How QingStor Secures Your Data: A Complete Guide to Object Storage Encryption

This article explains how QingStor object storage uses SSL and server‑side AES256 encryption, details the client‑side tagging process, walks through the full encrypt‑and‑decrypt workflow, and provides practical API request and response examples for secure data handling.

Qingyun Technology Community

Introduction

QingStor offers a complete solution for securely storing data, combining SSL transport protection with server‑side AES256 encryption to ensure that only the owner of the encryption key can access the stored objects.

Encryption Process

Attach a key and its MD5 tag to the object before upload.

Upload the object to QingStor.

QingStor computes the MD5 of the received key.

It compares the computed MD5 with the tag to verify integrity.

If the MD5s differ, the upload is rejected and the user must re‑tag the object.

If the MD5s match, QingStor encrypts the object using the provided algorithm (AES256).

After encryption, QingStor discards the plaintext key, retaining only the MD5 for future verification.

Decryption Process

The user submits a retrieval request with the original key, its MD5, and the encryption algorithm.

QingStor verifies the MD5 to ensure the key has not been altered.

Upon successful verification, QingStor decrypts the object and returns it to the user.

Encryption Request Headers

To enable encryption, include the following headers in API calls:

X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <Base64‑encoded‑key>
X-Qs-Encryption-Md5: <Base64‑encoded‑MD5‑of‑key>
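
The tagging and verification steps above, as an added Python example that is not QingStor's code. It assumes the MD5 tag is computed over the raw key bytes before Base64 encoding; the function names and rejection strings are hypothetical, and the check function only models the service-side comparison described in the Encryption Process and Decryption Process sections.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

ALGORITHM = "AES256"
KEY_BYTES = 32  # AES-256 uses a 256-bit (32-byte) key


def build_encryption_headers(key: bytes) -> dict:
    """Client side: tag a raw 32-byte key with its MD5 and encode both."""
    if len(key) != KEY_BYTES:
        raise ValueError("AES256 needs a 32-byte key")
    return {
        "X-Qs-Encryption-Algorithm": ALGORITHM,
        "X-Qs-Encryption-Key": base64.b64encode(key).decode("ascii"),
        # Assumption: the tag is MD5 over the raw key bytes, then Base64.
        "X-Qs-Encryption-Md5": base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_encryption_headers(headers: dict, stored_md5=None) -> str:
    """Model of the service-side check; returns 'ok' or a rejection reason."""
    if headers.get("X-Qs-Encryption-Algorithm") != ALGORITHM:
        return "unsupported algorithm"
    try:
        key = base64.b64decode(headers.get("X-Qs-Encryption-Key", ""), validate=True)
        tag = base64.b64decode(headers.get("X-Qs-Encryption-Md5", ""), validate=True)
    except (binascii.Error, ValueError):
        return "malformed base64"
    if len(key) != KEY_BYTES:
        return "wrong key length"
    computed = hashlib.md5(key).digest()
    if not hmac.compare_digest(computed, tag):
        return "key/md5 mismatch"  # upload rejected, client must re-tag
    # On retrieval, the MD5 retained at upload time identifies the right key.
    if stored_md5 is not None and not hmac.compare_digest(computed, stored_md5):
        return "not the key used at upload"
    return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)  # constructed sample key
    headers = build_encryption_headers(key)
    print(check_encryption_headers(headers))
```

The MD5 tag here only detects a corrupted or mismatched key; the key itself travels in a request header, so the SSL transport described in the introduction is what keeps it confidential in transit.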

Basic API Operations

GET Object

Retrieve an encrypted object by providing the encryption headers.

GET /myphoto.jpg HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 01:32:07 GMT
Authorization: <signature>
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <your key>
X-Qs-Encryption-Md5: <your key's md5>

PUT Object

Upload a new encrypted object.

PUT /myphoto.jpg HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Tue, 20 Jul 2021 10:28:51 GMT
Content-Length: 7987
Authorization: <signature>
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <your key>
X-Qs-Encryption-Md5: <your key's md5>

PUT Object – Copy

Copy an encrypted object; the source object's encryption info must be supplied, and new encryption info must be provided for the destination.

PUT /myphoto.jpg?copy_source=/source-bucket/source-object HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 03:06:32 GMT
Authorization: <signature>
X-Qs-Copy-Source: /source-bucket/source-object
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <new key>
X-Qs-Encryption-Md5: <new key's md5>

HEAD Object

Fetch metadata of an encrypted object; encryption headers are optional unless verification is needed.

HEAD /myphoto.jpg HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 06:13:33 GMT
Authorization: <signature>
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <your key>
X-Qs-Encryption-Md5: <your key's md5>

Multipart Upload with Encryption

For large objects (>5 GB), use multipart upload while preserving encryption headers throughout the process.

Initiate Multipart Upload

POST /large-object?uploads HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 06:58:47 GMT
Authorization: <signature>
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <your key>
X-Qs-Encryption-Md5: <your key's md5>

Upload Part

PUT /large-object?upload_id=<upload_id>&part_number=0 HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 06:59:24 GMT
Content-Length: 7987
Authorization: <signature>
X-Qs-Encryption-Algorithm: AES256
X-Qs-Encryption-Key: <your key>
X-Qs-Encryption-Md5: <your key's md5>

Complete Multipart Upload

POST /large-object?upload_id=<upload_id> HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 06:59:24 GMT
Authorization: <signature>
Content-Type: application/json

{ "object_parts": [ { "part_number": 0, "etag": "..." }, { "part_number": 1, "etag": "..." } ] }

Abort Multipart Upload

DELETE /large-object?upload_id=<upload_id> HTTP/1.1
Host: mybucket.pek3a.qingstor.com
Date: Wed, 21 Jul 2021 06:59:24 GMT
Authorization: <signature>

Key Management Reminder

After encryption, QingStor discards the plaintext key; only the key holder can decrypt the object. Losing the key means the data is unrecoverable, similar to a lost safe‑combination.
