Uploading a File with Server-Side Encryption
OBS allows you to encrypt objects on the server side so that the objects can be securely stored in OBS.
Prerequisites
The KMS Administrator permission has been granted for the region where OBS is deployed. For details, see the Identity and Access Management User Guide.
Note
The following custom KMS policy contains the minimum set of allowed actions that users need to upload and download objects with server-side encryption:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:dek:crypto",
                "kms:dek:create",
                "kms:cmk:get",
                "kms:cmk:list",
                "kms:cmk:generate",
                "kms:cmk:crypto"
            ]
        }
    ]
}
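To check that a policy you assign stays at this minimum, the following added example (not part of the original documentation or of any OBS/KMS tooling) compares a policy document with the action list above and reports required actions that are not granted and grants that are broader than needed. The function name `audit_sse_policy`, the treatment of `*` as a wildcard, and Deny overriding Allow are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Minimum action set, copied from the custom KMS policy on this page.
REQUIRED = frozenset({
    "kms:dek:crypto", "kms:dek:create", "kms:cmk:get",
    "kms:cmk:list", "kms:cmk:generate", "kms:cmk:crypto",
})

def _actions(stmt):
    """Return a statement's Action field as a list (it may be a string)."""
    value = stmt.get("Action", [])
    return [value] if isinstance(value, str) else list(value)

def audit_sse_policy(policy_json):
    """Return (missing, excess) for a policy document given as JSON text.

    missing: required actions that are not allowed, or are explicitly denied.
    excess:  allowed entries that are wildcards or lie outside the minimum set.
    Assumption: "*" in an action is a wildcard and Deny overrides Allow.
    """
    statements = json.loads(policy_json).get("Statement", [])
    allow = {a for s in statements if s.get("Effect") == "Allow" for a in _actions(s)}
    deny = {a for s in statements if s.get("Effect") == "Deny" for a in _actions(s)}

    def matches(action, patterns):
        return any(fnmatchcase(action, p) for p in patterns)

    missing = sorted(a for a in REQUIRED
                     if not matches(a, allow) or matches(a, deny))
    excess = sorted(a for a in allow if a not in REQUIRED)
    return missing, excess

# Constructed sample: a policy that is both too broad and incomplete.
SAMPLE = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:cmk:*", "kms:dek:crypto"]},
    ],
})

if __name__ == "__main__":
    missing, excess = audit_sse_policy(SAMPLE)
    print("missing:", missing)
    print("excess:", excess)
```

An empty `missing` list with an empty `excess` list means the policy grants exactly the minimum set shown above.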
Procedure
Log in to OBS Browser.
In the upper right corner on the page, click .
Choose System Configuration > General. For details, see Figure 1.
Select Enable HTTPS and Enable KMS encryption.
Click Save.
Verify the encryption status.
After HTTPS and KMS encryption are enabled, all objects uploaded to OBS will be encrypted with keys provided by KMS. By default, the key obs/default is used for encryption.
After objects are uploaded, click on the right of the object list. In the Properties dialog box that is displayed, you can view the object encryption status. Yes indicates that server-side encryption has been implemented for the object. No indicates that server-side encryption has not been implemented for the object. The object encryption status cannot be changed.
Note
To enable KMS encryption, you must enable HTTPS. Therefore, if you deselect Enable HTTPS, Enable KMS encryption will be deselected accordingly.
Note
Server-side encryption does not support HTTP. To use server-side encryption, enable HTTPS.
A key that is in use must not be deleted; otherwise, objects encrypted with this key cannot be downloaded.