Alibaba Cloud OSS performs server-side encryption on data stored in buckets to protect data.

Background information

When you upload data, OSS encrypts the data before storing it. When you download data, OSS decrypts the data and returns the original data. The HTTP response that returns the data carries a header that declares the data was encrypted on the server.
Note For more information about server-side encryption, see Server-side encryption.
You can enable server-side encryption in the OSS console by using one of the following methods:

Method 1: Enable server-side encryption when you create a bucket

  1. Log on to the OSS console.
  2. On the Overview page of the OSS console, click Create Bucket.
  3. In the Create Bucket dialog box that appears, configure parameters.
    Set Server-side Encryption. For more information about the configurations of other parameters, see Create a bucket.
    • Encryption Method: Select an encryption method for the object.
      • None: Server-side encryption is disabled.
      • OSS-Managed: Keys managed by OSS are used for encryption. OSS server-side encryption uses AES-256 to encrypt each object with a different data key, and the data keys are themselves encrypted with master keys that are rotated regularly.
      • KMS: You can use a specified CMK ID or the default CMK stored in KMS to encrypt or decrypt data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS (SSE-KMS).
        Notice
        • Before you use KMS-based encryption, you must activate KMS.
        • You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
    • Encryption Algorithm: Only AES-256 is supported.
    • CMK: You can configure this parameter if you select KMS in the Encryption Method section. Parameter description:
      • alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the objects when they are downloaded.
      • CMK ID: Data keys generated from the specified CMK are used to encrypt objects, and the CMK ID is recorded in the metadata of each encrypted object. Objects are decrypted on download for users who have decryption permissions. Before you specify a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console.
  4. Click OK.

Method 2: Enable server-side encryption on the Basic Settings tab

  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. Choose Basic Settings > Server-side Encryption.
  4. Click Configure.
    Parameter description:
    • Encryption Method: Select an encryption method for the object.
      • None: Server-side encryption is disabled.
      • OSS-Managed: Keys managed by OSS are used for encryption. OSS server-side encryption uses AES-256 to encrypt each object with a different data key, and the data keys are themselves encrypted with master keys that are rotated regularly.
      • KMS: You can use a specified CMK ID or the default CMK stored in KMS to encrypt or decrypt data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS (SSE-KMS).
        Notice
        • Before you use KMS-based encryption, you must activate KMS.
        • You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
    • Encryption Algorithm: Only AES-256 is supported.
    • CMK: You can configure this parameter if you select KMS in the Encryption Method section. Parameter description:
      • alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the objects when they are downloaded.
      • CMK ID: Data keys generated from the specified CMK are used to encrypt objects, and the CMK ID is recorded in the metadata of each encrypted object. Objects are decrypted on download for users who have decryption permissions. Before you specify a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console.
  5. Click Save.
    Notice The default encryption method of a bucket applies only to objects uploaded after it is configured; the encryption configuration of objects that already exist in the bucket is not changed.
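The console steps above (both methods set the same bucket-level rule) leave one thing to verify: because the default does not touch existing objects, a bucket can show "KMS" in Basic Settings while older objects remain unencrypted. The following Python script is an added example, not code from the Alibaba Cloud documentation or the OSS SDK. It audits offline: it parses a bucket encryption rule in the XML shape of the OSS GetBucketEncryption response (the element names are an assumption taken from the API reference, not from this page), flags use of the shared default CMK alias/acs/oss, and then checks constructed per-object HEAD metadata (the x-oss-server-side-encryption headers as OSS returns them; the CMK ID value is a placeholder) for objects that are unencrypted or use a different method than the bucket default.

```python
"""Offline audit of OSS server-side encryption settings.

Added example, not code from the Alibaba Cloud documentation. Parses a
bucket encryption rule in the XML shape returned by the OSS
GetBucketEncryption API (element names assumed from the API reference),
then checks per-object HEAD metadata, because the bucket default does not
retroactively encrypt objects that already existed when it was set.
"""
import xml.etree.ElementTree as ET

SUPPORTED_ALGORITHMS = {"AES256", "KMS"}
DEFAULT_CMK_ALIAS = "alias/acs/oss"  # the KMS default CMK named on the page

# Constructed sample: a bucket rule that relies on the default KMS CMK.
SAMPLE_BUCKET_RULE_XML = """<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID></KMSMasterKeyID>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""

# Constructed sample HEAD-object responses keyed by object name. The header
# names are the ones OSS returns for SSE; the key ID value is a placeholder.
SAMPLE_OBJECT_HEADERS = {
    "reports/2023.csv": {
        "x-oss-server-side-encryption": "KMS",
        "x-oss-server-side-encryption-key-id": "CMK-ID-PLACEHOLDER",
    },
    "legacy/dump.bin": {},  # uploaded before the default was configured
    "logs/app.log": {"x-oss-server-side-encryption": "AES256"},
}


def parse_bucket_rule(xml_text):
    """Return {'algorithm': str, 'kms_key_id': str | None} from the rule XML."""
    root = ET.fromstring(xml_text)
    default = root.find("ApplyServerSideEncryptionByDefault")
    if default is None:
        return {"algorithm": "None", "kms_key_id": None}
    # findtext returns "" for an empty element and None for a missing one.
    algorithm = (default.findtext("SSEAlgorithm") or "None").strip()
    key_node = default.find("KMSMasterKeyID")
    key_id = (key_node.text or "").strip() if key_node is not None else ""
    return {"algorithm": algorithm, "kms_key_id": key_id or None}


def audit_bucket_rule(rule):
    """Return findings about the bucket-level default (empty list = clean)."""
    findings = []
    if rule["algorithm"] not in SUPPORTED_ALGORITHMS:
        findings.append("bucket default: server-side encryption is not enabled")
        return findings
    if rule["algorithm"] == "KMS" and rule["kms_key_id"] is None:
        findings.append(
            f"bucket default: KMS with the shared default CMK ({DEFAULT_CMK_ALIAS}); "
            "a bucket-specific CMK ID lets decryption permissions be granted per key"
        )
    return findings


def audit_objects(headers_by_key, expected_algorithm):
    """Return (unencrypted_keys, mismatched_keys), each sorted.

    An object with no x-oss-server-side-encryption header is stored in
    plaintext; one whose value differs from the bucket default was encrypted
    under an earlier setting or an explicit per-request header.
    """
    unencrypted, mismatched = [], []
    for key, headers in headers_by_key.items():
        normalized = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive
        algorithm = normalized.get("x-oss-server-side-encryption")
        if algorithm is None:
            unencrypted.append(key)
        elif algorithm != expected_algorithm:
            mismatched.append(key)
    return sorted(unencrypted), sorted(mismatched)


def run_audit(rule_xml, headers_by_key):
    """Combine the bucket-level and object-level checks into one report."""
    rule = parse_bucket_rule(rule_xml)
    findings = audit_bucket_rule(rule)
    unencrypted, mismatched = audit_objects(headers_by_key, rule["algorithm"])
    findings += [f"object {k}: not encrypted (predates the bucket default?)" for k in unencrypted]
    findings += [f"object {k}: encrypted with a method other than {rule['algorithm']}" for k in mismatched]
    return findings


if __name__ == "__main__":
    for line in run_audit(SAMPLE_BUCKET_RULE_XML, SAMPLE_OBJECT_HEADERS):
        print(line)
```

In a real audit, the rule XML would come from a GetBucketEncryption call and the header dictionaries from a HEAD request per object (or from an SDK's head_object result); the logic above stays the same. On the constructed sample it reports three findings: the default CMK in use, the plaintext legacy object, and the AES256 object that does not match the KMS default.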