Release Notes and Announcements
- Release Notes
- Announcements
Product Introduction
Billing
- Billing Overview
- Billing Method
- Billable Items
- Free Tier
- Billing Examples
- Viewing and Downloading Bill
- Payment Overdue
- FAQs
Getting Started
- Console
- Getting Started with COSBrowser
User Guide
- Creating Request
- Bucket
- Object
- Data Management
- Batch Operation
- Global Acceleration
- Monitoring and Alarms
- Operations Center
- Data Processing
- Content Moderation
- Smart Toolbox
- Data Processing Workflow
- Application Integration
User Tools
- Tool Overview
- Installation and Configuration of Environment
- COSBrowser
- COSCLI (Beta)
- COSCMD
- COS Migration
- FTP Server
- Hadoop
- COSDistCp
- HDFS TO COS
- GooseFS-Lite Tool
- Online Tools
- Diagnostic Tool
Use Cases
- Overview
- Access Control and Permission Management
- Performance Optimization
- Accessing COS with AWS S3 SDK
- Data Disaster Recovery and Backup
- Domain Name Management Practice
- Image Processing
- Audio/Video Practices
- Workflow
- Direct Data Upload
- Content Moderation
- Data Security
- Data Verification
- Big Data Practice
- COS Cost Optimization Solutions
- Using COS in the Third-party Applications
Migration Guide
Data Lake Storage
- Cloud Native Datalake Storage
- Metadata Accelerator
- GooseFS
Data Processing
- Data Processing Overview
- Image Processing
- Media Processing
- Content Moderation
- File Processing Service
- File Preview
Troubleshooting
- Obtaining RequestId
- Slow Upload over Public Network
- 403 Error for COS Access
- Resource Access Error
- POST Object Common Exceptions
API Documentation
- Introduction
- Common Request Headers
- Common Response Headers
- Error Codes
- Request Signature
- Action List
- Service APIs
- Bucket APIs
- Object APIs
- Batch Operation APIs
- Data Processing APIs
- Job and Workflow
- Content Moderation APIs
- Cloud Antivirus API
SDK Documentation
- SDK Overview
- Preparations
- Android SDK
- C SDK
- C++ SDK
- .NET(C#) SDK
- Flutter SDK
- Go SDK
- iOS SDK
- Java SDK
- JavaScript SDK
- Node.js SDK
- PHP SDK
- Python SDK
- React Native SDK
- Mini Program SDK
- Error Codes
- Harmony SDK
- Endpoint SDK Quality Optimization
Security and Compliance
- Data Disaster Recovery
- Data Security
- Cloud Access Management
FAQs
- Popular Questions
- General
- Billing
- Domain Name Compliance Issues
- Bucket Configuration
- Domain Names and CDN
- Object Operations
- Logging and Monitoring
- Permission Management
- Data Processing
- Data Security
- Pre-signed URL Issues
- SDKs
- Tools
- APIs
Agreements
Contact Us
Glossary

Server-Side Encryption

Focus Mode

Font Size

Last updated: 2026-03-05 17:02:48

Introduction
This document provides instructions on how to enable server-side encryption when objects are uploaded. Server-side encryption keys are categorized into three types:
COS managed encryption key
customer-provided encryption key
KMS managed encryption key
Preliminary Preparation
Create CosAPI
Before calling the COS API, you must first create an instance of CosAPI to make subsequent call requests.
qcloud_cos::CosAPI InitCosAPI() {
    uint64_t appid = 12500000000;
    std::string region = "ap-guangzhou";// Region of the bucket, see https://www.tencentcloud.com/document/product/436/62?from_cn_redirect=1
    std::string secret_id = "************************************"; // User's SecretId. It is recommended to use sub-account keys, with authorization following the least privilege principle to mitigate usage risks. For information on how to obtain sub-account keys, see https://www.tencentcloud.com/document/product/598/37140?from_cn_redirect=1
    std::string secret_key = "***********************************"; // User's SecretKey. It is recommended to use sub-account keys, with authorization following the least privilege principle to mitigate usage risks. For information on how to obtain sub-account keys, see https://www.tencentcloud.com/document/product/598/37140?from_cn_redirect=1
        
    qcloud_cos::CosConfig config(appid, tmp_secret_id, tmp_secret_key, region);
    qcloud_cos::CosAPI cos_tmp(config);
    return cos_tmp;
}
Create CosAPI Using a Temporary Key
To access COS with a temporary key, you need to create a CosAPI instance using the temporary key.
qcloud_cos::CosAPI InitCosAPI() {
    // You need to have obtained the temporary key results: tmp_secret_id, tmp_secret_key,
    // For generating temporary keys, see https://www.tencentcloud.com/document/product/436/14048?from_cn_redirect=1#cos-sts-sdk
    uint64_t appid = 12500000000;
    std::string region = "ap-guangzhou";
    std::string tmp_secret_id = "************************************";
    std::string tmp_secret_key = "***********************************";
    std::string tmp_token = "token";
    
    qcloud_cos::CosConfig config(appid, tmp_secret_id, tmp_secret_key, region);
    config.SetTmpToken(tmp_token);
    qcloud_cos::CosAPI cos_tmp(config);
    return cos_tmp;
}
Use Case
Using COS Managed Encryption Key for Server-Side Encryption (SSE-COS) to Protect Data
Tencent Cloud COS manages the master key and data. COS automatically encrypts your data when it is written to the data center and decrypts it when you access the data. Currently, AES-256 encryption using the COS master key is supported for data protection.
void PutObjectByFileDemo(qcloud_cos::CosAPI& cos) {
    std::string object_name = "test.txt";
    std::string file_path = "./test_file/text.txt";
    qcloud_cos::PutObjectByFileReq req(bucket_name, object_name, file_path);
    req.SetXCosServerSideEncryption("AES256");
    qcloud_cos::PutObjectByFileResp resp;
    qcloud_cos::CosResult result = cos.PutObject(req, &resp);

    std::cout << "====================PutObjectByFile======================" << std::endl;
    PrintResult(result, resp);
    std::cout << "=========================================================" << std::endl;
}
Use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) to Protect Data
The encryption key is provided by the user. When objects are uploaded, COS uses the user-provided encryption key to perform AES-256 encryption on the data.
Note:
The service running this encryption must use HTTPS requests.
User must provide a 32-byte string as the key, which supports combinations of digits, letters, and characters, but does not support Chinese characters.
If a key is set for encryption when a file is uploaded, then when using GET (download) or HEAD (query) operations on the source object, the same key must be included in the request for it to be processed successfully.
void PutObjectByFileDemo(qcloud_cos::CosAPI& cos) {
    std::string object_name = "test.txt";
    std::string file_path = "./test_file/text.txt";
    qcloud_cos::PutObjectByFileReq req(bucket_name, object_name, file_path);
    req.SetHttps();
    req.TurnOffComputeConentMd5();
    req.AddHeader("x-cos-server-side-encryption-customer-algorithm", "AES256");  // Server-side encryption algorithm, currently only supports AES256
    req.AddHeader("x-cos-server-side-encryption-customer-key","key"); // Base64-encoded server-side encryption key, e.g., MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUY=
    req.AddHeader("x-cos-server-side-encryption-customer-key-MD5","key-MD5"); // MD5 hash value of the server-side encryption key, Base64-encoded, e.g., U5L61r7jcwdNvT7frmUG8g==
    // The Base64 encoding of the MD5 hash value must be calculated based on the binary-encoded MD5.
    qcloud_cos::PutObjectByFileResp resp;
    qcloud_cos::CosResult result = cos.PutObject(req, &resp);

    std::cout << "====================PutObjectByFile======================" << std::endl;
    PrintResult(result, resp);
    std::cout << "=========================================================" << std::endl;
}
void GetObjectByFileDemo(qcloud_cos::CosAPI& cos) {
    std::string object_name = "test.txt";
    std::string file_path = "./test_file/text2.txt";
    qcloud_cos::GetObjectByFileReq req(bucket_name, object_name, file_path);
    req.SetHttps();
    req.SetCheckMD5(false);
    req.AddHeader("x-cos-server-side-encryption-customer-algorithm", "AES256");  // Server-side encryption algorithm, currently only supports AES256
    req.AddHeader("x-cos-server-side-encryption-customer-key","key"); // Base64-encoded server-side encryption key, e.g., MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUY=
    req.AddHeader("x-cos-server-side-encryption-customer-key-MD5","key-MD5"); // MD5 hash value of the server-side encryption key, Base64-encoded, e.g., U5L61r7jcwdNvT7frmUG8g==
    qcloud_cos::GetObjectByFileResp resp;

    qcloud_cos::CosResult result = cos.GetObject(req, &resp);
    std::cout << "===================GetObjectResponse=====================" << std::endl;
    PrintResult(result, resp);
    std::cout << "=========================================================" << std::endl;
}
Using Server-Side Encryption With KMS Managed Encryption Key (SSE-KMS) to Protect Data
SSE-KMS encryption refers to server-side encryption using KMS managed keys. KMS is a security management service launched by Tencent Cloud, which uses third-party certified Hardware Security Modules (HSM) to generate and protect keys. It helps users easily create and manage keys, meeting their key management needs for multiple applications and business scenarios while fulfilling regulatory and compliance requirements. For instructions on activating the KMS service, see Server-Side Encryption Overview.
void PutObjectByFileDemo(qcloud_cos::CosAPI& cos) {
    std::string object_name = "test.txt";
    std::string file_path = "./test_file/text.txt";
    qcloud_cos::PutObjectByFileReq req(bucket_name, object_name, file_path);
    req.SetXCosServerSideEncryption("cos/kms");
    req.TurnOffComputeConentMd5();
    req.AddHeader("x-cos-server-side-encryption-cos-kms-key-id","key-id"); // Specifies the KMS Customer Master Key (CMK). If not specified, the CMK created by default for COS will be used
    req.AddHeader("x-cos-server-side-encryption-context","context"); // Specifies the encryption context, which is the Base64-encoded JSON-formatted key-value pairs. For example, eyJhIjoiYXNkZmEiLCJiIjoiMTIzMzIxIn0=

    qcloud_cos::PutObjectByFileResp resp;
    qcloud_cos::CosResult result = cos.PutObject(req, &resp);

    std::cout << "====================PutObjectByFile======================" << std::endl;
    PrintResult(result, resp);
    std::cout << "=========================================================" << std::endl;
}
﻿
void GetObjectByFileDemo(qcloud_cos::CosAPI& cos) {
    std::string object_name = "test.txt";
    std::string file_path = "./test_file/text2.txt";
    qcloud_cos::GetObjectByFileReq req(bucket_name, object_name, file_path);
    req.SetHttps();
    req.SetCheckMD5(false);
    qcloud_cos::GetObjectByFileResp resp;

    qcloud_cos::CosResult result = cos.GetObject(req, &resp);
    std::cout << "===================GetObjectResponse=====================" << std::endl;
    PrintResult(result, resp);
    std::cout << "=========================================================" << std::endl;
}
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Cloud Object Storage

Server-Side Encryption

Introduction

Preliminary Preparation

Create CosAPI

Create CosAPI Using a Temporary Key

Use Case

Using COS Managed Encryption Key for Server-Side Encryption (SSE-COS) to Protect Data

Use Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) to Protect Data

Using Server-Side Encryption With KMS Managed Encryption Key (SSE-KMS) to Protect Data

Help and Support