doc-exports/docs/obs/api-ref/obs_04_0062.html
Jawei, Li f1cb839979 OBS api-ref 2.0.38.SP5
Reviewed-by: gtema <artem.goncharov@gmail.com>
Co-authored-by: Jawei, Li <lijiawei5@huawei.com>
Co-committed-by: Jawei, Li <lijiawei5@huawei.com>
2022-11-03 11:54:51 +00:00

Configuring Bucket Encryption

Functions

OBS uses the PUT method to create or update the default server-side encryption for a bucket.

After encryption is enabled for a bucket, objects uploaded to the bucket are encrypted with the encryption configuration of the bucket. Currently, only server-side encryption using keys hosted by KMS (SSE-KMS) is supported. For details about SSE-KMS, see Server-Side Encryption (SSE-KMS).

To perform this operation, you must have the permission to configure encryption for the bucket. By default, the bucket owner has this permission and can assign this permission to other users.

Request Syntax

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.example.com
Accept: */*
Date: date 
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
            <ProjectID>projectid</ProjectID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Request Parameters

This request contains no parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

The request body must carry the bucket encryption configuration in XML format. Table 1 lists the configuration elements.

Table 1 Configuration elements of bucket encryption

| Element | Description | Mandatory |
| --- | --- | --- |
| ServerSideEncryptionConfiguration | Root element of the default encryption configuration of a bucket. Type: element. Ancestor: none. Children: Rule | Yes |
| Rule | Sub-element of the default encryption configuration of a bucket. Type: element. Ancestor: ServerSideEncryptionConfiguration. Children: ApplyServerSideEncryptionByDefault | Yes |
| ApplyServerSideEncryptionByDefault | Sub-element of the default encryption configuration of a bucket. Type: element. Ancestor: Rule. Children: SSEAlgorithm, KMSMasterKeyID | Yes |
| SSEAlgorithm | Server-side encryption algorithm used for the default encryption configuration of a bucket. Type: string. Valid values: kms. Ancestor: ApplyServerSideEncryptionByDefault | Yes |
| KMSMasterKeyID | Customer master key (CMK) used in SSE-KMS encryption mode. If you do not specify this element, the default master key will be used. Type: string. Valid value formats: (1) regionID:domainID (account ID):key/key_id; (2) key_id. In these formats, regionID indicates the ID of the region where the key resides; domainID indicates the ID of the account to which the key belongs (for details about how to obtain the domain ID, see Obtaining the Domain ID and User ID); key_id indicates the ID of the key created in KMS. Ancestor: ApplyServerSideEncryptionByDefault | No |
| ProjectID | ID of the project to which the KMS master key belongs in the SSE-KMS mode. Type: string. Valid values: (1) the project ID that matches KMSMasterKeyID; (2) if KMSMasterKeyID is not specified, do not set the project ID. Ancestor: ApplyServerSideEncryptionByDefault | No |
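The following is an added example, not OBS or SDK code: it builds the request body from the elements in Table 1 and checks an existing body against the table's rules before the request is sent. The function names are hypothetical, and the KMSMasterKeyID check is structural only, because the page does not define the character set of key_id.

```python
import xml.etree.ElementTree as ET

def build_encryption_body(kms_key_id=None, project_id=None):
    """Build the PUT /?encryption body from the elements listed in Table 1."""
    if project_id and not kms_key_id:
        raise ValueError("ProjectID must not be set without KMSMasterKeyID")
    root = ET.Element("ServerSideEncryptionConfiguration")
    default = ET.SubElement(ET.SubElement(root, "Rule"),
                            "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = "kms"
    if kms_key_id:
        ET.SubElement(default, "KMSMasterKeyID").text = kms_key_id
    if project_id:
        ET.SubElement(default, "ProjectID").text = project_id
    return ET.tostring(root, encoding="unicode")

def _local(tag):
    # Drop an optional "{namespace}" prefix, as used in the sample request.
    return tag.rsplit("}", 1)[-1]

def check_encryption_body(xml_text):
    """Return a list of Table 1 violations; an empty list means the body conforms."""
    problems = []
    root = ET.fromstring(xml_text)  # intended for locally authored config, not untrusted XML
    if _local(root.tag) != "ServerSideEncryptionConfiguration":
        return ["root element must be ServerSideEncryptionConfiguration"]
    rule = next((c for c in root if _local(c.tag) == "Rule"), None)
    default = None if rule is None else next(
        (c for c in rule if _local(c.tag) == "ApplyServerSideEncryptionByDefault"), None)
    if default is None:
        return ["Rule/ApplyServerSideEncryptionByDefault is mandatory"]
    fields = {_local(c.tag): (c.text or "").strip() for c in default}
    if fields.get("SSEAlgorithm") != "kms":
        problems.append("SSEAlgorithm is mandatory and must be 'kms'")
    key = fields.get("KMSMasterKeyID")
    if key is None:
        # Without a key ID the default master key is used; ProjectID must be absent.
        if "ProjectID" in fields:
            problems.append("ProjectID set without KMSMasterKeyID")
    else:
        parts = key.split(":")
        # Structural check only: bare key_id, or regionID:domainID:key/key_id.
        full = (len(parts) == 3 and all(parts)
                and parts[2].startswith("key/") and len(parts[2]) > 4)
        if not (full or (len(parts) == 1 and key)):
            problems.append("KMSMasterKeyID has an unrecognized format")
    return problems
```

Running the check in a deployment pipeline catches a body that would silently fall back to the default master key or pair a project ID with no key.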

Response Syntax

HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

The response to the request uses common headers. For details, see Table 1.

Response Elements

This response contains no element.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date:  Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<ServerSideEncryptionConfiguration xmlns="http://obs.region.example.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0