OSS supports server-side encryption. When you upload an object to a bucket for which server-side encryption is enabled, OSS encrypts the object before it is written to storage and keeps only the ciphertext. When you download the object, OSS decrypts it and returns the plaintext, so clients need no changes. The x-oss-server-side-encryption header is returned in the response to indicate that the object is encrypted on the OSS server. Server-side encryption protects data at rest only: any request that is authorized to read the object receives plaintext, so it complements, and does not replace, access control on the bucket.

Background information

OSS supports the following encryption methods:
  • Server-side encryption by using KMS (SSE-KMS)
    OSS uses the default Customer Master Key (CMK) managed by KMS (alias/acs/oss) or a CMK that you specify. Objects are not encrypted with the CMK directly: OSS obtains a data key from KMS for each object, encrypts the object with that data key, and stores the data key encrypted under the CMK (envelope encryption), so the CMK itself never leaves KMS. KMS manages the CMK to ensure its confidentiality, integrity, and availability at minimal cost.
    Notice You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
  • Server-side encryption by using OSS-managed keys (SSE-OSS)

    OSS generates a data key for each object and encrypts the object with it. OSS manages these data keys itself and encrypts them with master keys that are rotated regularly.

For more information about server-side encryption, see Server-side encryption. You can enable server-side encryption in the OSS console by using one of the following methods:

Method 1: Enable server-side encryption when you create a bucket

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
  3. In the Create Bucket panel, configure the parameters.
    Configure the following parameters in the Server-side Encryption field.
    • Encryption Method: Select an encryption method for the object.
      • None: disables server-side encryption.
      • OSS-Managed: uses keys managed by OSS for encryption. OSS uses data keys to encrypt objects and manages the data keys. In addition, OSS uses master keys that are regularly rotated to encrypt data keys.
      • KMS: uses the default CMK stored in KMS or a specified CMK ID to encrypt and decrypt data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS (SSE-KMS).
        Notice
        • Before you use the KMS-based encryption, you must activate KMS.
        • You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
    • Encryption Algorithm: Only AES-256 is supported.
    • CMK: You can configure this parameter only if you select KMS as the Encryption Method. The following values are available:
      • alias/acs/oss: The default CMK stored in KMS is used to encrypt objects and to decrypt them when they are downloaded.
      • CMK ID: Data keys generated from the CMK that you specify are used to encrypt objects, and the CMK ID is recorded in the metadata of each encrypted object. An object can be decrypted on download only by a requester who is granted permission to use that CMK for decryption, so access to the data can be revoked by revoking access to the CMK. Before you specify a CMK ID, you must create a normal key or an external key in the KMS console in the same region as the bucket; a CMK from another region cannot be used.

    For other parameters, see Create buckets.

  4. Click OK.

Method 2: Enable server-side encryption for an existing bucket

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket that you want to configure.
  3. Choose Basic Settings > Server-side Encryption.
  4. Click Configure.
    You can configure the following parameters to enable server-side encryption:
    • Encryption Method: Select an encryption method for the object.
      • None: disables server-side encryption.
      • OSS-Managed: uses keys managed by OSS for encryption. OSS uses data keys to encrypt objects and manages the data keys. In addition, OSS uses master keys that are regularly rotated to encrypt data keys.
      • KMS: uses the default CMK stored in KMS or a specified CMK ID to encrypt and decrypt data. For more information about KMS-based encryption, see Implement server-side encryption with CMKs stored in KMS (SSE-KMS).
        Notice
        • Before you use the KMS-based encryption, you must activate KMS.
        • You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
    • Encryption Algorithm: Only AES-256 is supported.
    • CMK: You can configure this parameter only if you select KMS as the Encryption Method. The following values are available:
      • alias/acs/oss: The default CMK stored in KMS is used to encrypt objects and to decrypt them when they are downloaded.
      • CMK ID: Data keys generated from the CMK that you specify are used to encrypt objects, and the CMK ID is recorded in the metadata of each encrypted object. An object can be decrypted on download only by a requester who is granted permission to use that CMK for decryption, so access to the data can be revoked by revoking access to the CMK. Before you specify a CMK ID, you must create a normal key or an external key in the KMS console in the same region as the bucket; a CMK from another region cannot be used.
  5. Click Save.
    Notice The default encryption configuration of a bucket applies only to objects that are uploaded after the configuration takes effect, and only to upload requests that do not carry their own x-oss-server-side-encryption header; a header in the request overrides the bucket default. Objects that already exist in the bucket are not encrypted retroactively. To encrypt them, upload them again or copy them in place so that a new, encrypted copy is written, and verify the result by checking the x-oss-server-side-encryption header returned for each object.
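Because a bucket default is not retroactive, the only reliable way to know which objects are actually encrypted, and with which key, is to inspect each object. The following Python script is an added example and is not part of the original page or of the OSS product code: it classifies objects from the x-oss-server-side-encryption and x-oss-server-side-encryption-key-id response headers, lists the objects that do not meet a required method and CMK, and builds the request headers that force encryption on a re-upload or in-place copy. The sample HEAD results and the CMK ID are constructed placeholders, not real responses or keys; the head_results_from_bucket helper assumes the OSS Python SDK (oss2) and live credentials and is the only part that needs network access.

```python
"""Audit OSS objects for server-side encryption from HEAD/GET response headers.

OSS reports the encryption state of an object in two response headers:
  x-oss-server-side-encryption         "AES256" (SSE-OSS) or "KMS" (SSE-KMS)
  x-oss-server-side-encryption-key-id  CMK ID recorded when a specific CMK was used
The same two names are request headers on PutObject/CopyObject, where they
override the bucket default.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

SSE_HEADER = "x-oss-server-side-encryption"
SSE_KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"
SSE_OSS = "AES256"
SSE_KMS = "KMS"


@dataclass(frozen=True)
class SseStatus:
    method: Optional[str]   # "AES256", "KMS", or None if the object is stored in plaintext
    cmk_id: Optional[str]   # CMK ID from the object metadata; None for SSE-OSS or the default CMK

    @property
    def encrypted(self) -> bool:
        return self.method is not None


def classify(headers: Mapping[str, str]) -> SseStatus:
    """Derive the SSE state of one object from its HEAD/GET response headers."""
    # HTTP header names are case-insensitive; SDKs hand them back in assorted cases.
    lower = {k.lower(): v for k, v in headers.items()}
    method = lower.get(SSE_HEADER)
    if method is None:
        return SseStatus(None, None)
    return SseStatus(method.upper(), lower.get(SSE_KEY_ID_HEADER))


def complies(status: SseStatus, required_method: str,
             required_cmk_id: Optional[str] = None) -> bool:
    """True if the object uses the required method and, for SSE-KMS, the required CMK.

    required_cmk_id=None together with SSE_KMS accepts any CMK, including alias/acs/oss.
    """
    if status.method != required_method:
        return False
    if required_method == SSE_KMS and required_cmk_id is not None:
        return status.cmk_id == required_cmk_id
    return True


def audit_objects(head_results: Iterable[Tuple[str, Mapping[str, str]]],
                  required_method: str,
                  required_cmk_id: Optional[str] = None) -> List[str]:
    """Return the keys of objects that do not meet the policy.

    head_results yields (object key, response headers) pairs, for example
    bucket.head_object(key).headers from the OSS Python SDK (oss2).
    """
    return [key for key, headers in head_results
            if not complies(classify(headers), required_method, required_cmk_id)]


def sse_request_headers(method: str, cmk_id: Optional[str] = None) -> Dict[str, str]:
    """Headers for PutObject/CopyObject that request encryption regardless of the bucket default."""
    if method not in (SSE_OSS, SSE_KMS):
        raise ValueError(f"unsupported method {method!r}")
    if cmk_id is not None and method != SSE_KMS:
        raise ValueError("a CMK ID only applies to SSE-KMS")
    headers = {SSE_HEADER: method}
    if cmk_id is not None:
        headers[SSE_KEY_ID_HEADER] = cmk_id
    return headers


def head_results_from_bucket(bucket):
    """Live inventory through the OSS Python SDK (oss2); needs credentials and network.

    bucket is an oss2.Bucket built from oss2.Auth(access_key_id, access_key_secret).
    """
    import oss2  # imported here so the offline part of this file runs without the SDK
    for obj in oss2.ObjectIterator(bucket):
        yield obj.key, bucket.head_object(obj.key).headers


# Constructed sample inventory (not real responses): a bucket whose default was switched
# to SSE-KMS with a specific CMK after some objects had already been uploaded.
SAMPLE_CMK_ID = "11111111-2222-3333-4444-555555555555"  # placeholder CMK ID, not a real key
SAMPLE_HEAD_RESULTS = [
    ("logs/2019-01.gz", {"Content-Length": "1024"}),                               # uploaded before any SSE
    ("logs/2019-06.gz", {"x-oss-server-side-encryption": "AES256"}),               # earlier SSE-OSS default
    ("logs/2020-01.gz", {"x-oss-server-side-encryption": "KMS"}),                  # default CMK alias/acs/oss
    ("logs/2020-02.gz", {"X-Oss-Server-Side-Encryption": "KMS",
                         "X-Oss-Server-Side-Encryption-Key-Id": SAMPLE_CMK_ID}),   # meets the policy
]


if __name__ == "__main__":
    for key in audit_objects(SAMPLE_HEAD_RESULTS, SSE_KMS, SAMPLE_CMK_ID):
        fix = sse_request_headers(SSE_KMS, SAMPLE_CMK_ID)
        print(f"{key}: re-upload or copy in place with headers {fix}")
```

Run against a real bucket by passing head_results_from_bucket(bucket) to audit_objects; the HEAD-per-object approach is deliberate, since GetBucketEncryption only tells you the current default, not what any stored object was encrypted with.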