Configure server-side encryption - Console User Guide| Alibaba Cloud Documentation Center

Object Storage Service (OSS) allows you to configure server-side encryption. When you upload an object to a bucket for which server-side encryption is enabled, OSS encrypts the object before the object is stored. When you download the encrypted object from OSS, OSS automatically decrypts the object and returns the decrypted object. A header is added in the response to indicate that the object is encrypted on the OSS server.

Background information

OSS provides the SSE-KMS and SSE-OSS methods for you to encrypt or decrypt data. The SSE-KMS method uses customer master keys (CMKs) stored in Key Management Service (KMS) to implement server-side encryption. SSE-OSS uses OSS-managed keys to implement server-side encryption. The following table describes the differences between the two methods and the scenarios of the two methods.


Encryption method	Description	Scenario	Billing
Server-side encryption by using SSE-KMS	You can use a default CMK or specify a CMK to encrypt or decrypt data. This method is cost-effective because you do not need to send user data to the KMS server over networks for encryption or decryption.	You can specify a customer-managed CMK to meet security and compliance requirements.	KMS charges you when you call API operations to encrypt or decrypt data by using CMKs stored in KMS.
Server-side encryption by using SSE-OSS	You can use SSE-OSS to encrypt each object. To improve security, OSS uses master keys that are rotated on a regular basis to encrypt data keys.	Only basic encryption capabilities are required. You do not need to manage keys on your own.	Free of charge

For more information about how the two encryption methods work and how you can implement the two encryption methods, see Server-side encryption.

You can enable server-side encryption in the OSS console by using one of the following methods:

Method 1: Enable server-side encryption when you create a bucket
Method 2: Enable server-side encryption for an existing bucket

Method 1: Enable server-side encryption when you create a bucket

Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
In the Create Bucket panel, configure the parameters.
Configure the following parameters in the Server-side Encryption section:
- Encryption Method: Select an encryption method for the bucket.
  - None: Server-side encryption is disabled.
  - OSS-Managed: Keys managed by OSS are used to encrypt objects in the bucket. OSS uses data keys to encrypt objects. In addition, OSS uses regularly rotated master keys to encrypt data keys.
  - KMS: The default CMK stored in KMS or the specified CMK ID is used to encrypt and decrypt data.
    Before you use SSE-KMS, you must activate KMS. For more information, see activate KMS.
- Encryption Algorithm:Only 256-bit Advanced Encryption Standard (AES-256) is supported.
- CMK: You can set this parameter if you select KMS in the Encryption Method section. You can configure the following parameters for a CMK:
  - alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the objects when they are downloaded.
  - CMK ID: The keys generated by a specified CMK are used to encrypt different objects, and the specified CMK ID is recorded in the metadata of the encrypted object. Objects are decrypted when they are downloaded by users who are granted decryption permissions. Before you specify a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console For more information, see Import key material.
For other parameters, see Create buckets.
Click OK.

Method 2: Enable server-side encryption for an existing bucket

Log on to the OSS console.
Click Buckets, and then click the name of the target bucket.
Choose Basic Settings > Server-side Encryption.
In the Server-side Encryption section, click Configure.
You can configure the following parameters to enable server-side encryption:
- Encryption Method: Select an encryption method for the bucket.
  - None: Server-side encryption is disabled.
  - OSS-Managed: Keys managed by OSS are used to encrypt objects in the bucket. OSS uses data keys to encrypt objects. In addition, OSS uses regularly rotated master keys to encrypt data keys.
  - KMS: The default CMK stored in KMS or the specified CMK ID is used to encrypt and decrypt data.
    Before you use SSE-KMS, you must activate KMS. For more information, see activate KMS.
- Encryption Algorithm:Only 256-bit Advanced Encryption Standard (AES-256) is supported.
- CMK: You can set this parameter if you select KMS in the Encryption Method section. You can configure the following parameters for a CMK:
  - alias/acs/oss: The default CMK stored in KMS is used to encrypt different objects and decrypt the objects when they are downloaded.
  - CMK ID: The keys generated by a specified CMK are used to encrypt different objects, and the specified CMK ID is recorded in the metadata of the encrypted object. Objects are decrypted when they are downloaded by users who are granted decryption permissions. Before you specify a CMK ID, you must create a normal key or an external key in the same region as the bucket in the KMS console For more information, see Import key material.
Click Save.

Notice The configurations of the default encryption method for a bucket do not affect the encryption configurations of existing objects within the bucket.