Encryption related

Last updated: 2021-06-15 20:56:34

KS3 server-side encryption guide


1. Overview

Server-side encryption is the encryption of data at rest. KS3 encrypts your data at the object level when it writes the data to disks in a data center, and decrypts the data for you when you access it. As long as your request is authenticated and you have access permission, you access encrypted and unencrypted data in the same way. For example, if you use a presigned URL to share your objects, the URL works in the same way for encrypted and unencrypted objects.

2. Encryption methods

KS3 provides two management methods for encryption keys:

  • The first method is server-side encryption with KS3 managed keys (SSE-S3). This method employs multi-factor strong encryption to encrypt each object with a unique key. For additional protection, it encrypts that key with a periodically rotated master key. KS3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt your data.

  • The other method is server-side encryption with customer-provided encryption keys (SSE-C). With this method, you manage encryption and decryption, encryption keys, and relevant tools.

3. API operations

3.1 Use SSE-S3

PUT operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If a request contains this header, the server encrypts data. Valid value: AES256. |

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| x-kss-server-side-encryption | This error is returned if the value of the x-kss-server-side-encryption header is not AES256. |

POST operations

Entries

The following entry is required for enabling default encryption.

| Entry | Description |
| --- | --- |
| x-kss-server-side-encryption | The used encryption algorithm. This entry is required if server-side encryption is used for storing an object. AES256 is supported. Type: String |

Errors

| Type | Description |
| --- | --- |
| Invalid encryption type | This error is returned if the value of the x-kss-server-side-encryption entry is not AES256. |

Initiate Multipart Upload operation

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If a request contains this header, the server generates an encryption key and uses the encryption key to encrypt data during multipart uploads. Valid value: AES256. |

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid encryption type | This error is returned if the value of the x-kss-server-side-encryption header is not AES256. |

Upload Part operations

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If data is encrypted by using SSE-S3, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid parameter | If the x-kss-server-side-encryption request header is provided, a 400 error is returned, indicating that the parameter is invalid. |

Complete Multipart Upload operation

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If data is encrypted by using SSE-S3, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid parameter | If the x-kss-server-side-encryption request header is provided, a 400 error is returned, indicating that the parameter is invalid. |

COPY operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | Valid value: AES256 |
| x-kss-copy-source-server-side-encryption-customer-algorithm | This request header is required if the copied object is encrypted by using SSE-C. |
| x-kss-copy-source-server-side-encryption-customer-key | This request header is required if the copied object is encrypted by using SSE-C. |
| x-kss-copy-source-server-side-encryption-customer-key-MD5 | This request header is required if the copied object is encrypted by using SSE-C. |

Note: The x-kss-copy-source-server-side-encryption-customer-algorithm, x-kss-copy-source-server-side-encryption-customer-key, and x-kss-copy-source-server-side-encryption-customer-key-MD5 headers must all be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid encryption type | This error is returned if the value of the x-kss-server-side-encryption header is not AES256. |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-copy-source-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-copy-source-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-copy-source-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the following three request headers are not all included in the request: x-kss-copy-source-server-side-encryption-customer-algorithm, x-kss-copy-source-server-side-encryption-customer-key, and x-kss-copy-source-server-side-encryption-customer-key-MD5. |

GET operations

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If data is encrypted by using SSE-S3, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid parameter | If the x-kss-server-side-encryption request header is provided, a 400 error is returned, indicating that the parameter is invalid. |

HEAD operations

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption | If data is encrypted by using SSE-S3, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid parameter | If the x-kss-server-side-encryption request header is provided, a 400 error is returned, indicating that the parameter is invalid. |

3.2 Use SSE-C

PUT operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |

POST operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |

Initiate Multipart Upload operation

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |

Upload Part operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |
| Missing key | This 400 error is returned if you use SSE-C for data encryption but do not provide the key in the request. |
| Inconsistent MD5 value | This 400 error is returned if the MD5 value of the key provided for data access is different from that of the key provided for data storage. |

Complete Multipart Upload operation

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Invalid parameter | This 400 error is returned if the request includes the key provided by you in a request header; this operation does not accept the key. |

COPY operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |
| x-kss-copy-source-server-side-encryption-customer-algorithm | This request header is required if the copied object is encrypted by using SSE-C. |
| x-kss-copy-source-server-side-encryption-customer-key | This request header is required if the copied object is encrypted by using SSE-C. |
| x-kss-copy-source-server-side-encryption-customer-key-MD5 | This request header is required if the copied object is encrypted by using SSE-C. |

Note: The three request headers that start with x-kss-server, and likewise the three that start with x-kss-copy-source, must all be included in the request together.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If a request contains this header, the response also contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If a request contains this header, the response also contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 or x-kss-copy-source-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key or x-kss-copy-source-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm or x-kss-copy-source-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |
| Missing key | This 400 error is returned if you use SSE-C for data encryption but do not provide the key in the request. |
| Inconsistent MD5 value | This 400 error is returned if the MD5 value of the key provided for data access is different from that of the key provided for data storage. |

GET operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If request data is encrypted by using SSE-C, the response contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If request data is encrypted by using SSE-C, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |
| Missing key | This 400 error is returned if you use SSE-C for data encryption but do not provide the key in the request. |
| Inconsistent MD5 value | This 400 error is returned if the MD5 value of the key provided for data access is different from that of the key provided for data storage. |

HEAD operations

Request headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | The encryption algorithm provided by you. Valid value: AES256. |
| x-kss-server-side-encryption-customer-key | The encryption key provided by you. |
| x-kss-server-side-encryption-customer-key-MD5 | The 128-bit MD5 value of the Base64-encoded key provided by you. |

Note: All three request headers must be included in the request.

Response headers

| Header | Description |
| --- | --- |
| x-kss-server-side-encryption-customer-algorithm | If request data is encrypted by using SSE-C, the response contains this header. |
| x-kss-server-side-encryption-customer-key-MD5 | If request data is encrypted by using SSE-C, the response contains this header. |

Errors

| Type | Description |
| --- | --- |
| Incorrect MD5 value | This 400 error is returned if the value of x-kss-server-side-encryption-customer-key-MD5 is different from the MD5 value of x-kss-server-side-encryption-customer-key. |
| Invalid encryption algorithm | This 400 error is returned if the value of x-kss-server-side-encryption-customer-algorithm is not AES256. |
| Invalid parameter | This 400 error is returned if the three request headers are not all included in the request. |
| Missing key | This 400 error is returned if you use SSE-C for data encryption but do not provide the key in the request. |
| Inconsistent MD5 value | This 400 error is returned if the MD5 value of the key provided for data access is different from that of the key provided for data storage. |
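
The SSE-C header set and the 400 errors listed in section 3.2, as an added example (not KS3 or SDK code): a builder for the three request headers and a local pre-flight check that names the documented error a request would trigger. Assumptions: S3-style encoding (key header is Base64 of the raw 32-byte key, MD5 header is Base64 of the MD5 digest of the raw key), the order in which errors are checked, and the hypothetical stored_key_md5 parameter standing in for the key MD5 recorded when the object was stored.

```python
import base64
import hashlib
import os

ALGO = "x-kss-server-side-encryption-customer-algorithm"
KEY = "x-kss-server-side-encryption-customer-key"
KEY_MD5 = "x-kss-server-side-encryption-customer-key-MD5"


def _md5_b64(raw_key: bytes) -> str:
    return base64.b64encode(hashlib.md5(raw_key).digest()).decode("ascii")


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C request headers for a raw 256-bit key."""
    if len(raw_key) != 32:
        raise ValueError("AES256 requires a 32-byte key")
    # Assumption (S3-style, not spelled out on the page): the key header is
    # Base64(raw key); the MD5 header is Base64(MD5 digest of the raw key).
    return {
        ALGO: "AES256",
        KEY: base64.b64encode(raw_key).decode("ascii"),
        KEY_MD5: _md5_b64(raw_key),
    }


def check_sse_c(headers: dict, stored_key_md5: str = None) -> str:
    """Name the documented 400 error a request would trigger, else 'ok'.

    stored_key_md5 is the key MD5 recorded when the object was written
    (hypothetical parameter; pass it for GET/HEAD/Upload Part checks).
    """
    present = [h for h in (ALGO, KEY, KEY_MD5) if h in headers]
    if not present:
        return "Missing key" if stored_key_md5 else "ok"
    if len(present) != 3:
        return "Invalid parameter"
    if headers[ALGO] != "AES256":
        return "Invalid encryption algorithm"
    # Malformed Base64 is a local bug, so let the exception propagate.
    raw_key = base64.b64decode(headers[KEY], validate=True)
    if headers[KEY_MD5] != _md5_b64(raw_key):
        return "Incorrect MD5 value"
    if stored_key_md5 and headers[KEY_MD5] != stored_key_md5:
        return "Inconsistent MD5 value"
    return "ok"


if __name__ == "__main__":
    demo = sse_c_headers(os.urandom(32))  # constructed sample key
    print(check_sse_c(demo), check_sse_c({}, stored_key_md5=demo[KEY_MD5]))
```

Because the key MD5 is echoed in responses, it can be logged and compared across writes and reads without handling the key itself.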