Server-Side Encryption

OBS supports server-side encryption. Users can upload and download objects with server-side encryption applied.

Users can choose the encryption mode based on the key type to meet site requirements. OBS supports two server-side encryption modes: server-side encryption with KMS-managed keys (SSE-KMS) and server-side encryption with customer-provided keys (SSE-C).

In the SSE-KMS mode, OBS uses the keys provided by Key Management Service (KMS) for server-side encryption.

In the SSE-C mode, OBS uses the keys and MD5 values provided by customers for server-side encryption.

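When server-side encryption is used, the returned ETag value is not the MD5 value of the object. A client that compares the ETag with a locally computed MD5 value will therefore see a mismatch for encrypted objects. When an object is uploaded with server-side encryption, the server does not verify the Content-MD5 value supplied in the request.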

SSE-KMS

In the SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. When an object encrypted using SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. The SSE-KMS mode does not support keys created by customers. The bucket ACL and bucket policy do not allow cross-tenant authorized access to objects encrypted using SSE-KMS.

SSE-C

In the SSE-C mode, OBS uses the keys and MD5 values provided by customers for server-side encryption. OBS does not store your encryption keys. If you lose your encryption keys, you lose the objects. Six headers are added to support the SSE-C mode.
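The following Python sketch shows how a client can prepare the key and its MD5 value for an SSE-C request and check that the two agree before sending. It is an added example, not code from the original page or from OBS. Assumptions: the three header names (this page does not list the SSE-C headers), the `AES256` algorithm value, the 32-byte key length, and Base64 encoding of the key and its MD5 digest.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed header names; this page does not list the SSE-C headers.
H_ALG = "x-obs-server-side-encryption-customer-algorithm"
H_KEY = "x-obs-server-side-encryption-customer-key"
H_MD5 = "x-obs-server-side-encryption-customer-key-MD5"

KEY_LEN = 32  # assumption: 256-bit AES key


def new_key() -> bytes:
    """Generate a random key from the OS CSPRNG. The caller must store it:
    OBS does not keep SSE-C keys, so a lost key means a lost object."""
    return secrets.token_bytes(KEY_LEN)


def sse_c_headers(key: bytes) -> dict:
    """Build the per-request headers that carry the key and its MD5 value."""
    if len(key) != KEY_LEN:
        raise ValueError(f"SSE-C key must be {KEY_LEN} bytes, got {len(key)}")
    # MD5 is used here only as a transmission checksum of the key.
    digest = hashlib.md5(key).digest()
    return {
        H_ALG: "AES256",
        H_KEY: base64.b64encode(key).decode("ascii"),
        H_MD5: base64.b64encode(digest).decode("ascii"),
    }


def headers_consistent(headers: dict) -> bool:
    """Pre-flight check: does the MD5 header match the key header?"""
    try:
        key = base64.b64decode(headers[H_KEY], validate=True)
        claimed = base64.b64decode(headers[H_MD5], validate=True)
    except (KeyError, ValueError):  # missing header or malformed Base64
        return False
    if len(key) != KEY_LEN:
        return False
    return hmac.compare_digest(hashlib.md5(key).digest(), claimed)
```

Because the key travels in a request header, send these requests only over HTTPS and keep the key header out of client-side request logs.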
