OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS decrypts the data and returns the original data. The HTTP response header declares that the data was encrypted on the server.

Notice Server-side encryption cannot automatically encrypt data retrieved by using mirroring-based back-to-origin.

Scenarios

OSS protects data at rest by using server-side encryption. You can use this method for scenarios that require additional security or compliance, such as storage of deep learning samples and online collaborative documents. OSS allows you to use the following server-side encryption methods for different scenarios:

  • Server-side encryption by using KMS (SSE-KMS)
    You can use a specified CMK ID or the default CMK stored in KMS to encrypt or decrypt large amounts of data when you upload objects. This method is cost-effective because user data does not have to be sent to the KMS server over the network for encryption and decryption.
    Notice You are charged for the API operations that are called when you use CMKs to encrypt or decrypt data. For more information about the fees, see KMS pricing.
  • Server-side encryption by using OSS-managed keys (SSE-OSS)

    This encryption method is an attribute of objects. In this method, OSS server-side encryption uses AES-256 to encrypt objects by using different data keys. Master keys used to encrypt data keys are rotated regularly. You can use this method to encrypt and decrypt multiple objects at a time.

Notice Only one server-side encryption method can be used for an object at a time.

Implementation modes

  • Console: A user-friendly and intuitive web application
  • ossutil: A high-performance command-line tool
  • Java SDK, Python SDK, Go SDK: SDK demos for various programming languages

Principles

  • Server-side encryption by using CMKs stored in KMS

    KMS is a secure and easy-to-use key management service provided by Alibaba Cloud. KMS ensures the privacy, integrity, and availability of your keys at minimal cost and allows you to securely and conveniently use keys. You can develop encryption and decryption solutions that best suit your needs. You can view and manage keys in the KMS console.

    KMS encrypts data based on AES-256 and stores and manages CMKs used to encrypt data keys. KMS also generates data keys that can be used to encrypt and decrypt large amounts of data. Envelope encryption provided by KMS can protect your data and corresponding data keys from unauthorized access.

    The following figure shows the logic of server-side encryption based on SSE-KMS.
    [Figure: Encryption]
    You can use the following methods to provide the CMK:
    • Use CMKs stored in KMS

      You can set the default server-side encryption method of the bucket to KMS without specifying a CMK ID. Alternatively, when you send a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to KMS without specifying a CMK ID. In this method, OSS uses the default CMK stored in KMS to generate a different key for each object, and automatically decrypts an object when the object is downloaded.

    • Use BYOK

      Server-side encryption supports Bring Your Own Key (BYOK). You can set the default server-side encryption method of the bucket to KMS and specify a CMK ID. Alternatively, when you send a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to KMS, and set X-OSS-server-side-encryption-key-id to a CMK ID. OSS uses the specified CMK to generate a different key for each object, and records the CMK ID in the metadata of the encrypted object. When a user who has decryption permissions downloads the object, OSS automatically decrypts the object.

      You can import your BYOK material into KMS as the CMK:
      • BYOK material provided by Alibaba Cloud: When you create a key on KMS, you can select Alibaba Cloud KMS as the source of the key material.
      • BYOK material provided by the user: When you create a key on KMS, you can select External as the source of the key material and import the external key material. For more information about how to import the key material, see Import and delete key material.
      Notice
      • If you use a CMK to encrypt an object, the data key used for encryption is itself encrypted and stored in the object metadata.
      • Server-side encryption that uses the default CMK stored in KMS only encrypts the data in the object. The metadata of the object is not encrypted.
      • To use a RAM user's credentials to encrypt objects by using a specified CMK, you must grant the relevant permissions to the RAM user's credentials. For more information, see Use RAM to authorize KMS resources.
  • Server-side encryption by using OSS-managed keys

    In this method, OSS generates and manages the keys used for data encryption, and provides strong, multi-factor security measures to protect data. OSS server-side encryption uses AES-256, one of the strongest block ciphers available, to encrypt your data.

    This encryption method is an attribute of objects. To perform server-side encryption on an object, you can set the default server-side encryption method of the bucket to AES256. Alternatively, when you send a request to upload an object or modify the metadata of an object, you can include the X-OSS-server-side-encryption field in the request and set its value to AES256.
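    The three ways of requesting server-side encryption described above differ only in two request headers, and the same headers come back on the object, which makes it possible to audit a bucket for objects that were stored before default encryption was enabled (the situation the FAQ describes). The following is an added example, not code from the OSS SDKs; the header names are from this page, and it assumes that OSS echoes the same two headers in HEAD/GET responses. The listing, the CMK ID and the object keys are constructed.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Header names documented on this page; HTTP header names are case-insensitive,
# so comparisons below are done in lower case.
SSE_HEADER = "x-oss-server-side-encryption"
SSE_KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"


def sse_request_headers(method: str, cmk_id: Optional[str] = None) -> Dict[str, str]:
    """Headers for an upload or metadata-modification request: "KMS" alone uses the
    default CMK in KMS, "KMS" + cmk_id selects a CMK (BYOK), "AES256" is SSE-OSS."""
    if method not in ("KMS", "AES256"):
        raise ValueError(f"unsupported server-side encryption method: {method!r}")
    headers = {SSE_HEADER: method}
    if cmk_id is not None:
        if method != "KMS":
            # Only one method applies per object; a CMK ID belongs to KMS only.
            raise ValueError("a CMK ID can only be combined with the KMS method")
        headers[SSE_KEY_ID_HEADER] = cmk_id
    return headers


def sse_state(object_headers: Dict[str, str]) -> str:
    """Classify one object from the headers OSS returns for it (assumed HEAD/GET)."""
    lowered = {k.lower(): v for k, v in object_headers.items()}
    method = lowered.get(SSE_HEADER)
    if method is None:
        return "none"  # e.g. uploaded before default encryption was configured
    if method == "AES256":
        return "SSE-OSS"
    if method == "KMS":
        return "SSE-KMS:" + lowered.get(SSE_KEY_ID_HEADER, "default")
    return "unknown:" + method


def objects_needing_reupload(listing: Iterable[Tuple[str, Dict[str, str]]],
                             required_state: str) -> List[str]:
    """Keys whose state differs from the required one; enabling default encryption
    does not re-encrypt existing objects (see the FAQ), so these need re-uploading."""
    return [key for key, hdrs in listing if sse_state(hdrs) != required_state]


# Constructed sample listing (not real OSS output): (key, headers returned by HEAD).
SAMPLE_LISTING = [
    ("reports/q1.csv", {"X-OSS-Server-Side-Encryption": "KMS",
                        "X-OSS-Server-Side-Encryption-Key-Id": "EXAMPLE-CMK-ID"}),
    ("reports/q2.csv", {"X-OSS-Server-Side-Encryption": "AES256"}),
    ("legacy/old.bin", {"Content-Type": "application/octet-stream"}),
]
```

    In a real audit the listing would be fed from ListObjects plus a HEAD request per object; the classification logic stays the same.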

Description

To use server-side encryption by using a RAM user's credentials, you must have the following permissions:
  • To configure the default encryption method for a bucket, you must have the following permissions:
    • The management permissions on the bucket.
    • The permissions to perform the PutBucketEncryption and GetBucketEncryption operations.
    • The permissions to perform the ListKeys, ListAliases, ListAliasesByKeyId, and DescribeKey operations when you use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user is allowed to use all CMKs that belong to the account. To allow only a specific CMK, enter that CMK ID in the Resource element instead.
  • To upload an object to a bucket by using the default encryption method configured, you must have the following permissions:
    • The permissions to upload objects to the bucket.
    • The permissions to perform the ListKeys, ListAliases, ListAliasesByKeyId, DescribeKey, and GenerateDataKey operations when you use a specified CMK ID to encrypt data. Otherwise, the object fails to be uploaded. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey",
              "kms:GenerateDataKey"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user is allowed to use all CMKs that belong to the account. To allow only a specific CMK, enter that CMK ID in the Resource element instead.
  • To download an object from a bucket by using the default encryption method configured, you must have the following permissions:
    • The permissions to access objects in the bucket.
    • The permissions to perform the Decrypt operation when you use a specified CMK ID to decrypt data. Otherwise, the object fails to be downloaded. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user has the permissions to decrypt data by using all CMKs that belong to the account. To decrypt data by using a specified CMK only, enter that CMK ID in the Resource element instead.
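The three permission sets above are easy to get subtly wrong because RAM actions are usually granted through wildcards such as kms:List*, and a Deny statement elsewhere in the policy silently overrides an Allow. The following added example (not part of this page or of the RAM or KMS tooling) checks a RAM policy document against the KMS actions this page lists for each step, honouring wildcards and Deny statements. The CMK ARN is constructed: the account ID is the one used in the policies above, while the region and key ID are placeholders.

```python
import fnmatch
import json
from typing import Dict, List

# KMS actions this page requires for each step when a specific CMK ID is used,
# spelled as RAM action names (the page's policies grant them via "kms:List*" etc.).
REQUIRED_KMS_ACTIONS: Dict[str, List[str]] = {
    "configure_bucket": ["kms:ListKeys", "kms:ListAliases",
                         "kms:ListAliasesByKeyId", "kms:DescribeKey"],
    "upload": ["kms:ListKeys", "kms:ListAliases", "kms:ListAliasesByKeyId",
               "kms:DescribeKey", "kms:GenerateDataKey"],
    "download": ["kms:Decrypt"],
}


def _as_list(value) -> List[str]:
    """RAM accepts "Action" and "Resource" as either a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(name: str, patterns: List[str]) -> bool:
    """RAM action/resource strings may use '*' wildcards, e.g. "kms:List*"."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def missing_kms_actions(policy_json: str, step: str, cmk_arn: str) -> List[str]:
    """Required KMS actions that the policy does not grant on cmk_arn.
    An action counts as granted only if an Allow statement covers both the action
    and the CMK resource, and no Deny statement covers the same pair."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed: List[str] = []
    denied: List[str] = []
    for stmt in statements:
        if not _matches(cmk_arn, _as_list(stmt.get("Resource"))):
            continue  # statement does not cover this CMK at all
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in REQUIRED_KMS_ACTIONS[step]
            if not _matches(a, allowed) or _matches(a, denied)]


# The upload policy from this page, plus a constructed CMK ARN: the account ID is
# the page's, the region and key ID are placeholders.
UPLOAD_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey"],
    "Resource": ["acs:kms:*:1416614965936597:*"]}]})
EXAMPLE_CMK_ARN = "acs:kms:cn-hangzhou:1416614965936597:key/EXAMPLE-CMK-ID"
```

Run against the page's upload policy, the checker reports nothing missing for the configure_bucket and upload steps and kms:Decrypt missing for download, which is exactly the "object fails to be downloaded" case described above.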

FAQ

Does OSS encrypt data of existing objects after I configure server-side encryption?

After you configure server-side encryption, OSS encrypts only the objects that you upload afterwards; data of existing objects is not encrypted. If you want to encrypt data of existing objects, upload those objects again.