server-side encryption so that the objects can be securely stored in OBS.

When you upload an object to a bucket with server-side encryption disabled, you can separately configure server-side encryption for the object. If the bucket has server-side encryption enabled, the object you upload inherits encryption from the bucket by default. You can also configure new encryption for the object.

Constraints

  • The object encryption status cannot be changed.
  • A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.
  • Objects encrypted on the server side cannot be shared.

Prerequisites

In the region where OBS is deployed, the KMS Administrator permission has been added to the user group. For details about how to add permissions, see the IAM User Guide.

The minimum set of KMS actions that a custom policy must allow so that users can upload and download objects with server-side encryption is:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:dek:crypto",
                "kms:dek:create",
                "kms:cmk:get",
                "kms:cmk:list",
                "kms:cmk:generate",
                "kms:cmk:crypto"
            ]
        }
    ]
}
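As an added example (not part of the OBS documentation), the check below parses an IAM-style policy document in the shape shown above and reports which of the six required KMS actions it fails to grant. It assumes that an action is granted when an Allow statement names it, that wildcards such as kms:cmk:* are matched as globs, and that a Deny statement on the same action wins; those evaluation rules are assumptions for this check, not a statement of how the IAM service evaluates policies.

```python
import fnmatch
import json

# Minimum KMS actions listed on this page for uploading and downloading
# objects with SSE-KMS.
REQUIRED_KMS_ACTIONS = (
    "kms:dek:crypto", "kms:dek:create", "kms:cmk:get",
    "kms:cmk:list", "kms:cmk:generate", "kms:cmk:crypto",
)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def missing_kms_actions(policy_json: str) -> list:
    """Return the required KMS actions that the policy does not grant.

    Assumed evaluation rules: an action is granted when some Allow statement
    matches it (exact name or glob such as "kms:cmk:*") and no Deny
    statement matches it. Statements with any other Effect are ignored.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        if effect == "Allow":
            target = allowed
        elif effect == "Deny":
            target = denied
        else:
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action in REQUIRED_KMS_ACTIONS:
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                target.add(action)
    return [a for a in REQUIRED_KMS_ACTIONS if a not in allowed or a in denied]


# Constructed sample: the page's policy with kms:cmk:crypto left out and an
# explicit Deny on kms:dek:create, so two actions should be reported missing.
SAMPLE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:dek:crypto", "kms:dek:create",
                                        "kms:cmk:get", "kms:cmk:list",
                                        "kms:cmk:generate"]},
        {"Effect": "Deny", "Action": "kms:dek:create"},
    ],
})

if __name__ == "__main__":
    print(missing_kms_actions(SAMPLE_POLICY))
```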

Procedure

  1. In the bucket list, click the bucket you want to operate to go to the Objects page.
  2. Click Upload Object. The Upload Object dialog box is displayed.
  3. Add the files to be uploaded.
  4. Choose SSE-KMS. You can select the default key in the current region to encrypt the objects you upload to the bucket. If you do not have a default key, OBS automatically creates one the first time you upload an object. You can also choose Custom to use a custom key for encryption. If there is no custom key available, click Create KMS Key to create one on the KMS console. Then, go back here and choose the created key from the drop-down list.

    If the bucket has server-side encryption configured, the object you upload will inherit encryption from the bucket by default.

    Figure 1 Encrypting an object to be uploaded

  5. Click Upload.

    After the object is uploaded, you can view its encryption status on its details page.
