OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS decrypts the data and returns the original data. An HTTP header in the response declares that the data has been encrypted on the server.

OSS provides two methods of server-side encryption:
  • Server-side encryption with CMKs stored in KMS (SSE-KMS)
    When you upload objects to OSS, you can use a specified CMK ID or a CMK stored in KMS to encrypt data. This method is cost-effective because you do not need to send user data to the KMS server over the network for encryption and decryption.
    Notice: You are charged for making API calls when you use CMKs to encrypt or decrypt data.
  • Server-side encryption with OSS-managed keys (SSE-OSS)
    When you upload objects to OSS, the OSS server uses fully managed 256-bit AES keys to encrypt data. Each object is encrypted with a unique data key. The data key is further encrypted using a master key that is rotated on a regular basis to ensure the security of the data.

Notice
  • Only one server-side encryption method can be used for an object at a time.
  • If you configure server-side encryption for a bucket, you can still configure an encryption method for individual objects in the bucket when uploading or copying objects. In this case, the encryption method configured for the object takes precedence. For more information, see PutObject.
  • For more information about server-side encryption, see Server-side encryption.
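
Because an object-level setting takes precedence over the bucket default, a bucket-level check alone does not show how a given object is stored; the response headers for that object do. The following added example (not part of the OSS SDK or the original page) audits a raw response header block against an expected method and CMK, using the OSS headers x-oss-server-side-encryption and x-oss-server-side-encryption-key-id. The names auditSse, headerValue and SseState and the sample headers are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

enum class SseState { NotEncrypted, Compliant, WrongMethod, WrongKey };

// Constructed sample response headers (not captured from a real bucket).
const std::string kSampleKms =
    "HTTP/1.1 200 OK\r\n"
    "X-Oss-Server-Side-Encryption: KMS\r\n"
    "x-oss-server-side-encryption-key-id: example-cmk-id\r\n";

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) -> char {
        return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    auto b = s.find_first_not_of(ws);
    if (b == std::string::npos) return std::string();
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Return the value of a header (names are case-insensitive), or "" if absent.
std::string headerValue(const std::string& raw, const std::string& name) {
    std::istringstream in(raw);
    std::string line;
    while (std::getline(in, line)) {
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;  // status line or blank line
        if (lower(trim(line.substr(0, colon))) == lower(name))
            return trim(line.substr(colon + 1));
    }
    return "";
}

// expectedMethod is "KMS" or "AES256"; an empty expectedKeyId accepts any CMK.
SseState auditSse(const std::string& raw, const std::string& expectedMethod,
                  const std::string& expectedKeyId = "") {
    std::string method = headerValue(raw, "x-oss-server-side-encryption");
    if (method.empty()) return SseState::NotEncrypted;
    if (method != expectedMethod) return SseState::WrongMethod;
    if (method == "KMS" && !expectedKeyId.empty() &&
        headerValue(raw, "x-oss-server-side-encryption-key-id") != expectedKeyId)
        return SseState::WrongKey;
    return SseState::Compliant;
}
```

A missing header is reported as NotEncrypted rather than treated as compliant, so objects uploaded before the bucket default was configured are flagged.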

Configure server-side encryption for a bucket

You can use the following code to configure the default encryption method for a bucket. The bucket's encryption method applies to all uploaded objects that do not have their own encryption method configured.

#include <iostream>
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    /*Initialize the OSS account information.*/
    std::string AccessKeyId = "yourAccessKeyId";
    std::string AccessKeySecret = "yourAccessKeySecret";
    std::string Endpoint = "yourEndpoint";
    std::string BucketName = "yourBucketName";

    /*Initialize network resources.*/
    InitializeSdk();

    ClientConfiguration conf;
    OssClient client(Endpoint, AccessKeyId, AccessKeySecret, conf);

    /*Configure KMS-based server-side encryption for a bucket.*/
    SetBucketEncryptionRequest setrequest(BucketName);
    setrequest.setSSEAlgorithm(SSEAlgorithm::KMS);
    auto outcome = client.SetBucketEncryption(setrequest);

    if (! outcome.isSuccess()) {
        /* Handle exceptions. */
        std::cout << "SetBucketEncryption fail" <<
        ",code:" << outcome.error().Code() <<
        ",message:" << outcome.error().Message() <<
        ",requestId:" << outcome.error().RequestId() << std::endl;
        ShutdownSdk();
        return -1;
    }

    /*Release network resources.*/
    ShutdownSdk();
    return 0;
}

Obtain the encryption configurations of a bucket

Use the following code to obtain the encryption configurations of a bucket:

#include <iostream>
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    /*Initialize the OSS account information.*/
    std::string AccessKeyId = "yourAccessKeyId";
    std::string AccessKeySecret = "yourAccessKeySecret";
    std::string Endpoint = "yourEndpoint";
    std::string BucketName = "yourBucketName";

    /*Initialize network resources.*/
    InitializeSdk();

    ClientConfiguration conf;
    OssClient client(Endpoint, AccessKeyId, AccessKeySecret, conf);

    /*Obtain the server-side encryption configurations of a bucket.*/
    GetBucketEncryptionRequest request(BucketName);
    auto outcome = client.GetBucketEncryption(request);

    if (! outcome.isSuccess()) {
        /* Handle exceptions. */
        std::cout << "GetBucketEncryption fail" <<
        ",code:" << outcome.error().Code() <<
        ",message:" << outcome.error().Message() <<
        ",requestId:" << outcome.error().RequestId() << std::endl;
        ShutdownSdk();
        return -1;
    }

    /*Release network resources.*/
    ShutdownSdk();
    return 0;
}

Delete the encryption configurations for a bucket

Use the following code to delete the encryption configurations for a bucket:

#include <iostream>
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    /*Initialize the OSS account information.*/
    std::string AccessKeyId = "yourAccessKeyId";
    std::string AccessKeySecret = "yourAccessKeySecret";
    std::string Endpoint = "yourEndpoint";
    std::string BucketName = "yourBucketName";

    /*Initialize network resources.*/
    InitializeSdk();

    ClientConfiguration conf;
    OssClient client(Endpoint, AccessKeyId, AccessKeySecret, conf);

    /*Delete the server-side encryption configurations for a bucket.*/
    DeleteBucketEncryptionRequest request(BucketName);
    auto outcome = client.DeleteBucketEncryption(request);

    if (! outcome.isSuccess()) {
        /* Handle exceptions. */
        std::cout << "DeleteBucketEncryption fail" <<
        ",code:" << outcome.error().Code() <<
        ",message:" << outcome.error().Message() <<
        ",requestId:" << outcome.error().RequestId() << std::endl;
        ShutdownSdk();
        return -1;
    }

    /*Release network resources.*/
    ShutdownSdk();
    return 0;
}