SSE-C
Functions
When SSE-C is used, OBS uses the keys and MD5 values provided by customers for server-side encryption.
Newly Added Headers
OBS does not store your encryption keys. If you lose them, you lose the objects. Six headers are added to support SSE-C.
The following table lists headers that are required when you use SSE-C to encrypt objects.
Element | Description |
---|---|
x-obs-server-side-encryption-customer-algorithm | Indicates the encryption algorithm for the object when SSE-C is used. Example: x-obs-server-side-encryption-customer-algorithm: AES256 |
x-obs-server-side-encryption-customer-key | Indicates the key for encrypting objects when SSE-C is used. Its value is a Base64-encoded 256-bit key. Example: x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= |
x-obs-server-side-encryption-customer-key-MD5 | Indicates the MD5 value of the key for encrypting objects when SSE-C is used. Its value is a Base64-encoded MD5 hash. The MD5 value is used to check whether any error occurs during the transmission of the key. Example: x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== |
APIs where the newly added headers apply:
- Uploading an Object - PUT
- Uploading an Object - POST
- Copying an Object: The newly added headers apply to the object copy.
- Querying Object Metadata
- Downloading an Object
- Initiating a Multipart Upload
- Uploading Parts
- Copying Parts: The newly added headers apply to target parts.
The following table lists three headers that are added for CopyObject and UploadPart-Copy operations to support source objects encrypted using SSE-C.
Element | Description |
---|---|
x-obs-copy-source-server-side-encryption-customer-algorithm | Indicates the algorithm for decrypting the source object when SSE-C is used. Example: x-obs-copy-source-server-side-encryption-customer-algorithm: AES256 |
x-obs-copy-source-server-side-encryption-customer-key | Indicates the key for decrypting the source object when SSE-C is used. Example: x-obs-copy-source-server-side-encryption-customer-key: K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw= |
x-obs-copy-source-server-side-encryption-customer-key-MD5 | Indicates the MD5 value of the key for decrypting the source object when SSE-C is used. The MD5 value is used to check whether any error occurs during the transmission of the key. Example: x-obs-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ== |
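The header values described in the two tables above can be generated and checked on the client before a request is sent. The following is an added example, not code from OBS or its SDK; the function names are hypothetical, and it assumes the key-MD5 value is the Base64-encoded MD5 digest of the raw 32-byte key (the page says only "MD5 value of the key").

```python
import base64
import hashlib
import secrets

PREFIX = "x-obs-server-side-encryption-customer-"
COPY_SOURCE_PREFIX = "x-obs-copy-source-server-side-encryption-customer-"


def sse_c_headers(key: bytes, copy_source: bool = False) -> dict:
    """Build the three SSE-C headers (or their copy-source variants) for a raw key."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 256 bits (32 bytes)")
    prefix = COPY_SOURCE_PREFIX if copy_source else PREFIX
    md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode("ascii"),
        # Assumption: the digest covers the raw key bytes, not the Base64 text.
        prefix + "key-MD5": md5_b64,
    }


def check_sse_c_headers(headers: dict, copy_source: bool = False) -> list:
    """Return a list of problems found in an SSE-C header set (empty if none)."""
    prefix = COPY_SOURCE_PREFIX if copy_source else PREFIX
    problems = []
    if headers.get(prefix + "algorithm") != "AES256":
        problems.append("algorithm must be AES256")
    try:
        key = base64.b64decode(headers.get(prefix + "key", ""), validate=True)
    except ValueError:
        return problems + ["key is not valid Base64"]
    if len(key) != 32:
        problems.append("key is %d bytes, expected 32" % len(key))
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if headers.get(prefix + "key-MD5") != expected:
        problems.append("key-MD5 does not match the key")
    return problems


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key from the OS CSPRNG
    for name, value in sse_c_headers(key).items():
        # Print only non-secret values; the key itself belongs in a secret store.
        print(name, "<redacted>" if name.endswith("-key") else value)
```

Because OBS does not store the key, persist it in your own key store before the first upload; the same key must be presented again on every download or copy of the object.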
Sample Request: Uploading an Object Encrypted with SSE-C
```
PUT /encryp2 HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:12:00 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0=
x-obs-server-side-encryption-customer-algorithm:AES256
x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
Content-Length: 5242

[5242 Byte object contents]
```
Sample Response: Uploading an Object Encrypted with SSE-C
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D45E0017055619BD02B8
ETag: "0f91242c7f3d86f98ae572a686d0696e"
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCSSAJ8bTNJV0X+Ote1PtuWecqyMh6zBJ
Date: Wed, 06 Jun 2018 09:12:00 GMT
Content-Length: 0
```
Sample Request: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
```
PUT /kmsobject HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: Wed, 06 Jun 2018 09:20:10 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mZSfafoM+llApk0HGOThlqeccu0=
x-obs-copy-source-server-side-encryption-customer-algorithm:AES256
x-obs-copy-source-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-copy-source-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-server-side-encryption: kms
x-obs-copy-source: /examplebucket/encryp2
Content-Length: 5242

[5242 Byte object contents]
```
Sample Response: Copying an SSE-C Encrypted Object and Saving It as a KMS Encrypted Object
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BB7800000164848E0FC70528B9D92C41
ETag: "1072e1b96b47d7ec859710068aa70d57"
x-obs-server-side-encryption: kms
x-obs-server-side-encryption-kms-key-id: region:783fc6652cf246c096ea836694f71855:key/522d6070-5ad3-4765-9737-9312ddc72cdb
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTkkRzQXs9ECzZcavVRncBqqYNkoAEsr
Date: Wed, 06 Jun 2018 09:20:10 GMT
Content-Length: 0
```
Sample Request: Uploading an SSE-C Encrypted Object Using a Signed URL
```
PUT /encrypobject?AccessKeyId=H4IPJX0TQTHTHEBQQCEC&Expires=1532688887&Signature=EQmDuOhaLUrzrzRNZxwS72CXeXM%3D HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key:K7QkYpBkM5+hca27fsNkUnNVaobncnLht/rCB2o/9Cw=
x-obs-server-side-encryption-customer-key-MD5:4XvB3tbNTN+tIEVa0/fGaQ==
Content-Length: 5242
Expect: 100-continue

[5242 Byte object contents]
```
Sample Response: Uploading an SSE-C Encrypted Object Using a Signed URL
```
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 804F00000164DB5E5B7FB908D3BA8E00
ETag: "1072e1b96b47d7ec859710068aa70d57"
x-obs-server-side-encryption-customer-algorithm: AES256
x-obs-server-side-encryption-customer-key-MD5: 4XvB3tbNTN+tIEVa0/fGaQ==
x-obs-id-2: 32AAAUJAIAABAAAQAAEAABAAAQAAEAABCTlpxILjhVK/heKOWIP8Wn2IWmQoerfw
Content-Length: 0
```