youjiageng1/doc-exports
1
0
Fork 0
forked from laiweijian4/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/api-ref/obs_04_0106.html
zhangyue d84e24d182 OBS API doc 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-03-03 09:35:22 +00:00

228 lines
17 KiB
HTML
Raw Blame History

<a name="obs_04_0106"></a><a name="obs_04_0106"></a>
<h1 class="topictitle1">Server-Side Encryption (SSE-KMS)</h1>
<div id="body16036338"><p class="msonormal" id="obs_04_0106__p13000739">In the SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. When an object encrypted using SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. The SSE-KMS mode does not support the keys created by customers. The bucket ACL and policy do not allow cross-tenant authorized access to objects encrypted using SSE-KMS.</p>
<p class="msonormal" id="obs_04_0106__p49897791">Two headers are added to support SSE-KMS in SSE-KMS mode. </p>
<p id="obs_04_0106__p519816300425">You can also configure the default encryption method for a bucket to encrypt objects in the bucket. When default encryption is enabled for a bucket, any request for uploading objects without specified encryption header will trigger the default bucket encryption for the objects uploaded. For more information about bucket encryption configuration, see <a href="obs_04_0062.html">Configuring Bucket Encryption</a>.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_04_0106__table1716921114398" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Header fields used in SSE-KMS mode</caption><thead align="left"><tr id="obs_04_0106__row17170311133917"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.4.2.3.1.1"><p id="obs_04_0106__p17170131112393">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.4.2.3.1.2"><p id="obs_04_0106__p5170161123920">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_04_0106__row21701119392"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.4.2.3.1.1 "><p id="obs_04_0106__p10565331133917">x-obs-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.4.2.3.1.2 "><p id="obs_04_0106__p11565431143913">Indicates that SSE-KMS is used. Objects are encrypted using SSE-KMS. </p>
<p id="obs_04_0106__p8363154416375">Type: string</p>
<p id="obs_04_0106__p12566173111399">Example: <strong id="obs_04_0106__b88315133421">x-obs-server-side-encryption:kms</strong></p>
</td>
</tr>
<tr id="obs_04_0106__row11701119396"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.4.2.3.1.1 "><p id="obs_04_0106__p125672313392">x-obs-server-side-encryption-kms-key-id</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.4.2.3.1.2 "><p id="obs_04_0106__p456853193912">Indicates the master key ID of an encrypted object. This header is used in SSE-KMS mode. If the customer does not provide the master key ID, the default master key ID will be used. </p>
<p id="obs_04_0106__p12882047173716">Type: string</p>
<p id="obs_04_0106__p6679135313114">The following two formats are supported:</p>
<p id="obs_04_0106__p73846412422">1. <em id="obs_04_0106__i127881153551">regionID</em><strong id="obs_04_0106__b879425318512">:</strong><em id="obs_04_0106__i679417531251">domainID</em><strong id="obs_04_0106__b14794153355">:key/</strong><em id="obs_04_0106__i11794553452">key_id</em></p>
<p id="obs_04_0106__p090816596123">2. <em id="obs_04_0106__i1154013217917">key_id</em></p>
<p id="obs_04_0106__p558627121315"><strong id="obs_04_0106__b13592102615307">regionID</strong> is the ID of the region to which the key belongs. <strong id="obs_04_0106__b55975266303">domainID</strong> is the account ID of the tenant to which the key belongs. <strong id="obs_04_0106__b6597182623014">key_id</strong> is the key ID created inKMS.</p>
<p id="obs_04_0106__p17830152818144">Example:</p>
<p id="obs_04_0106__p132071653307">1. x-obs-server-side-encryption-kms-key-id:<em id="obs_04_0106__i20391163365816">region</em>:domainiddomainiddomainiddoma0001:key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0</p>
<p id="obs_04_0106__p6207145314012">2. x-obs-server-side-encryption-kms-key-id:4f1cd4de-ab64-4807-920a-47fc42e7f0d0</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_04_0106__p892114109406">API operations to which the newly added headers apply:</p>
<ul id="obs_04_0106__ul1089312894017"><li id="obs_04_0106__li11893828124011">PUT operation for uploading objects</li><li id="obs_04_0106__li199153364018">POST operation for uploading objects (<strong id="obs_04_0106__b07671745717">x-obs-server-side-encryption</strong> and <strong id="obs_04_0106__b28216174571">x-obs-server-side-encryption-kms-key-id</strong> need to be placed in the form instead of the header)</li><li id="obs_04_0106__li346584174016">PutObject-Copy (the newly added headers apply to target objects)</li><li id="obs_04_0106__li14715452407">API operations for initiating a multipart upload task</li></ul>
<p class="msonormal" id="obs_04_0106__p2485625">OBS supports bucket policies. You can use a bucket policy to implement server-side encryption on all the objects stored in a bucket. For example, a tenant's object upload request does not contain the header <strong id="obs_04_0106__b842352706101748">x-obs-server-side-encryption:"kms"</strong> for server-side encryption (SSE-KMS), the following bucket policy will reject the upload request.</p>
<pre class="screen" id="obs_04_0106__screen113981164110">{
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":"*",
"Action":"PutObject",
"Resource":"YourBucket/*",
"Condition":{
"StringNotEquals":{
"x-obs-server-side-encryption":"kms"
}
}
}
}</pre>
<div class="section" id="obs_04_0106__section9676048111413"><h4 class="sectiontitle">Sample Request 1</h4><p id="obs_04_0106__p174616015512"><strong id="obs_04_0106__b127822074312">Use the default key to encrypt the uploaded object</strong>.</p>
<div class="codecoloring" codetype="Xml" id="obs_04_0106__screen12170059121415"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/encryp1<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:21<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:f3/7eS6MFbW3JO4+7I5AtyAQENU=
x-obs-server-side-encryption:kms
Content-Length:<span class="w"> </span>5242
Expect:<span class="w"> </span>100-continue
[5242<span class="w"> </span>Byte<span class="w"> </span>object<span class="w"> </span>contents]
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section5769165793118"><h4 class="sectiontitle">Sample Response 1</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen5984113413813"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>8DF400000163D45AA81D038B6AE4C482
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTv7cHmAnGfBAGXUHeibUsiETTNqlCqC
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:21<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1066121573210"><h4 class="sectiontitle">Sample Request 2</h4><p id="obs_04_0106__p76621220183219"><strong id="obs_04_0106__b152213487438">Use a specified key to encrypt the uploaded object</strong>.</p>
</div>
<div class="codecoloring" codetype="Xml" id="obs_04_0106__screen7738192910337"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span>
<span class="normal">12</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/encryp1<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:50<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:f3/PWjkXYTYGs5lPOctTNEI2QENU=
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
Content-Length:<span class="w"> </span>5242
Expect:<span class="w"> </span>100-continue
[5242<span class="w"> </span>Byte<span class="w"> </span>object<span class="w"> </span>contents]
</pre></div></td></tr></table></div>
</div>
<div class="section" id="obs_04_0106__section3936203519339"><h4 class="sectiontitle">Sample Response 2</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen2869549153312"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>8DF400000163D45AA81D038B6AE4C482
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-43a7-a7d1-ab21f498482d
x-obs-id-2:<span class="w"> </span>32AAAUJAIAABAdiAEAABA09AEAABCTv7cHmAn12BAG83ibUsiET5eqlCqg
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:08:50<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1354925617332"><h4 class="sectiontitle">Sample Request 3</h4><p id="obs_04_0106__p77811115349"><strong id="obs_04_0106__b18397122153320">Copy a common object and save it as an encrypted object by encrypting it using a specified key.</strong></p>
<div class="codecoloring" codetype="Xml" id="obs_04_0106__screen18745619263"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>PUT<span class="w"> </span>/destobject<span class="w"> </span>HTTP/1.1
User-Agent:<span class="w"> </span>curl/7.29.0
Host:<span class="w"> </span>examplebucket.obs.region.example.com
x-obs-server-side-encryption:kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
Accept:<span class="w"> </span>*/*
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Authorization:<span class="w"> </span>OBS<span class="w"> </span>H4IPJX0TQTHTHEBQQCEC:SH3uTrElaGWarVI1uTq325kTVCI=
x-obs-copy-source:<span class="w"> </span>/bucket/srcobject1
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section1665573753412"><h4 class="sectiontitle">Sample Response 3</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen197111541289"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>BB78000001648480AF3900CED7F15155
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
<div class="section" id="obs_04_0106__section9689143461811"><h4 class="sectiontitle">Sample Request 4</h4><p id="obs_04_0106__p1519105818399"><strong id="obs_04_0106__b158479716339">Carry the signature in the URL and upload the encrypted object.</strong></p>
<pre class="screen" id="obs_04_0106__screen769113410187">PUT /destobject?AccessKeyId=UI3SN1SRUQE14OYBKTZB&amp;Expires=1534152518&amp;x-obs-server-side-encryption=kms&amp;Signature=chvmG7%2FDA%2FDCQmTRJu3xngldJpg%3D HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.<em id="obs_04_0106__i1637281810296">region</em>.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:10:29 GMT</pre>
</div>
<div class="section" id="obs_04_0106__section1970120340184"><h4 class="sectiontitle">Sample Response 4</h4><div class="codecoloring" codetype="Xml" id="obs_04_0106__screen0701123413180"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span>
<span class="normal">4</span>
<span class="normal">5</span>
<span class="normal">6</span>
<span class="normal">7</span>
<span class="normal">8</span>
<span class="normal">9</span></pre></div></td><td class="code"><div><pre><span></span>HTTP/1.1<span class="w"> </span>200<span class="w"> </span>OK
Server:<span class="w"> </span>OBS
x-obs-request-id:<span class="w"> </span>BB78000001648480AF3900CED7F15155
ETag:<span class="w"> </span>&quot;d8bffdfbab5345d91ac05141789d2477&quot;
x-obs-server-side-encryption:<span class="w"> </span>kms
x-obs-server-side-encryption-kms-key-id:<span class="w"> </span>region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2:<span class="w"> </span>oRAXhgwdaLc9wKVHqTLSmQB7I35D+32AAAUJAIAABAAAQAAEAABAAAQAAEAABCS
Date:<span class="w"> </span>Wed,<span class="w"> </span>06<span class="w"> </span>Jun<span class="w"> </span>2018<span class="w"> </span>09:10:29<span class="w"> </span>GMT
Content-Length:<span class="w"> </span>0
</pre></div></td></tr></table></div>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_04_0104.html">Server-Side Encryption</a></div>
</div>
</div>
View Git Blame Copy Permalink