You can protect static data by performing server-side encryption. If you enable the server-side encryption function, OSS encrypts user data (that is, the objects) when writing the data into the hard disks deployed in the data center and automatically decrypts the data when it is accessed. Authentication is performed on users who access the encrypted data.

Note For more information about server-side encryption, see Server-side encryption.

OSS supports the following three server-side encryption methods:

  • Server-side encryption fully managed by OSS (SSE-OSS)

    When sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption header in the request and specify its value as AES256. In this method, OSS uses AES256 to encrypt each object with an individual key. Furthermore, the individual keys are encrypted by a customer master key (CMK) that is updated periodically for higher security.

  • Server-side encryption using the default managed CMK (SSE-KMS)

    When sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption header in the request and specify its value as KMS without a specified CMK ID. In this method, OSS generates an individual key to encrypt each object by using the default managed CMK, and automatically decrypts the object when it is downloaded.

  • Server-side encryption using a CMK specified by the user (SSE-KMS)

    When sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption header in the request, specify its value as KMS, and set the X-oss-server-side-encryption-key-id header to the ID of the CMK to use. In this method, OSS generates an individual key to encrypt each object by using the specified CMK, and adds the ID of that CMK to the metadata of the object so that the object is automatically decrypted when it is downloaded by an authorized user. You can use key material generated by the system automatically or import key material from an external source.

    Notice
    • The server-side encryption method using a specified CMK is in the beta testing phase. To use the method, contact Alibaba Cloud technical support.
    • Only one server-side encryption method can be used for an object at one time.
    • If you use a CMK to encrypt an object, the data key used in the encryption is also encrypted and is stored in the metadata of the object.
    • In server-side encryption that uses the default managed CMK, only the data in the object is encrypted. The metadata of the object is not encrypted.
    • Fees for API calls are incurred if you use a CMK to encrypt an object.
    • To use a RAM user to encrypt objects with a specified CMK, you must grant the relevant permissions to the RAM user. For more information, see Use RAM for KMS resource authorization.

Perform server-side encryption fully managed by OSS

  1. Log on to the OSS console and create a bucket. For more information, see Create a bucket.
  2. Upload an object in plaintext to OSS. For more information, see Upload an object.
  3. Encrypt the uploaded object by running the following Python script:
    # -*- coding: utf-8 -*-
    import oss2
    
    # It is highly risky to log on with AccessKey of an Alibaba Cloud account because the account has permissions on all the APIs in OSS. We recommend that you log on as a RAM user to access APIs or perform routine operations and maintenance. To create a RAM account, log on to the RAM console.
    auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
    # This example uses the endpoint oss-cn-hongkong. Specify the actual endpoint based on your requirements.
    
    bucket = oss2.Bucket(auth, 'http://oss-cn-hongkong.aliyuncs.com', 'test-hongkong-2025')
    
    # Rewriting the metadata with the SSE header makes OSS re-store the object encrypted with AES256.
    bucket.update_object_meta('01.txt', {'x-oss-server-side-encryption': 'AES256'})
  4. Verify the encryption result.
    Use ossutil to view the object before and after the encryption.
    • Before encryption:
      D:\5-AK_account\ossutil64>ossutil64.exe stat  oss://test-hongkong-2025/01.txt
      ACL                         : default
      Accept-Ranges               : bytes
      Content-Length              : 62
      Content-Md5                 : k2GA4LeqHvVpQvBfnleNOg==
      Content-Type                : text/plain
      Etag                        : 936180E0B7AA1EF56942F05F9E578D3A
      Last-Modified               : 2018-10-24 20:41:54 +0800 CST
      Owner                       : 14166xxxxxx36597
      X-Oss-Hash-Crc64ecma        : 9888192182077127097
      X-Oss-Object-Type           : Normal
      X-Oss-Storage-Class         : Standard
    • After encryption:
      D:\5-AK_account\ossutil64>ossutil64.exe stat  oss://test-hongkong-2025/01.txt
      ACL                         : default
      Accept-Ranges               : bytes
      Content-Length              : 62
      Content-Md5                 : k2GA4LeqHvVpQvBfnleNOg==
      Content-Type                : text/plain
      Etag                        : 936180E0B7AA1EF56942F05F9E578D3A
      Last-Modified               : 2018-10-24 20:46:39 +0800 CST
      Owner                       : 14166xxxxxx36597
      X-Oss-Hash-Crc64ecma        : 9888192182077127097
      X-Oss-Object-Type           : Normal
      X-Oss-Server-Side-Encryption: AES256
      X-Oss-Storage-Class         : Standard

Perform server-side encryption using the default CMK managed by OSS

  1. Log on to the OSS console and create a bucket. For more information, see Create a bucket.
  2. Upload an object in plaintext to OSS. For more information, see Upload an object.
  3. Activate KMS on the Alibaba Cloud product management page.
  4. Encrypt the uploaded object by running the following Python script:
    # -*- coding: utf-8 -*-
    import oss2
    
    # It is highly risky to log on with AccessKey of an Alibaba Cloud account because the account has permissions on all the APIs in OSS. We recommend that you log on as a RAM user to access APIs or perform routine operations and maintenance. To create a RAM account, log on to the RAM console.
    auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
    # This example uses the endpoint oss-cn-hongkong. Specify the actual endpoint based on your requirements.
    bucket = oss2.Bucket(auth, 'http://oss-cn-hongkong.aliyuncs.com', 'test-hongkong-2025')
    
    # KMS without a key ID selects the default CMK managed by OSS.
    bucket.update_object_meta('01.txt', {'x-oss-server-side-encryption': 'KMS'})

Perform server-side encryption using a CMK specified by the user

  1. Log on to the OSS console and create a bucket. For more information, see Create a bucket.
  2. Upload an object in plaintext to OSS. For more information, see Upload an object.
  3. Activate KMS on the Alibaba Cloud product management page.
  4. Log on to the KMS console. Click Create Key and configure the following options to create a CMK in the same region as the OSS bucket.
    • Customize the description for the key in Description.
    • Select Alibaba Cloud KMS for Key Material Source under Advanced.
    Note You can also import an external key. For more information, see Import key material.
  5. Use the ID of the created CMK to encrypt the uploaded object by running the following Python script:
    # -*- coding: utf-8 -*-
    import oss2
    
    # It is highly risky to log on with AccessKey of an Alibaba Cloud account because the account has permissions on all the APIs in OSS. We recommend that you log on as a RAM user to access APIs or perform routine operations and maintenance. To create a RAM account, log on to the RAM console.
    auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
    # This example uses the endpoint oss-cn-hongkong. Specify the actual endpoint based on your requirements.
    bucket = oss2.Bucket(auth, 'http://oss-cn-hongkong.aliyuncs.com', 'test-hongkong-2025')
    
    # KMS together with a key ID selects the CMK created in the KMS console.
    bucket.update_object_meta('01.txt', {'x-oss-server-side-encryption': 'KMS', 'x-oss-server-side-encryption-key-id': '33701a45-6723-4a04-a367-68c060382652'})
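The three methods above differ only in the metadata headers sent with the object, and the verification step shows that the same headers come back from `ossutil stat`. The following added example (written for this page, not part of the OSS documentation or the oss2 SDK) builds the header dictionary for each method with the restrictions from the notice enforced (one method per object, a CMK ID only with KMS), parses the `Name : value` lines of `ossutil stat` output, and classifies an object as unencrypted, SSE-OSS, SSE-KMS with the default CMK, or SSE-KMS with a specified CMK. The sample stat outputs are constructed to mirror the ones shown above; no network access or oss2 installation is needed to run it.

```python
"""Added example: build OSS server-side encryption headers and audit
which SSE method, if any, protects an object (not the SDK's own code)."""

import re
from typing import Dict, List, Optional

SSE_HEADER = "x-oss-server-side-encryption"
SSE_KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"

# Constructed sample: the 'Name : value' lines of `ossutil stat` for an
# object before and after the SSE-OSS step documented on this page.
STAT_BEFORE = """\
ACL                         : default
Content-Length              : 62
Etag                        : 936180E0B7AA1EF56942F05F9E578D3A
X-Oss-Object-Type           : Normal
X-Oss-Storage-Class         : Standard
"""
STAT_AFTER = STAT_BEFORE + "X-Oss-Server-Side-Encryption: AES256\n"


def sse_headers(method: str, cmk_id: Optional[str] = None) -> Dict[str, str]:
    """Return the metadata headers for one SSE method.

    method is "SSE-OSS" (AES256), "SSE-KMS" (default managed CMK) or
    "SSE-KMS-CMK" (CMK given by cmk_id).  Combinations the page does not
    allow, such as AES256 together with a CMK ID, are rejected so a caller
    cannot silently request an undefined mix of methods.
    """
    if method == "SSE-OSS":
        if cmk_id:
            raise ValueError("a CMK ID cannot be combined with AES256")
        return {SSE_HEADER: "AES256"}
    if method == "SSE-KMS":
        if cmk_id:
            raise ValueError("use SSE-KMS-CMK to specify a CMK ID")
        return {SSE_HEADER: "KMS"}
    if method == "SSE-KMS-CMK":
        if not cmk_id:
            raise ValueError("SSE-KMS-CMK requires a CMK ID")
        return {SSE_HEADER: "KMS", SSE_KEY_ID_HEADER: cmk_id}
    raise ValueError(f"unknown SSE method {method!r}")


def parse_stat_output(text: str) -> Dict[str, str]:
    """Parse 'Name : value' lines (as printed by `ossutil stat`) into a dict."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.+?)\s*$", line)
        if match:
            headers[match.group(1)] = match.group(2)
    return headers


def classify_sse(headers: Dict[str, str]) -> str:
    """Map an object's response headers to NONE / SSE-OSS / SSE-KMS /
    SSE-KMS-CMK.  Names are compared case-insensitively because OSS returns
    them as X-Oss-Server-Side-Encryption while requests use lowercase."""
    lowered = {name.lower(): value for name, value in headers.items()}
    algorithm = lowered.get(SSE_HEADER)
    key_id = lowered.get(SSE_KEY_ID_HEADER)
    if algorithm is None:
        return "NONE"
    if algorithm == "AES256":
        return "SSE-OSS"
    if algorithm == "KMS":
        return "SSE-KMS-CMK" if key_id else "SSE-KMS"
    return f"UNKNOWN({algorithm})"


def find_unencrypted(objects: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the keys of objects with no SSE header: the list to review
    before treating a bucket's data at rest as encrypted."""
    return sorted(key for key, hdrs in objects.items() if classify_sse(hdrs) == "NONE")


# Constructed inventory: one object still in plaintext, one per SSE method.
SAMPLE_OBJECTS = {
    "01.txt": parse_stat_output(STAT_BEFORE),
    "02.txt": parse_stat_output(STAT_AFTER),
    "03.txt": {"X-Oss-Server-Side-Encryption": "KMS"},
    "04.txt": {"X-Oss-Server-Side-Encryption": "KMS",
               "X-Oss-Server-Side-Encryption-Key-Id": "33701a45-6723-4a04-a367-68c060382652"},
}

if __name__ == "__main__":
    for key, hdrs in SAMPLE_OBJECTS.items():
        print(f"{key}: {classify_sse(hdrs)}")
    print("unencrypted:", find_unencrypted(SAMPLE_OBJECTS))
    # The dict returned by sse_headers() is what the page passes to
    # bucket.update_object_meta(); for example sse_headers("SSE-OSS").
```

`find_unencrypted` is the check worth running periodically: the scripts above encrypt one object at a time, so an object uploaded later without the header stays in plaintext unless something reports it. Feeding it the parsed output of `ossutil stat` for each key, or the headers from the SDK's `head_object`, gives the list of objects that still need the metadata update.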