OSS provides server-side encryption, client-side encryption, and encrypted transmission based on SSL or TLS to protect data from potential security risks on the cloud.

Server-side encryption

OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS decrypts the data and returns the original data. A header is added to the response to declare that the data is encrypted on the server.

OSS uses server-side encryption to protect static data. This method is suitable for scenarios where high security or strong compliance is required for object storage. Examples include the storage of deep learning samples and online collaborative documents. You can choose either of the following methods to implement server-side encryption depending on how you choose to manage the encryption keys:
  • Server-side encryption that uses CMKs stored in KMS (SSE-KMS)

    When you upload an object, you can use a specified CMK ID or the default CMK stored in KMS to encrypt and decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server through networks for encryption and decryption.

    KMS is a secure and easy-to-use management service provided by Alibaba Cloud. KMS ensures the privacy, integrity, and availability of your keys at minimal cost and allows you to securely and conveniently use keys. You can develop encryption and decryption solutions that best suit your needs. You can view and manage your keys in the KMS console.

    KMS encrypts data based on AES-256 and stores and manages CMKs used to encrypt data keys. KMS also generates data keys that can be used to encrypt and decrypt large amounts of data. Envelope encryption provided by KMS can protect your data and corresponding data keys from unauthorized access. You can use the default CMK stored in KMS or generate a CMK by using your BYOK materials or BYOK materials provided by Alibaba Cloud.

  • Server-side encryption that uses OSS-managed keys (SSE-OSS)

    This encryption method is an attribute of objects. OSS server-side encryption uses AES-256 to encrypt objects with different data keys. CMKs used to encrypt data keys are rotated regularly. This method is suitable to encrypt and decrypt multiple objects at a time.

    In this method, data keys are generated and managed by OSS. To perform server-side encryption on an object, you can set the default server-side encryption method of the bucket to KMS without specifying a CMK ID. When sending a request to upload an object or modify the metadata of an object, you can include the x-oss-server-side-encryption field in the request and set its value to AES256.

For more information, see Server-side encryption.

Client-side encryption

Client-side encryption is performed to encrypt objects on the local client before they are uploaded to OSS. When you use client-side encryption, you must ensure the integrity and validity of the CMK. When you copy or migrate encrypted data, you must ensure the integrity and validity of the object metadata related to client-side encryption.

In client-side encryption, a random data key is generated for each object to perform symmetric encryption on the object. The client uses a CMK to encrypt the random data key. The encrypted data key is uploaded as a part of the object metadata and stored in the OSS server. When an encrypted object is downloaded, the client uses the CMK to decrypt the random data key and then uses the data key to decrypt the object. The CMK is used only on the client and is not transmitted over the network or stored in the server, which ensures data security.

You can use CMKs managed in one of the following ways:
  • Use KMS-managed CMKs

    If you use KMS-managed CMKs for client-side encryption, you need only to specify the CMK ID when uploading objects instead of providing the client with a data key.

  • Use customer-managed CMKs

    To use this method for client-side encryption, you must generate and manage CMKs by yourself. When you implement client-side encryption on an object to upload, you must upload a symmetric or asymmetric CMK to the client.

For more information, see Client-side encryption.

Encrypted transmission based on SSL or TLS

OSS supports access through HTTP and HTTPS. You can configure a bucket policy to allow only access through HTTPS (TLS) for better security in data transmission. Transport Layer Security (TLS) is a cryptographic protocol that provides end-to-end communications security over networks. For more information, see Use bucket policies to authorize other users to access OSS resources.