Object Storage Service (OSS) supports server-side encryption. When you upload objects, OSS encrypts the data before storing it. When you download objects, OSS decrypts the data and returns the original data. The HTTP headers returned with the object indicate that the data was encrypted on the server side.
Encryption methods
OSS protects data at rest by using server-side encryption. You can use this method in scenarios that require additional security or compliance, such as the storage of deep learning samples and online collaborative documents.
- Server-side encryption by using Key Management Service (SSE-KMS)
You can use a default customer master key (CMK) or specify a CMK to encrypt or decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server over networks to encrypt and decrypt data.
Notice
- You are charged when you call API operations to encrypt or decrypt data by using CMKs. For more information about the fees, see KMS pricing.
- The key used to encrypt the object is also encrypted and written into the metadata of the object.
- Server-side encryption that uses the default CMK (SSE-KMS) only encrypts the data in the object. The metadata of the object is not encrypted.
- Server-side encryption by using OSS-managed keys (SSE-OSS)
You can use SSE-OSS to encrypt each object. To improve security, OSS uses master keys to encrypt data keys that are rotated on a regular basis. You can use this method to encrypt and decrypt multiple objects at a time.
Implementation modes
Implementation mode | Description
---|---
Console | A user-friendly and intuitive web application
ossutil | A high-performance command-line tool
Java SDK | SDK demos for various programming languages
Python SDK | SDK demos for various programming languages
Go SDK | SDK demos for various programming languages
Server-side encryption by using CMKs stored in KMS
You can use a CMK stored in KMS to generate the keys that encrypt your data. This envelope encryption mechanism further prevents unauthorized data access. KMS eliminates the need to manually maintain the security, integrity, and availability of your keys. You need only to focus on data encryption, data decryption, and digital signature generation and verification based on your business requirements.

- Use CMKs stored in KMS
In this method, OSS uses the default CMK stored in KMS to generate a different key for each object, and automatically decrypts an object when the object is downloaded. OSS creates a CMK on the KMS platform when you use SSE-OSS for the first time.
You can use the following configuration methods:
- Configure the default server-side encryption method for a bucket
Set the default server-side encryption method for a bucket to KMS, but do not specify a CMK ID. Objects uploaded to this bucket are encrypted.
- Configure an encryption method for a specified object
When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set its value to KMS. In this case, OSS uses the default CMK stored in KMS and the AES-256 encryption algorithm to encrypt the object. For more information, see PutObject.
- Use Bring Your Own Key (BYOK)
After you use BYOK material in the KMS console to generate a CMK, the keys generated by the specified CMK stored in KMS are used to encrypt different objects, and the specified CMK ID is recorded in the metadata of each encrypted object. Objects are decrypted only when they are downloaded by users who have the permissions to decrypt the objects.
You can import your BYOK material into KMS as the CMK:
- BYOK material provided by Alibaba Cloud: When you create a key in KMS, you can select Alibaba Cloud KMS as the source of the key material.
- BYOK material provided by the user: When you create a key in KMS, you can select External as the source of the key material and import your own key material. For more information about how to import key material, see Import key material.
You can use the following configuration methods:
- Configure the default server-side encryption method for a bucket
Set the default server-side encryption method for a bucket to KMS, and specify the CMK ID. Objects uploaded to this bucket are encrypted.
- Configure an encryption method for the requested object
When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set its value to KMS. Also include the KMS key ID parameter in the request and set its value to the specified CMK ID. In this case, OSS uses the specified CMK stored in KMS and the AES-256 encryption algorithm to encrypt the object. For more information, see PutObject.
Server-side encryption by using OSS-managed keys
OSS generates and manages the keys used to encrypt data, and provides strong, multi-factor security measures to protect data. OSS server-side encryption uses AES-256, one of the advanced encryption standard ciphers available, to encrypt your data.
You can use the following configuration methods:
- Configure the default server-side encryption method for a bucket
By default, the bucket encryption method is fully managed by OSS and uses the AES-256 encryption algorithm. All objects uploaded to this bucket are then encrypted by default.
- Configure an encryption method for the requested object
When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set its value to AES256. The requested object is encrypted by using the OSS-managed key. For more information, see PutObject.
Permissions
- To configure the default encryption method for a bucket, you must have the following permissions:
  - The permissions to manage the bucket.
  - The permissions to perform the PutBucketEncryption and GetBucketEncryption operations.
  - The permissions to perform the ListKeys, ListAliases, ListAliasesByKeyId, and DescribeKey operations when you set the encryption method to SSE-KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:List*", "kms:DescribeKey"],
          "Resource": ["acs:kms:*:1416614965936597:*"]
        }
      ]
    }
    In this example, the user is allowed to use all CMKs that belong to the account. To allow only one CMK, replace the trailing * in the resource with the CMK ID.
- To upload an object to a bucket by using the encryption method that you configured, you must have the following permissions:
  - The permissions to upload objects to the bucket.
  - The permissions to perform the ListKeys, ListAliases, ListAliasesByKeyId, DescribeKey, and GenerateDataKey operations when you set the encryption method to KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey"],
          "Resource": ["acs:kms:*:1416614965936597:*"]
        }
      ]
    }
    In this example, the user is allowed to use all CMKs that belong to the account. To allow only one CMK, replace the trailing * in the resource with the CMK ID.
- To download an object from a bucket by using the encryption method that you configured, you must have the following permissions:
  - The permissions to access objects in the bucket.
  - The permissions to perform the Decrypt operation when you set the encryption method to KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": ["acs:kms:*:1416614965936597:*"]
        }
      ]
    }
    In this example, the RAM user has the permissions to decrypt data by using all CMKs. To decrypt data by using only a specified CMK, replace the trailing * in the resource with the CMK ID.
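The three sample policies above differ only in the actions they grant, and each one uses a wildcard CMK resource. The following Python example is added here and is not part of the OSS documentation or any Alibaba Cloud SDK: it builds the same policies scoped to a single CMK and flags statements that still grant a KMS action on every CMK in the account. ACCOUNT_ID is the account ID from the sample policies; CMK_ID is a constructed placeholder.

```python
import json

ACCOUNT_ID = "1416614965936597"  # sample account ID used in the policies above
CMK_ID = "cmk-id-placeholder"    # constructed placeholder; substitute a real CMK ID

# KMS actions each role needs, taken from the three sample policies above.
ROLE_ACTIONS = {
    "configure": ["kms:List*", "kms:DescribeKey"],
    "upload": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey"],
    "download": ["kms:Decrypt"],
}

# The page's download policy as JSON text (its inline comment removed).
PAGE_DOWNLOAD_POLICY = '''{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["kms:Decrypt"], "Resource": ["acs:kms:*:1416614965936597:*"]}]}'''

def parse_policy(text):
    return json.loads(text)

def kms_resource(account_id, cmk_id="*", region="*"):
    # '*' as cmk_id means every CMK in the account, as in the page's samples.
    return f"acs:kms:{region}:{account_id}:{cmk_id}"

def build_policy(role, account_id, cmk_id="*"):
    """RAM policy granting the role's KMS actions on one CMK (or all with '*')."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": list(ROLE_ACTIONS[role]),
        "Resource": [kms_resource(account_id, cmk_id)],
    }]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def find_wildcard_cmk_grants(policy):
    """(action, resource) pairs where an Allow statement grants a kms: action on
    every CMK: resource '*' or an acs:kms ARN whose key segment is '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        kms_actions = [a for a in _as_list(stmt.get("Action")) if a.startswith("kms:")]
        for res in _as_list(stmt.get("Resource")):
            parts = res.split(":")
            if res == "*" or (len(parts) == 5 and parts[:2] == ["acs", "kms"]
                              and parts[4] == "*"):
                findings.extend((a, res) for a in kms_actions)
    return findings
```

Run find_wildcard_cmk_grants over the policies attached to your RAM users before enabling SSE-KMS with a specified CMK; an empty result means every KMS grant is pinned to a CMK ID.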
FAQ
Does OSS encrypt data of existing objects after I configure server-side encryption?
After you configure server-side encryption, OSS encrypts only the objects that are uploaded afterwards and does not encrypt the data of existing objects. If you want to encrypt the data of existing objects, you can call the CopyObject operation to overwrite the existing objects.
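The following Python example is added here and is not from the OSS documentation or SDK. It ties together the per-object header configuration described above and this FAQ answer: it builds the x-oss-server-side-encryption request headers for the three modes, reads the encryption state back from the headers OSS returns for an object, and lists objects that still need to be rewritten. The x-oss-server-side-encryption-key-id header name is assumed (it is not shown on this page), and the object inventory is constructed.

```python
"""Per-object SSE request headers plus an audit of stored objects' encryption
state. Constructed data only; no OSS calls are made."""

SSE_HEADER = "x-oss-server-side-encryption"            # header named on the page
KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"  # CMK-ID header (assumed)

def sse_request_headers(mode, cmk_id=None):
    """Headers to add to PutObject: 'oss' -> SSE-OSS (AES256), 'kms' -> SSE-KMS
    with the default CMK, 'byok' -> SSE-KMS with the specified CMK ID."""
    if mode == "oss":
        return {SSE_HEADER: "AES256"}
    if mode == "kms":
        return {SSE_HEADER: "KMS"}
    if mode == "byok":
        if not cmk_id:
            raise ValueError("byok mode requires a CMK ID")
        return {SSE_HEADER: "KMS", KEY_ID_HEADER: cmk_id}
    raise ValueError(f"unknown mode {mode!r}")

def classify(resp_headers):
    """(algorithm, cmk_id) from the headers OSS returns for an object:
    algorithm is 'AES256', 'KMS', or None when the object is not encrypted.
    HTTP header names are case-insensitive, so normalise before lookup."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    return h.get(SSE_HEADER), h.get(KEY_ID_HEADER)

def needs_reencryption(objects, required_algo, allowed_cmk=None):
    """Keys of objects whose stored encryption does not match policy. Objects
    uploaded before the bucket default was set come back with algorithm None;
    as the FAQ says, they must be rewritten (CopyObject) to become encrypted."""
    out = []
    for key, headers in objects.items():
        algo, cmk = classify(headers)
        if algo != required_algo or (allowed_cmk is not None and cmk != allowed_cmk):
            out.append(key)
    return sorted(out)

# Constructed sample inventory (HeadObject-style headers), one object per state.
SAMPLE = {
    "legacy.csv": {"Content-Length": "10"},                        # never encrypted
    "ossmanaged.bin": {"x-oss-server-side-encryption": "AES256"},  # SSE-OSS
    "kmsdefault.doc": {"X-Oss-Server-Side-Encryption": "KMS"},    # KMS, no key-ID header (constructed)
    "byok.pdf": {"x-oss-server-side-encryption": "KMS",
                 "x-oss-server-side-encryption-key-id": "cmk-id-placeholder"},
}

if __name__ == "__main__":
    print(needs_reencryption(SAMPLE, "KMS", "cmk-id-placeholder"))
```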