OBS allows you to encrypt objects on the server side so that the objects can be securely stored in OBS.
Prerequisites
The KMS Administrator permission has been granted for the region where OBS is deployed. For details, see the Identity and Access Management User Guide.
A custom KMS Policy with a minimum required set of allowed actions for users to be able to upload and download objects with Server-Side Encryption is:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:dek:crypto",
"kms:dek:create",
"kms:cmk:get",
"kms:cmk:list",
"kms:cmk:generate",
"kms:cmk:crypto"
]
}
]
}
Procedure
- Log in to OBS Browser.
- In the upper right corner on the page, click
. - Choose System Configuration > General. For details, see Figure 1.
- Select Enable HTTPS and Enable KMS encryption.
- Click Save.
- Verify the encryption status.
After HTTPS and KMS encryption are enabled, objects uploaded to OBS are encrypted with keys provided by KMS. By default, the key obs/default is used for encryption.
After objects are uploaded, click
on the right of the object list. In the Properties dialog box that is displayed, you can view the object encryption status. Yes indicates that server-side encryption has been implemented for the object. No indicates that server-side encryption has not been implemented for the object. The object encryption status cannot be changed. HTTPS must be enabled when you enable KMS encryption to upload objects. Therefore, if you deselect Enable HTTPS, Enable KMS encryption is deselected automatically.
Figure 2 Encryption status
- Server-side encryption does not support HTTP. To use server-side encryption, enable HTTPS.
- A key in use cannot be deleted. Otherwise, the object encrypted with this key cannot be downloaded.
