OBS uses the PUT method to create or update the default server-side encryption for a bucket.
After encryption is enabled for a bucket, objects uploaded to the bucket are encrypted with the encryption configuration of the bucket. Currently, only server-side encryption with keys hosted by KMS (SSE-KMS) is supported. For details about SSE-KMS, see Server-Side Encryption (SSE-KMS).
To perform this operation, you must have the permission to configure encryption for the bucket. By default, the bucket owner has this permission and can assign this permission to other users.
```
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.example.com
Accept: */*
Date: date
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>
```
This request contains no message parameters.
This request uses common headers. For details, see Table 3.
The request body must carry the bucket encryption configuration, in XML format. Table 1 lists the configuration elements.
| Element | Description | Mandatory |
|---|---|---|
| ServerSideEncryptionConfiguration | Root element of the default encryption configuration of a bucket. Type: container. Ancestor: none. Children: Rule. | Yes |
| Rule | Sub-element of the default encryption configuration of a bucket. Type: container. Ancestor: ServerSideEncryptionConfiguration. Children: ApplyServerSideEncryptionByDefault. | Yes |
| ApplyServerSideEncryptionByDefault | Sub-element of the default encryption configuration of a bucket. Type: container. Ancestor: Rule. Children: SSEAlgorithm, KMSMasterKeyID. | Yes |
| SSEAlgorithm | Server-side encryption algorithm used for the default encryption configuration of a bucket. Type: string. Value options: kms. Ancestor: ApplyServerSideEncryptionByDefault. | Yes |
| KMSMasterKeyID | Customer master key (CMK) used in SSE-KMS encryption mode. If you do not specify this element, the default master key will be used. Type: string. Valid value formats are as follows: In the preceding formats: Ancestor: ApplyServerSideEncryptionByDefault. | No |
| ProjectID | ID of the project where the KMS master key belongs when SSE-KMS is used. If the project is not the default one, you must use this parameter to specify the project ID. Type: string. Value options: Ancestor: ApplyServerSideEncryptionByDefault. NOTE: When a custom key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects. | No |
```
HTTP/1.1 status_code
Date: date
Content-Length: length
```
The response to the request uses common headers. For details, see Table 1.
This response contains no elements.
No special error responses are returned. For details about error responses, see Table 2.
```
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServerSideEncryptionConfiguration xmlns="http://obs.region.example.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>
```
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0
```
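The following Python sketch is an added example, not part of the OBS documentation or SDK. It builds the request body described in Table 1 and checks an existing body against the same rules before it is sent, tolerating the namespaced root used in the sample request. The function names `build_config`, `check_config` and `local` are hypothetical, and request signing is out of scope.

```python
import xml.etree.ElementTree as ET

# Mandatory container nesting from Table 1, outermost first.
CONTAINERS = ["ServerSideEncryptionConfiguration", "Rule",
              "ApplyServerSideEncryptionByDefault"]

def local(tag):
    """Strip a namespace such as the xmlns on the sample request's root."""
    return tag.rsplit("}", 1)[-1]

def build_config(kms_key_id=None, project_id=None):
    """Serialize a body; without kms_key_id the default master key applies."""
    root = node = ET.Element(CONTAINERS[0])
    for name in CONTAINERS[1:]:
        node = ET.SubElement(node, name)
    ET.SubElement(node, "SSEAlgorithm").text = "kms"  # only value Table 1 lists
    if kms_key_id:
        ET.SubElement(node, "KMSMasterKeyID").text = kms_key_id
    if project_id:
        ET.SubElement(node, "ProjectID").text = project_id
    return ET.tostring(root, encoding="unicode")

def check_config(xml_text):
    """Return (errors, notes) for a body checked against Table 1.

    Assumption: xml_text comes from your own tooling, not an untrusted party.
    """
    errors, notes = [], []
    node = ET.fromstring(xml_text)
    if local(node.tag) != CONTAINERS[0]:
        return [f"root element is {local(node.tag)}"], notes
    for name in CONTAINERS[1:]:
        node = next((c for c in node if local(c.tag) == name), None)
        if node is None:
            return [f"missing mandatory element {name}"], notes
    leaves = {local(c.tag): (c.text or "").strip() for c in node}
    if "SSEAlgorithm" not in leaves:
        errors.append("missing mandatory element SSEAlgorithm")
    elif leaves["SSEAlgorithm"] != "kms":
        errors.append(f"SSEAlgorithm must be kms, got {leaves['SSEAlgorithm']!r}")
    if not leaves.get("KMSMasterKeyID"):
        notes.append("no KMSMasterKeyID: the default master key will be used")
    elif leaves.get("ProjectID"):
        notes.append("custom key with ProjectID: in a non-default project "
                     "only the key owner can upload or download objects")
    return errors, notes

if __name__ == "__main__":
    body = build_config()  # constructed input: no key ID supplied
    print(body, check_config(body))
```

The notes are not failures: they surface the two behaviours from Table 1 that change who holds or can use the key, so they can be reviewed before the configuration is applied.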