OSS supports server-side encryption for uploaded data. When user data is uploaded, OSS encrypts the data before it is stored. When the data is downloaded, OSS automatically decrypts it, returns the original data to the user, and declares in the response headers that the data was encrypted on the server.

The following server-side encryption methods are available for different application scenarios:
  • Server-side encryption that uses CMKs managed by KMS for encryption and decryption (SSE-KMS)
    When uploading an object, you can use a specified CMK ID or the default CMK managed by KMS to encrypt and decrypt a large amount of data. This method is cost-effective because user data does not need to be sent to the KMS server over the network for encryption and decryption.
    Notice: API calling fees are incurred if you use CMKs to encrypt or decrypt data.
  • Server-side encryption fully managed by OSS (SSE-OSS)

    When you upload an object, OSS encrypts the object on the server side by using AES256 fully managed by OSS. In this method, OSS encrypts each object with an individual AES256 key. The individual keys are in turn encrypted by a CMK that is rotated periodically for higher security. This method is suitable for encrypting and decrypting bulk data.

Notice
  • Only one server-side encryption method can be used for an object at one time.
  • If you configure server-side encryption for a bucket, you can still configure the encryption method for a single object when uploading or copying it. In this case, the encryption method configured for the object takes precedence. For more information, see PutObject.
  • For more information about server-side encryption, see Server-side encryption.

Configure server-side encryption for buckets

You can run the following code to configure the default encryption method for a bucket. After the method is configured, all objects that are uploaded to the bucket without their encryption methods configured are encrypted in the configured default encryption method.

const OSS = require("ali-oss");

const client = new OSS({
  region: "<yourRegion>",
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create your RAM user, log on to https://ram.console.aliyun.com.
  accessKeyId: "<yourAccessKeyId>",
  accessKeySecret: "<yourAccessKeySecret>",
  bucket: "<yourBucketName>"
});

async function putBucketEncryption() {
  try {
    // Configure the default encryption method for the bucket.
    let result = await client.putBucketEncryption("<yourBucketName>", {
      SSEAlgorithm: "AES256", // The AES-256 encryption method is configured here as an example. To use KMS for encryption, set SSEAlgorithm to "KMS" and configure KMSMasterKeyID.
      // KMSMasterKeyID: "<yourKMSMasterKeyId>". Configure the CMK ID when SSEAlgorithm is set to KMS and a specified CMK is used for encryption. In other cases, this parameter must be set to null.
    });
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

putBucketEncryption();

For more information about how to configure server-side encryption for a bucket, see PutBucketEncryption.

Query the server-side encryption configurations of buckets

You can run the following code to query the server-side encryption configurations of a bucket:

const OSS = require("ali-oss");

const client = new OSS({
  region: "<yourRegion>",
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create your RAM user, log on to https://ram.console.aliyun.com.
  accessKeyId: "<yourAccessKeyId>",
  accessKeySecret: "<yourAccessKeySecret>",
  bucket: "<yourBucketName>"
});

async function getBucketEncryption() {
  try {
    // Query the default encryption configuration of the bucket.
    let result = await client.getBucketEncryption("<yourBucketName>");
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

getBucketEncryption();

For more information about how to query the server-side encryption configurations of a bucket, see GetBucketEncryption.
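The following is an added example, not code from the ali-oss SDK or the Alibaba Cloud documentation. It builds the rule object that the putBucketEncryption() call above takes, enforcing the constraint that KMSMasterKeyID is set only when SSEAlgorithm is KMS, and audits a getBucketEncryption() result against a required policy so that a bucket silently left on the default CMK, or left unencrypted, is reported. It assumes the rule shape { SSEAlgorithm, KMSMasterKeyID } shown on this page and that getBucketEncryption() returns that rule under result.encryption; the sample results and the CMK ID are constructed placeholders.

```javascript
const SSE_OSS = "AES256";
const SSE_KMS = "KMS";

// Build the rule passed to client.putBucketEncryption(bucket, rule).
// KMSMasterKeyID may only be set together with SSEAlgorithm "KMS";
// for "AES256" it must be null.
function buildEncryptionRule(algorithm, kmsMasterKeyId = null) {
  if (algorithm !== SSE_OSS && algorithm !== SSE_KMS) {
    throw new Error(`unsupported SSEAlgorithm: ${algorithm}`);
  }
  if (algorithm === SSE_OSS && kmsMasterKeyId) {
    throw new Error("KMSMasterKeyID must be null unless SSEAlgorithm is KMS");
  }
  return {
    SSEAlgorithm: algorithm,
    KMSMasterKeyID: algorithm === SSE_KMS ? kmsMasterKeyId : null
  };
}

// Audit a getBucketEncryption() result (shape assumed: result.encryption holds
// the rule, empty when no default encryption is configured) against a policy
// { algorithm, kmsMasterKeyId? }. Returns a list of findings; empty means compliant.
function auditBucketEncryption(result, policy) {
  const findings = [];
  const rule = result && result.encryption;
  if (!rule || !rule.SSEAlgorithm) {
    findings.push("no default encryption configured");
    return findings;
  }
  if (rule.SSEAlgorithm !== policy.algorithm) {
    findings.push(`SSEAlgorithm is ${rule.SSEAlgorithm}, expected ${policy.algorithm}`);
  }
  // When the policy pins a CMK, the default CMK (no KMSMasterKeyID) is a finding too.
  if (policy.algorithm === SSE_KMS && policy.kmsMasterKeyId &&
      rule.KMSMasterKeyID !== policy.kmsMasterKeyId) {
    findings.push(`KMSMasterKeyID is ${rule.KMSMasterKeyID || "(default CMK)"}, expected ${policy.kmsMasterKeyId}`);
  }
  return findings;
}

// Constructed sample results, in the shape assumed above.
const SAMPLE_UNENCRYPTED = { encryption: "" };
const SAMPLE_OSS = { encryption: { SSEAlgorithm: "AES256" } };
const SAMPLE_KMS_DEFAULT = { encryption: { SSEAlgorithm: "KMS" } };
const PLACEHOLDER_CMK = "placeholder-cmk-id"; // constructed, not a real CMK ID

console.log(buildEncryptionRule(SSE_KMS, PLACEHOLDER_CMK));
console.log(auditBucketEncryption(SAMPLE_KMS_DEFAULT, { algorithm: SSE_KMS, kmsMasterKeyId: PLACEHOLDER_CMK }));
```

Pass the object returned by buildEncryptionRule() as the second argument of client.putBucketEncryption(), and the object returned by client.getBucketEncryption() as the first argument of auditBucketEncryption().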

Delete the server-side encryption configurations of a bucket

You can run the following code to delete the server-side encryption settings of a bucket:

const OSS = require("ali-oss");

const client = new OSS({
  region: "<yourRegion>",
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create your RAM user, log on to https://ram.console.aliyun.com.
  accessKeyId: "<yourAccessKeyId>",
  accessKeySecret: "<yourAccessKeySecret>",
  bucket: "<yourBucketName>"
});

async function deleteBucketEncryption() {
  try {
    // Delete the server-side encryption configurations of the bucket.
    let result = await client.deleteBucketEncryption("<yourBucketName>");
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

deleteBucketEncryption();

For more information about how to delete the server-side encryption configurations of a bucket, see DeleteBucketEncryption.