You can use the COS console to encrypt the objects stored in buckets and prevent data disclosure. For more information on encryption, see Server-Side Encryption Overview. The following notes and steps show you how to configure object encryption:
- This operation does not support configuring encryption for objects in the ARCHIVE storage class. If encryption is required, restore archived objects first. After the restoration is complete, change the storage class to STANDARD or STANDARD_IA before configuring the encryption.
- As long as you have access permission on an object, accessing it works the same way regardless of whether the object is encrypted.
- Server-side encryption encrypts only the object data but not its metadata. Server-side encrypted objects can only be accessed with a valid signature and cannot be accessed by anonymous users.
- When you list the objects in a bucket, all objects will be listed, regardless of whether they are encrypted.
1. Log in to the COS console.
2. Click Bucket List on the left sidebar.
3. Locate the bucket where the object resides and click the bucket name.
4. Click File List on the left sidebar.
5. Find the target object and click Details in the Operation column on the right.
6. Select the target encryption method in the Server-Side Encryption area.
The following two encryption methods are currently supported:
- If you use SSE-KMS encryption for the first time, you need to enable the KMS service.
- Currently, SSE-KMS encryption is available only in the Beijing, Shanghai, and Guangzhou regions.
To batch encrypt multiple objects, select multiple objects and click More Actions > Modify Encryption Method at the top.
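
Before a batch change, it helps to sort objects by what the notes above allow. The following pre-flight check is an added example, not Tencent Cloud's code. It assumes that object HEAD responses carry the `x-cos-server-side-encryption` and `x-cos-storage-class` headers, that `cos/kms` is the header value for SSE-KMS, and that the three regions use the codes shown. The function name and all sample data are constructed.

```python
# Added example: pre-flight plan for a batch encryption change.
# Header names, the "cos/kms" value and the region codes are assumptions
# taken from the COS API, not from this page. Sample data is constructed.

KMS_REGIONS = {"ap-beijing", "ap-shanghai", "ap-guangzhou"}  # SSE-KMS regions per the note above
BLOCKED_CLASSES = {"ARCHIVE"}  # must be restored and re-classed before encrypting
SSE_HEADER = "x-cos-server-side-encryption"
CLASS_HEADER = "x-cos-storage-class"


def plan_encryption(objects, region, target):
    """Group object keys by the action needed to reach `target` encryption.

    objects: {key: headers from a HEAD request on that object}
    target:  desired value of the encryption header, e.g. "cos/kms"
    """
    if target == "cos/kms" and region not in KMS_REGIONS:
        raise ValueError(f"SSE-KMS is not available in {region}")
    plan = {"already_set": [], "restore_first": [], "apply": []}
    for key, raw in objects.items():
        headers = {name.lower(): value for name, value in raw.items()}
        # Assumption: the storage-class header is absent for STANDARD objects.
        storage_class = headers.get(CLASS_HEADER, "STANDARD").upper()
        if headers.get(SSE_HEADER) == target:
            plan["already_set"].append(key)      # nothing to change
        elif storage_class in BLOCKED_CLASSES:
            plan["restore_first"].append(key)    # console refuses ARCHIVE objects
        else:
            plan["apply"].append(key)            # safe to select for the batch action
    return plan


# Constructed sample inventory.
SAMPLE_OBJECTS = {
    "reports/q1.csv": {},
    "reports/q2.csv": {"x-cos-server-side-encryption": "AES256"},
    "backups/2019.tar": {"x-cos-storage-class": "ARCHIVE"},
    "logs/app.log": {"X-Cos-Storage-Class": "STANDARD_IA",
                     "X-Cos-Server-Side-Encryption": "cos/kms"},
}

if __name__ == "__main__":
    for action, keys in plan_encryption(SAMPLE_OBJECTS, "ap-guangzhou", "cos/kms").items():
        print(f"{action}: {keys}")
```

Objects listed under `restore_first` need the restore and storage-class change described above before they can be included in the batch.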