最新情報とお知らせ

製品アップデート情報

製品のお知らせ

製品概要

機能概要

応用シナリオ

製品の優位性

基本概念

リージョンとアクセスドメイン名

仕様と制限

製品の課金

課金概要

課金方式

課金項目

無料利用枠

記帳例

請求書の確認とダウンロード

お支払い遅れについて

よくある質問

クイックスタート

コンソールクイックスタート

COSBrowserクイックスタート

ユーザーガイド

リクエストの作成

バケット

オブジェクト

データ管理

バッチ処理

グローバルアクセラレーション

監視とアラーム

運用管理センター

データ処理

インテリジェントツールボックス使用ガイド

データワークフロー

アプリ統合

ツールガイド

ツール概要

環境のインストールと設定

COSBrowserツール

COSCLIツール

COSCMDツール

COS Migrationツール

FTP Serverツール

Hadoopツール

COSDistCpツール

HDFS TO COSツール

オンラインツール (Onrain Tsūru)

セルフ診断ツール

実践チュートリアル

概要

アクセス制御と権限管理

パフォーマンスの最適化

AWS S3 SDKを使用したCOSアクセス

データディザスタリカバリバックアップ

ドメイン名管理の実践

画像処理の実践

COSオーディオビデオプレーヤーの実践

データセキュリティ

データ検証

COSコスト最適化ソリューション

サードパーティアプリケーションでのCOSの使用

移行ガイド

サードパーティクラウドストレージのデータをCOSへ移行

データレークストレージ

クラウドネイティブデータレイク

メタデータアクセラレーション

データアクセラレーター GooseFS

データ処理

データ処理概要

画像処理

メディア処理

コンテンツ審査

ファイル処理

ドキュメントプレビュー

トラブルシューティング

RequestId取得の操作ガイド

パブリックネットワーク経由でのCOSへのファイルアップロード速度の遅さ

COSへのアクセス時に403エラーコードが返される

リソースアクセス異常

POST Objectの一般的な異常

セキュリティとコンプライアンス

データ災害復帰

データセキュリティ

クラウドアクセスマネジメント

よくある質問

よくあるご質問

一般的な問題

従量課金に関するご質問

ドメインコンプライアンスに関するご質問

バケット設定に関する質問

ドメイン名とCDNに関するご質問

ファイル操作に関するご質問

権限管理に関するご質問

データ処理に関するご質問

データセキュリティに関するご質問

署名付きURLに関するご質問

SDKクラスに関するご質問

ツール類に関するご質問

APIクラスに関するご質問

Agreements

Service Level Agreement

プライバシーポリシー

データ処理とセキュリティ契約

連絡先

用語集

Server-Side Encryption

フォーカスモード

フォントサイズ

最終更新日: 2024-02-02 16:24:05

Overview
This document describes how to enable server-side encryption when uploading objects. There are three types of keys that can be used for server-side encryption:
COS-managed key
Customer-provided key
KMS-managed key
Using server-side encryption with COS-managed encryption keys (SSE-COS) to protect data
With this method, your master key and data are managed by COS. COS can automatically encrypt your data when written into the IDC and automatically decrypt it when accessed. Currently, COS supports AES-256 encryption using a COS master key pair.
// Before using the advanced API, ensure that the process contains a TransferManager instance. If such an instance does not exist, create one.
// For the detailed code, see "Advanced API -> Sample Code: Creating TransferManager" in "Uploading Objects".
TransferManager transferManager = createTransferManager();
﻿
// Enter the bucket name in the format of `BucketName-APPID`.
String bucketName = "examplebucket-1250000000";
// Object key, the unique ID of an object in a bucket. For more information, please see [Object Key](https://www.tencentcloud.com/document/product/436/13324).
String key = "exampleobject";
// Local file path
String localFilePath = "/path/to/localFile";
File localFile = new File(localFilePath);
﻿
PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, key, localFile);
﻿
ObjectMetadata objectMetadata = new ObjectMetadata();
// Set the encryption algorithm to AES-256.
objectMetadata.setServerSideEncryption(SSEAlgorithm.AES256.getAlgorithm());
putObjectRequest.setMetadata(objectMetadata);
﻿
// For server-side encryption scenarios, the returned ETag is not the MD5 value of the file. Therefore, MD5 verification on the client should be removed.
// You can obtain the CRC64 value for verification as needed.
System.setProperty(SkipMd5CheckStrategy.DISABLE_PUT_OBJECT_MD5_VALIDATION_PROPERTY, "true");
﻿
try {
    // The advanced API will return an asynchronous result `Upload`.
    // You can call the `waitForUploadResult` method to wait for the upload to complete. If the upload is successful, `UploadResult` is returned. If the upload fails, an exception is returned.
    Upload upload = transferManager.upload(putObjectRequest);
    UploadResult uploadResult = upload.waitForUploadResult();
} catch (CosServiceException e) {
    e.printStackTrace();
} catch (CosClientException e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    e.printStackTrace();
}
﻿
// After confirming that the process does not use the TransferManager anymore, close it.
// For the detailed code, see "Advanced APIs -> Closing TransferManager" on the current page.
shutdownTransferManager(transferManager);
Using server-side encryption with customer-provided encryption keys (SSE-C) to protect data
With this method, the encryption key is provided by the customer. To upload an object, COS will apply AES-256 encryption to the data using the customer-provided encryption key pair.
Note: 
This type of encryption requires using HTTPS requests.
You need to provide a 32-byte string as the key, a combination of numbers, letters, and characters, with Chinese characters not supported.
If a file was key-encrypted when uploaded, you need to include the same key in your GET (download) or HEAD (query) request for it to succeed.
// Before using the advanced API, ensure that the process contains a TransferManager instance. If such an instance does not exist, create one.
// For the detailed code, see "Advanced API -> Sample Code: Creating TransferManager" in "Uploading Objects".
TransferManager transferManager = createTransferManager();
﻿
// Enter the bucket name in the format of `BucketName-APPID`.
String bucketName = "examplebucket-1250000000";
// Object key, the unique ID of an object in a bucket. For more information, please see [Object Key](https://www.tencentcloud.com/document/product/436/13324).
String key = "exampleobject";
// Local file path
String localFilePath = "/path/to/localFile";
File localFile = new File(localFilePath);
﻿
PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, key, localFile);
﻿
String base64EncodedKey = "MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUY=";
// "sseCustomerKey" is a Base64-encoded key.
SSECustomerKey sseCustomerKey = new SSECustomerKey(base64EncodedKey);
putObjectRequest.setSSECustomerKey(sseCustomerKey);
﻿
// For server-side encryption scenarios, the returned ETag is not the MD5 value of the file. Therefore, MD5 verification on the client should be removed.
// You can obtain the CRC64 value for verification as needed.
System.setProperty(SkipMd5CheckStrategy.DISABLE_PUT_OBJECT_MD5_VALIDATION_PROPERTY, "true");
﻿
try {
    // The advanced API will return an asynchronous result `Upload`.
    // You can call the `waitForUploadResult` method to wait for the upload to complete. If the upload is successful, `UploadResult` is returned. If the upload fails, an exception is returned.
    Upload upload = transferManager.upload(putObjectRequest);
    UploadResult uploadResult = upload.waitForUploadResult();
} catch (CosServiceException e) {
    e.printStackTrace();
} catch (CosClientException e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    e.printStackTrace();
}
﻿
// After confirming that the process does not use the TransferManager anymore, close it.
// For the detailed code, see "Advanced APIs -> Closing TransferManager" on the current page.
shutdownTransferManager(transferManager);
Using server-side encryption with KMS-managed encryption keys (SSE-KMS) to protect data
SSE-KMS encryption is server-side encryption using keys managed by KMS, a Tencent Cloud security management service. KMS is designed to generate and protect your keys using third-party-certified hardware security modules (HSM). It allows you to easily create and manage keys for use in multiple applications and services, while meeting regulatory and compliance requirements. For information on how to activate KMS service, see Server-side Encryption Overview.
// Before using the advanced API, ensure that the process contains a TransferManager instance. If such an instance does not exist, create one.
// For the detailed code, see "Advanced API -> Sample Code: Creating TransferManager" in "Uploading Objects".
TransferManager transferManager = createTransferManager();
﻿
// Enter the bucket name in the format of `BucketName-APPID`.
String bucketName = "examplebucket-1250000000";
// Object key, the unique ID of an object in a bucket. For more information, please see [Object Key](https://www.tencentcloud.com/document/product/436/13324).
String key = "exampleobject";
// Local file path
String localFilePath = "/path/to/localFile";
File localFile = new File(localFilePath);
﻿
PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, key, localFile);
﻿
// KMS CMK
String kmsKeyId = "your-kms-key-id";
String encryptionContext = Base64.encodeAsString("{\\"Ssekmstest\\":\\"Ssekmstest\\"}".getBytes());
SSECOSKeyManagementParams ssecosKeyManagementParams = new SSECOSKeyManagementParams(kmsKeyId, encryptionContext);
putObjectRequest.setSSECOSKeyManagementParams(ssecosKeyManagementParams);
﻿
// For server-side encryption scenarios, the returned ETag is not the MD5 value of the file. Therefore, MD5 verification on the client should be removed.
// You can obtain the CRC64 value for verification as needed.
System.setProperty(SkipMd5CheckStrategy.DISABLE_PUT_OBJECT_MD5_VALIDATION_PROPERTY, "true");
﻿
try {
    // The advanced API will return an asynchronous result `Upload`.
    // You can call the `waitForUploadResult` method to wait for the upload to complete. If the upload is successful, `UploadResult` is returned. If the upload fails, an exception is returned.
    Upload upload = transferManager.upload(putObjectRequest);
    UploadResult uploadResult = upload.waitForUploadResult();
} catch (CosServiceException e) {
    e.printStackTrace();
} catch (CosClientException e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    e.printStackTrace();
}
﻿
// After confirming that the process does not use the TransferManager anymore, close it.
// For the detailed code, see "Advanced APIs -> Closing TransferManager" on the current page.
shutdownTransferManager(transferManager);

ヘルプとサポート

この記事はお役に立ちましたか？

営業担当者にお問い合わせいただくかチケットを提出してサポートを求めることができます。

フィードバック

tencent cloud

Cloud Object Storage

Server-Side Encryption

Overview

Using server-side encryption with COS-managed encryption keys (SSE-COS) to protect data

Using server-side encryption with customer-provided encryption keys (SSE-C) to protect data

Using server-side encryption with KMS-managed encryption keys (SSE-KMS) to protect data

ヘルプとサポート