vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/api-ref/obs_04_0062.html
zhangyue f61b26432c OBS API DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-07-25 08:23:43 +00:00

16 KiB
Raw Blame History

Configuring Bucket Encryption

Functions

OBS uses the PUT method to create or update the default server-side encryption for a bucket.

After encryption is enabled for a bucket, objects uploaded to the bucket are encrypted with the encryption configuration the bucket. Currently, it only supports the server-side encryption using keys hosted by KMS (SSE-KMS). For details about SSE-KMS, see Server-Side Encryption (SSE-KMS).

To perform this operation, you must have the permission to configure encryption for the bucket. By default, the bucket owner has this permission and can assign this permission to other users.

Request Syntax

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
PUT /?encryption  HTTP/1.1
User-Agent: curl/7.29.0
Host: bucketname.obs.region.example.com
Accept: */*
Date: date 
Authorization: authorization string
Content-Length: length

<ServerSideEncryptionConfiguration>
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID>
            <ProjectID>projectid</ProjectID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Request parameters

This request contains no message parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

In this request, you need to carry the bucket encryption configuration in the request body. The bucket encryption configuration information is uploaded in the XML format. Table 1 lists the configuration elements.

Table 1 Configuration elements of bucket encryption

Header

Description

Mandatory

ServerSideEncryptionConfiguration

Root element of the default encryption configuration of a bucket.

Type: container

Ancestor: none

Children: Rule

Yes

Rule

Sub-element of the default encryption configuration of a bucket.

Type: container

Ancestor: ServerSideEncryptionConfiguration

Children: ApplyServerSideEncryptionByDefault

Yes

ApplyServerSideEncryptionByDefault

Sub-element of the default encryption configuration of a bucket.

Type: container

Ancestor: Rule

Children: SSEAlgorithm, KMSMasterKeyID

Yes

SSEAlgorithm

Server-side encryption algorithm used for the default encryption configuration of a bucket.

Type: string

Value options: kms

Ancestor: ApplyServerSideEncryptionByDefault

Yes

KMSMasterKeyID

Customer master key (CMK) used in SSE-KMS encryption mode. If you do not specify this header, the default master key will be used.

Type: string

Valid value formats are as follows:

  1. regionID:domainID (account ID):key/key_id
  2. key_id

In the preceding formats:

  • regionID indicates the ID of the region where the key resides.
  • domainID indicates the ID of the domain to which the key belongs. For details, see Obtaining the Domain ID and User ID.
  • key_id indicates the ID of the key created inKMS.

Ancestor: ApplyServerSideEncryptionByDefault

No

ProjectID

ID of the project to which the KMS master key belongs in the SSE-KMS mode.

Type: string

Value options:

  1. Project ID that matches KMSMasterKeyID.
  2. If KMSMasterKeyID is not specified, do not set the project ID.

Ancestor: ApplyServerSideEncryptionByDefault

No

Response Syntax

1
2
3
HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

The response to the request uses common headers. For details, see Table 1.

Response Elements

This response contains no element.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
PUT /?encryption HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date:  Thu, 21 Feb 2019 03:05:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI=
Content-Length: 778

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<ServerSideEncryptionConfiguration xmlns="http://obs.region.example.com/doc/2015-06-30/">
    <Rule>
        <ApplyServerSideEncryptionByDefault>
            <SSEAlgorithm>kms</SSEAlgorithm>
            <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID>
        </ApplyServerSideEncryptionByDefault>
    </Rule>
</ServerSideEncryptionConfiguration>

Sample Response

1
2
3
4
5
6
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643670AC06E7B9A7767921
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm
Date: Thu, 21 Feb 2019 03:05:34 GMT
Content-Length: 0
Parent topic: Advanced Bucket Settings