vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/api-ref/obs_04_0106.html
zhangyue 7d2a7ec198 OBS API DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-11-05 16:37:11 +00:00

234 lines
18 KiB
HTML
Raw Permalink Blame History

<a name="obs_04_0106"></a><a name="obs_04_0106"></a>
<h1 class="topictitle1">SSE-KMS</h1>
<div id="body16036338"><div class="section" id="obs_04_0106__section372413345714"><h4 class="sectiontitle">Functions</h4><p id="obs_04_0106__p4369353574">With SSE-KMS, OBS uses the keys provided by Key Management Service (KMS) for server-side encryption. You can create custom keys on KMS to encrypt your objects. If you do not specify a key, OBS creates a default key the first time you upload an object to the bucket. Custom keys or default keys are used to encrypt and decrypt data encryption keys (DEKs).</p>
</div>
<div class="note" id="obs_04_0106__note1931016165353"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_04_0106__p2310616143516">When a custom KMS key in a non-default IAM project is used to encrypt objects, only the key owner can upload or download the encrypted objects.</p>
<p id="obs_04_0106__p54811949172617">When the default KMS key in a region is used to encrypt an object, this default key belongs to the object owner. Only the key owner (also the object owner) can upload or download this object.</p>
</div></div>
<div class="section" id="obs_04_0106__section1132124805718"><h4 class="sectiontitle">Newly Added Headers</h4><p id="obs_04_0106__p18132167195916">Two headers are added for SSE-KMS. You can configure the headers listed in <a href="#obs_04_0106__table173131815497">Table 1</a> to use SSE-KMS.</p>
</div>
<p id="obs_04_0106__p519816300425">You can also configure the default encryption for a bucket to encrypt objects you upload to the bucket. After default encryption is enabled for a bucket, any object upload request without encryption header included will inherit the bucket's encryption settings. For details, see <a href="obs_04_0062.html">Configuring Bucket Encryption</a>.</p>
<div class="tablenoborder"><a name="obs_04_0106__table173131815497"></a><a name="table173131815497"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_04_0106__table173131815497" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Headers used in SSE-KMS</caption><thead align="left"><tr id="obs_04_0106__row531918164910"><th align="left" class="cellrowborder" valign="top" width="35.36%" id="mcps1.3.5.2.4.1.1"><p id="obs_04_0106__p1231818124914"><strong id="obs_04_0106__b55957155619">Header</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.4%" id="mcps1.3.5.2.4.1.2"><p id="obs_04_0106__p202661227154913"><strong id="obs_04_0106__b1959515175611">Type</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="46.239999999999995%" id="mcps1.3.5.2.4.1.3"><p id="obs_04_0106__p18311189491">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_04_0106__row1333189493"><td class="cellrowborder" valign="top" width="35.36%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_04_0106__p1131118154913">x-obs-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" width="18.4%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_04_0106__p42669278493">String</p>
</td>
<td class="cellrowborder" valign="top" width="46.239999999999995%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_04_0106__p7134184955020"><strong id="obs_04_0106__b112951647783845">Explanation</strong>:</p>
<p id="obs_04_0106__p43151819496">Indicates that SSE-KMS is used for server-side encryption.</p>
<p id="obs_04_0106__p11315187494">Example: <strong id="obs_04_0106__b1945544762">x-obs-server-side-encryption:kms</strong></p>
<p id="obs_04_0106__p143311189369"><strong id="obs_04_0106__b1333101810365">Restrictions</strong>:</p>
<p id="obs_04_0106__p13332018103617">None</p>
<p id="obs_04_0106__p633111883619"><strong id="obs_04_0106__b1233718173611">Value range</strong>:</p>
<ul id="obs_04_0106__ul1477842216363"><li id="obs_04_0106__li1778132273614">kms</li><li id="obs_04_0106__li10778142214364">AES256</li></ul>
<p id="obs_04_0106__p17331118163611"><strong id="obs_04_0106__b133101817366">Default value</strong>:</p>
<p id="obs_04_0106__p933418153615">kms</p>
</td>
</tr>
<tr id="obs_04_0106__row7381804910"><td class="cellrowborder" valign="top" width="35.36%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_04_0106__p03161816496">x-obs-server-side-encryption-kms-key-id</p>
</td>
<td class="cellrowborder" valign="top" width="18.4%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_04_0106__p1426616279495">String</p>
</td>
<td class="cellrowborder" valign="top" width="46.239999999999995%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_04_0106__p15342554192512"><strong id="obs_04_0106__b112743984713">Explanation</strong>:</p>
<p id="obs_04_0106__p103422054142518">ID of a specified key used for SSE-KMS encryption.</p>
<p id="obs_04_0106__p4342185415257"><strong id="obs_04_0106__b1813193350">Restrictions</strong>:</p>
<p id="obs_04_0106__p6342125462513">This header can only be used when you specify <strong id="obs_04_0106__b14059036583657">kms</strong> for the <strong id="obs_04_0106__b13081973103657">x-obs-server-side-encryption</strong> header.</p>
<p id="obs_04_0106__p23421754102514"><strong id="obs_04_0106__b221978884">Default value</strong>:</p>
<p id="obs_04_0106__p93428548259">If you specify <strong id="obs_04_0106__b12396748403657">kms</strong> for encryption but do not specify a key ID, the default master key will be used. If there is not a default master key, OBS will create one and use it.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="obs_04_0106__section8313163616591"><h4 class="sectiontitle">APIs Where SSE-KMS Headers Apply</h4><p id="obs_04_0106__p137981337145919">You can configure headers about SSE-KMS in the APIs below:</p>
</div>
<ul id="obs_04_0106__ul1089312894017"><li id="obs_04_0106__li11893828124011"><a href="obs_04_0080.html">Uploading Objects - PUT</a></li><li id="obs_04_0106__li199153364018"><a href="obs_04_0081.html">Uploading Objects - POST</a>: <strong id="obs_04_0106__b17762122261613">x-obs-server-side-encryption</strong> and <strong id="obs_04_0106__b10762142271611">x-obs-server-side-encryption-kms-key-id</strong> need to be placed in the form instead of headers.</li><li id="obs_04_0106__li346584174016"><a href="obs_04_0082.html">Copying Objects</a> (The newly added headers apply to object copies.)</li><li id="obs_04_0106__li14715452407"><a href="obs_04_0098.html">Initiating a Multipart Upload</a></li></ul>
<p class="msonormal" id="obs_04_0106__p2485625">You can configure a bucket policy to restrict the request headers for a specified bucket. For example, if you require that object upload requests do not contain header <strong id="obs_04_0106__b391218137234">x-obs-server-side-encryption:"kms"</strong>, you can use the following bucket policy:</p>
<pre class="screen" id="obs_04_0106__screen94371953152811">{
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "PutObject",
"Resource": "YourBucket/*",
"Condition": {
"StringNotEquals": {
"x-obs-server-side-encryption": "kms"
}
}
}
]
}</pre>
<div class="section" id="obs_04_0106__section9676048111413"><h4 class="sectiontitle">Sample Request: Using the Default Key to Encrypt an Object</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen12170059121415"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/encryp1<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:21<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU=
x-obs-server-side-encryption:kms
Content-Length:<span class="w"> </span>5242
Expect:<span class="w"> </span>100-continue
[5242<span class="w"> </span>Byte<span class="w"> </span>object<span class="w"> </span>contents]
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section5769165793118"><h4 class="sectiontitle">Sample Response: Using the Default Key to Encrypt an Object</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen5984113413813"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>8DF400000163D45AA81D038B6AE4C482
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:21<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1066121573210"><h4 class="sectiontitle">Sample Request: Using a Custom Key to Encrypt an Object</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen7738192910337"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span>
<span class="normal">12</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/encryp1<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:50<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:f3/PWjkXYTYGs5lPOctTNEI2QENU=
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
Content-Length:<span class="w"> </span>5242
Expect:<span class="w"> </span>100-continue
[5242<span class="w"> </span>Byte<span class="w"> </span>object<span class="w"> </span>contents]
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section3936203519339"><h4 class="sectiontitle">Sample Response: Using a Custom Key to Encrypt an Object</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen2869549153312"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>8DF400000163D45AA81D038B6AE4C482
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
x-obs-id-2:<span class="w"> </span>32AAAUJAIAABAdiAEAABA09AEAABCTv7cHmAn12BAG83ibUsiET5eqlCqg
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:50<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1354925617332"><h4 class="sectiontitle">Sample Request: Using a Key to Encrypt an Object Copy</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen18745619263"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/destobject<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI=
x-obs-copy-source:<span class="w"> </span>/bucket/srcobject1
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1665573753412"><h4 class="sectiontitle">Sample Response: Using a Key to Encrypt an Object Copy</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen197111541289"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>BB78000001648480AF3900CED7F15155
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section9689143461811"><h4 class="sectiontitle">Sample Request: Uploading an Encrypted Object Using a Signed URL</h4><pre class="screen" id="obs_04_0106__screen769113410187">PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&amp;Expires=1534152518&amp;x-obs-server-side-encryption=kms&amp;Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.<em id="obs_04_0106__i1637281810296">region</em>.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:10:29 GMT</pre>
</div>
<div class="section" id="obs_04_0106__section1970120340184"><h4 class="sectiontitle">Sample Response: Uploading an Encrypted Object Using a Signed URL</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen0701123413180"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>BB78000001648480AF3900CED7F15155
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_04_0104.html">Server-Side Encryption</a></div>
</div>
</div>
View Git Blame Copy Permalink