Step 2: Creating a Key. With KMS, you can create keys and use them to encrypt files to be uploaded to the OBS server. Step 3: Uploading Files to an OBS Bucket. Upload files to the OBS bucket and use the KMS key to encrypt the files.
Figure 4: Encrypting data in OBS. OBS uses the encryption key provided by KMS. You can select any of the following keys: Default key obs/default. If you do not have a default key, OBS automatically creates one when you upload an object for the first time.
Table 1 Default master keys
Alias | Cloud Service
obs/default | Object Storage Service (OBS)
evs/default | Elastic Volume Service (EVS)
ims/default | Image Management Service (IMS)
vbs/default | Volume Backup Service (VBS)
sfs/default | Scalable File Service (SFS)
kps/default | Key Pair Service
Solution To access KMS through the cloud service console (for example, for OBS encryption purposes), allow access from network segments 10.0.0.0/8, 11.0.0.0/8, and 26.0.0.0/8. To call KMS via API, allow access from the source IP addresses.
OBS supports the server-side encryption with KMS-managed keys (SSE-KMS). In this mode, OBS uses the keys provided by KMS for server-side encryption.
Advantages Extensive Service Integration By integrating with OBS, EVS, and IMS, you can use KMS to manage the keys of the services or use KMS APIs to encrypt and decrypt local data.
Encryption in OBS When you enable server-side encryption in Object Storage Service (OBS): An object uploaded to OBS is encrypted on the server before being stored. When the object is downloaded, data is decrypted on the server first.
Using KMS to Encrypt and Decrypt Data for Cloud Services Overview Encrypting Data in ECS Encrypting Data in EVS Encrypting Data in IMS Encrypting Data in OBS Encrypting an RDS DB Instance Encrypting a DDS DB Instance Parent topic: Key Management Service
To store operation records for longer than seven days, configure transfer to OBS or Log Tank Service (LTS) so that you can view them in OBS buckets or LTS log groups.
Encrypting Data in ECS Encrypting Data in OBS Encrypting Data in EVS Encrypting Data in IMS Encrypting an RDS DB Instance Encrypting a DDS DB Instance
The backup data stored in OBS will not be encrypted. After a Document Database Service (DDS) DB instance is created, do not disable or delete the key that is being used. Otherwise, DDS will be unavailable and data cannot be restored.
Image Management Service (IMS) Encrypting Data in IMS Storage Object Storage Service (OBS) Encrypting Data in OBS Elastic Volume Service (EVS) Encrypting Data in EVS Volume Backup Service (VBS) VBS generally creates online backups for a single EVS disk (system or data disk) of the
For example, when you upload an object on OBS, enable Server-Side Encryption, and set Encryption Key Type to Default, OBS will use KMS to generate a default key whose alias is obs/default.
The backup data stored in OBS will not be encrypted. After an RDS DB instance is created, do not disable or delete the key that is being used. Otherwise, RDS will be unavailable and data cannot be restored.
Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region.
When creating an RDS, DDS, or OBS instance, you can choose shared KMS keys. For details, see Cloud Services with KMS Integrated.
OBS supports authentication using an AK/SK pair. It uses AK/SK-based encryption to authenticate requests. For details, see Authentication. Access Control DEW uses Identity and Access Management (IAM) to implement refined access control.
Upload the external image file to the OBS bucket. For details, see Creating a Windows System Disk Image from an External Image File. Create a private image. Log in to the IMS console. Click the Private Images tab and click Create Image in the upper right corner.