OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS automatically decrypts the data and returns the original data to the user. The returned HTTP request header declares that the data has been encrypted on the server.

Notice Server-side encryption cannot automatically encrypt data retrieved by the mirroring-based back-to-origin feature.

Scenarios

OSS protects data at rest through server-side encryption. This method is suited for scenarios that require additional security or compliance for object storage, such as storing deep learning samples or online collaborative documents. You can choose either of the following methods, depending on how you want the encryption keys to be managed:

  • Implement server-side encryption with CMKs stored in KMS (SSE-KMS)
    When uploading an object, you can use a specified CMK ID or the default CMK stored in KMS to encrypt and decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server through networks for encryption and decryption.
    Notice You will be charged for making API calls when you use CMKs to encrypt or decrypt data.
  • Implement server-side encryption with OSS-managed keys (SSE-OSS)

    This encryption method is an attribute of objects. In this method, OSS server-side encryption uses AES-256 to encrypt objects with different data keys. Master keys used to encrypt data keys are rotated regularly. This method is suited to encrypt and decrypt multiple objects at a time.

Notice Only one server-side encryption method can be used for an object at a time.

Implementation modes

Implementation mode            Description
Console                        A user-friendly and intuitive Web application
ossutil                        A high-performance command-line tool
Java SDK / Python SDK / Go SDK SDK demos for various programming languages

Principles

  • Server-side encryption through CMKs stored in KMS

    KMS is a secure and easy-to-use management service provided by Alibaba Cloud. KMS ensures the privacy, integrity, and availability of your keys at minimal cost and allows you to securely and conveniently use keys. You can develop encryption and decryption solutions that best suit your needs. You can view and manage keys in the KMS console.

    KMS encrypts data based on AES-256 and stores and manages CMKs used to encrypt data keys. KMS also generates data keys that can be used to encrypt and decrypt large amounts of data. Envelope encryption provided by KMS can protect your data and corresponding data keys from unauthorized access.

    The following figure shows the logic of SSE-KMS.
    You can use the following methods to generate a CMK:
    • Use CMKs stored in KMS

      You can set the default server-side encryption method of the bucket to KMS without specifying a CMK ID. When sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to KMS without specifying a CMK ID. In this method, OSS generates different keys to encrypt different objects by using the default CMK stored in KMS, and automatically decrypts the object when it is downloaded.

    • Use BYOK to implement CMKs

      Server-side encryption supports Bring Your Own Key (BYOK). You can set the default server-side encryption method of the bucket to KMS without specifying a CMK ID. When sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to KMS, and set X-OSS-server-side-encryption-key-id to a CMK ID. OSS uses the specified CMK to generate different keys to encrypt different objects, and records the CMK ID of the encrypted object to the metadata of the object. When a user who has decryption permissions downloads the object, OSS automatically decrypts the object.

      You can import your BYOK material into KMS as the CMK as follows:
      • BYOK material provided by Alibaba Cloud: When creating a key on KMS, you can select Alibaba Cloud KMS as the source of the key material.
      • BYOK material provided by the user: When creating a key on KMS, you can select External as the source of the key material and import your own key material. For more information about how to import key material, see Import key materials.
      Notice
      • This feature is in public preview. To obtain the related permissions, contact technical support personnel.
      • Objects encrypted using BYOK cannot be copied to buckets in other regions.
      • If you use a CMK to encrypt an object, the data key used for encryption is also encrypted and is stored as the object metadata.
      • Server-side encryption that uses the default CMK stored in KMS only encrypts the data in the object. The metadata of the object is not encrypted.
      • To use a RAM user account to encrypt objects through a specified CMK, you must grant the relevant permissions to the RAM user account. For more information, see Use RAM to authorize KMS resources.
  • Server-side encryption through OSS-managed keys

    In this method, OSS generates and manages the keys used for data encryption, and provides strong and multi-factor security measures to protect data. OSS server-side encryption uses AES-256, one of the strongest block ciphers available, to encrypt your data.

    This encryption method is an attribute of objects. To perform server-side encryption on an object, you can set the default server-side encryption method of the bucket to AES256. Alternatively, when sending a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to AES256.

Permissions

To use server-side encryption with a RAM user account, you must have the following permissions:
  • To configure the default encryption method for a bucket, you must have:
    • The management permission on the bucket.
    • The permission to perform the PutBucketEncryption and GetBucketEncryption operations.
    • The permission to perform the ListKeys, ListAliases, ListAliasesByKeyId, and DescribeKey operations when you use a specified CMK ID to encrypt data. The RAM policy that specifies the permissions associated with CMK IDs is as follows:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      This example allows the user to use all CMKs under the account. To restrict the user to a single CMK, replace the trailing * in the Resource value with the CMK ID.
  • To upload an object to a bucket with the default encryption method configured, you must have:
    • The permission to upload objects to the bucket.
    • The permission to perform the ListKeys, ListAliases, ListAliasesByKeyId, DescribeKey, and GenerateDataKey operations when you use a specified CMK ID to encrypt data. Otherwise, the upload fails. The RAM policy that specifies the permissions associated with CMK IDs is as follows:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey",
              "kms:GenerateDataKey"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      This example allows the user to use all CMKs under the account. To restrict the user to a single CMK, replace the trailing * in the Resource value with the CMK ID.
  • To download an object from a bucket with the default encryption method configured, you must have:
    • The permission to access objects in the bucket.
    • The permission to perform the Decrypt operation when you use a specified CMK ID to decrypt data. Otherwise, the download fails. The RAM policy that specifies the permissions associated with CMK IDs is as follows:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      This example grants the RAM user permission to decrypt data by using all CMKs under the account. To allow decryption with a single CMK only, replace the trailing * in the Resource value with the CMK ID.
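Before relying on a RAM user for SSE-KMS uploads or downloads, it is worth checking the user's policy against the KMS actions listed above. The following Python is an added example, not code from the OSS documentation or SDKs: it evaluates a RAM policy for one of the three operations and flags Resource entries that grant every CMK rather than the intended one. It assumes the KMS CMK ARN form acs:kms:<region>:<account-id>:key/<cmk-id> and RAM-style "*" wildcards; the sample ARN's region and key ID are placeholders, and the account ID is the one quoted on this page.

```python
import fnmatch
import json

# KMS actions a RAM user needs for each SSE-KMS operation, as listed in the Permissions section above.
REQUIRED_KMS_ACTIONS = {
    "configure_bucket": {"kms:ListKeys", "kms:ListAliases", "kms:ListAliasesByKeyId", "kms:DescribeKey"},
    "upload": {"kms:ListKeys", "kms:ListAliases", "kms:ListAliasesByKeyId",
               "kms:DescribeKey", "kms:GenerateDataKey"},
    "download": {"kms:Decrypt"},
}

# The upload policy quoted on this page, minus the inline comment so that it is valid JSON.
UPLOAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey"],
                   "Resource": ["acs:kms:*:1416614965936597:*"]}],
})

# Constructed CMK ARN (assumed form acs:kms:<region>:<account-id>:key/<cmk-id>); region and key ID are placeholders.
SAMPLE_CMK_ARN = "acs:kms:cn-hangzhou:1416614965936597:key/00000000-placeholder-cmk-id"


def _match(pattern: str, value: str) -> bool:
    """RAM-style wildcard match: '*' matches any run of characters; names are compared case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _covers(stmt: dict, action: str, resource: str) -> bool:
    return (any(_match(a, action) for a in _as_list(stmt.get("Action")))
            and any(_match(r, resource) for r in _as_list(stmt.get("Resource"))))


def check_sse_kms_policy(policy_json: str, operation: str, cmk_arn: str) -> dict:
    """Report required KMS actions the policy does not grant on cmk_arn (an explicit Deny wins over Allow)
    and Allow resources that cover every CMK instead of this one."""
    statements = json.loads(policy_json)["Statement"]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    missing = sorted(a for a in REQUIRED_KMS_ACTIONS[operation]
                     if not any(_covers(s, a, cmk_arn) for s in allows)
                     or any(_covers(s, a, cmk_arn) for s in denies))
    # A Resource whose final segment is a bare '*' matches all CMKs, not just the one you meant to allow.
    overbroad = sorted({r for s in allows for r in _as_list(s.get("Resource"))
                        if _match(r, cmk_arn) and r.rsplit(":", 1)[-1] == "*"})
    return {"ok": not missing, "missing": missing, "overbroad_resources": overbroad}
```

Run against the page's upload policy, the check passes for "upload" but reports the account-wide Resource as over-broad, and fails for "download" because kms:Decrypt is not granted.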