Configuring Bucket Encryption¶
Functions¶
OBS uses the PUT method to create or update the default server-side encryption for a bucket.
After you configure encryption for a bucket, objects uploaded to this bucket will be encrypted with the bucket encryption settings you specified. Currently, OBS supports server-side encryption with KMS-managed keys (SSE-KMS). For details, see Server-Side Encryption.
To perform this operation, you must have the PutEncryptionConfiguration permission. By default, the bucket owner has this permission and can grant it to others.
Request Syntax (SSE-KMS AES256)¶
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.example.com
Accept: */*
Date: date
Authorization: authorization string
Content-Length: length
<ServerSideEncryptionConfiguration>
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>kms</SSEAlgorithm>
<KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>
Request Parameters¶
This request contains no message parameters.
Request Headers¶
This request uses common headers. For details, see Table 3.
Request Elements¶
In this request, you need to carry the bucket encryption configuration in the request body. The bucket encryption configuration information is uploaded in the XML format. Table 1 lists the configuration elements.
Header | Description | Mandatory |
---|---|---|
ServerSideEncryptionConfiguration | Root element of the default encryption configuration of a bucket. Type: container Parent: none Child: Rule | Yes |
Rule | Sub-element of the default encryption configuration of a bucket. Type: container Parent: ServerSideEncryptionConfiguration Child: ApplyServerSideEncryptionByDefault | Yes |
ApplyServerSideEncryptionByDefault | Sub-element of the default encryption configuration of a bucket. Type: container Parent: Rule Child: SSEAlgorithm and KMSMasterKeyID | Yes |
SSEAlgorithm | Server-side encryption algorithm used for the default encryption configuration of a bucket. Type: string Value options:
Parent: ApplyServerSideEncryptionByDefault | Yes |
KMSMasterKeyID | Customer master key (CMK) used in SSE-KMS encryption mode. If you do not specify this header, the default master key will be used. Type: string Valid value formats are as follows:
In the preceding formats:
Parent: ApplyServerSideEncryptionByDefault | No |
ProjectID | ID of the project where the KMS master key belongs when SSE-KMS is used. If the project is not the default one, you must use this parameter to specify the project ID. Type: string Value options:
Parent: ApplyServerSideEncryptionByDefault Note When a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects. | No |
Response Syntax¶
HTTP/1.1 status_code
Date: date
Content-Length: length
Response Headers¶
The response to the request uses common headers. For details, see Table 1.
Response Elements¶
This response contains no elements.
Error Responses¶
No special error responses are returned. For details about error responses, see Table 2.
Sample Request (SSE-KMS AES256)¶
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerSideEncryptionConfiguration xmlns="http://obs.region.example.com/doc/2015-06-30/">
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>kms</SSEAlgorithm>
<KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>
Sample Response (SSE-KMS AES256)¶
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0