In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. When an object encrypted using SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. The SSE-KMS mode does not support the keys created by customers. The bucket ACL and policy do not allow cross-tenant authorized access to objects encrypted using SSE-KMS.

Two headers are added to support SSE-KMS.

x-amz-server-side-encryption: Indicates that SSE-KMS is used. Objects are encrypted using SSE-KMS.

Master key ID header: Indicates the master key ID of an encrypted object. This header is used in SSE-KMS mode. If the customer does not provide the master key, the default master key is used.

Table 1 Interfaces to which the newly added headers apply

- PUT Object
- POST Object
- PUT Object - Copy (the newly added headers apply to target objects)
- Initiate Multipart Upload

OBS supports bucket policies. You can use a bucket policy to enforce server-side encryption for all objects stored in a bucket. For example, if a tenant's object upload request does not contain the header x-amz-server-side-encryption:"aws:kms" for server-side encryption (SSE-KMS), the following bucket policy rejects the upload request.
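As an added example that is not from the original page, this is the shape such a policy takes in S3-compatible policy syntax, together with a small model of which Deny statements match a given upload request. The bucket name, the condition key s3:x-amz-server-side-encryption and the Resource format are assumptions to be checked against the OBS bucket policy reference.

```python
# Constructed example, not from the OBS documentation: a bucket policy that
# rejects PutObject requests unless they carry x-amz-server-side-encryption:
# aws:kms, written in S3-compatible policy syntax. The bucket name, the
# condition key s3:x-amz-server-side-encryption and the Resource format are
# assumptions; check them against the OBS bucket policy reference.
BUCKET = "example-bucket"
SSE_KEY = "s3:x-amz-server-side-encryption"

def deny_statement(sid, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": condition}

REQUIRE_SSE_KMS_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        # Header present with another value (e.g. AES256): not KMS, deny.
        deny_statement("DenyNonKmsEncryption",
                       {"StringNotEquals": {SSE_KEY: "aws:kms"}}),
        # Header absent (plaintext upload): deny explicitly as well.
        deny_statement("DenyMissingEncryptionHeader",
                       {"Null": {SSE_KEY: "true"}}),
    ],
}

def condition_matches(condition, sse_value):
    """Simplified evaluation of the two operators used above (a model of the
    policy semantics, not the service's engine); sse_value is None if absent."""
    for operator, pairs in condition.items():
        expected = pairs[SSE_KEY]
        if operator == "StringNotEquals":
            # NotEquals operators match when the key is absent, so this
            # statement alone already denies plaintext uploads.
            if sse_value == expected:
                return False
        elif operator == "Null":
            if (sse_value is None) != (expected == "true"):
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True

def denied_by(headers):
    """Return the Sids of Deny statements matching an upload request."""
    sse_value = headers.get("x-amz-server-side-encryption")
    return [s["Sid"] for s in REQUIRE_SSE_KMS_POLICY["Statement"]
            if s["Effect"] == "Deny" and condition_matches(s["Condition"], sse_value)]
```

A request with no encryption header matches both statements, one carrying AES256 matches only the first, and one carrying aws:kms matches neither and is allowed through to the normal ACL and policy checks.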