• Object Storage Service

obs
  1. Help Center
  2. Object Storage Service
  3. API Reference (OBS)
  4. OBS REST APIs
  5. Server-Side Encryption
  6. SSE-C

SSE-C

In SSE-C mode, OBS uses the keys and MD5 values provided by customers for server-side encryption.

OBS does not store your encryption keys. If you lost your encryption keys, you lost the objects. Six headers are added to support SSE-C.

Table 1 lists headers that are mandatory when you use SSE-C to encrypt objects.

Table 1 Mandatory headers in SSE-C mode

Header

Description

x-amz-server-side-encryption-customer-algorithm

Indicates the algorithm used to encrypt an object. The header is used in SSE-C mode.

Example:

x-amz-server-side-encryption-customer-algorithm:AES256

x-amz-server-side-encryption-customer-key

Indicates the key used to encrypt an object. The header is used in SSE-C mode.

Example:

x-amz-server-side-encryption-customer-key:K7QkYpBkM5+hcs27fsNkUnNVaobncnLht/rCB2o/9Cw=

x-amz-server-side-encryption-customer-key-MD5

Indicates the MD5 value of the key used to encrypt an object. The header is used in SSE-C mode. The MD5 value is used to check whether any error occurs during the transmission of the key.

Example:

x-amz-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==

Table 2 Interfaces to which the newly added headers apply

Interface

PUT Object

POST Object

PUT Object - Copy (the newly added headers apply to target objects)

HEAD Object

GET Object

Initiate Multipart Upload

Upload Part

Upload Part - Copy (the newly added headers apply to target parts)

Table 3 lists three headers that are added for PUT Object - Copy and Upload Part - Copy interfaces to support source objects encrypted using SSE-C.

Table 3 Headers

Header

Description

x-amz-copy-source-server-side-encryption-customer-algorithm

Indicates the algorithm used to decrypt a source object. The header is used in SSE-C mode.

Example: x-amz-copy-source-server-side-encryption-customer-algorithm:AES256

x-amz-copy-source-server-side-encryption-customer-key

Indicates the key used to decrypt a source object. The header is used in SSE-C mode.

Example:

x-amz-copy-source-server-side-encryption-customer-key:K7QkYpBkM5+hcs27fsNkUnNVaobncnLht/rCB2o/9Cw=

x-amz-copy-source-server-side-encryption-customer-key-MD5

Indicates the MD5 value of the key used to decrypt a source object. The header is used in SSE-C mode. The MD5 value is used to check whether any error occurs during the transmission of the key.

Example:

x-amz-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==