Alibaba Cloud OSS performs server-side encryption on data stored in buckets to secure
data.
Background information
When you upload data, OSS encrypts the data before storing it. When you download data,
OSS decrypts the data and returns the original data. The returned HTTP request header
declares that the data is encrypted on the server.
You can enable server-side encryption in the OSS console with either one of the following
methods:
Method 1: Enable server-side encryption when creating a bucket
- Log on to the OSS console.
- On the Overview page of the OSS console, click Create Bucket.
- In the Create Bucket dialog box that appears, set corresponding parameters.
Set
Server-side Encryption to one of the following options. For the settings of other parameters, see
Create a bucket.
- None: Server-side encryption is disabled.
- AES256: Objects are encrypted by using AES-256. OSS server-side encryption uses AES-256
to encrypt objects with different data keys. AES-256 uses master keys that are regularly
rotated to encrypt data keys.
- KMS: You can use a specified CMK ID or the default CMK stored in KMS to encrypt or decrypt
data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS.
- alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the
objects when they are downloaded.
- CMK ID: The keys generated by a specified CMK are used to encrypt different objects and
the specified CMK ID is recorded in the metadata of the encrypted object. Objects
are decrypted when they are downloaded by users who have decryption permissions. Before
specifying a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console. This feature is in public preview. To obtain the related permissions, contact technical support personnel.
Notice
- Before using the KMS-based encryption, you must activate KMS.
- You are charged for calling API operations when you use CMKs to encrypt or decrypt
data.
- Click OK.
Method 2: Enable server-side encryption on the Basic Settings tab
- Log on to the OSS console.
- Click the target bucket and find the Server-side Encryption section.
- New console
- Click Buckets, and then click the name of the target bucket.
- Choose .
- Old console
- In the left-side navigation pane, click the name of the target bucket.
- Click the Basic Settings tab. Find the Server-side Encryption section.
- Click Configure.
- None: Server-side encryption is disabled.
- AES256: Objects are encrypted by using AES-256. OSS server-side encryption uses AES-256
to encrypt objects with different data keys. AES-256 uses master keys that are regularly
rotated to encrypt data keys.
- KMS: You can use a specified CMK ID or the default CMK stored in KMS to encrypt or decrypt
data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS.
- alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the
objects when they are downloaded.
- CMK ID: The keys generated by a specified CMK are used to encrypt different objects and
the specified CMK ID is recorded in the metadata of the encrypted object. Objects
are decrypted when they are downloaded by users who have decryption permissions. Before
specifying a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console. This feature is in public preview. To obtain the related permissions, contact technical support personnel.
Notice
- Before using the KMS-based encryption, you must activate KMS.
- You are charged for calling API operations when you use CMKs to encrypt or decrypt
data.
- Click Save.
Notice The configurations of the default encryption method for a bucket do not affect the
existing objects in the bucket.