Object Storage Service (OSS) supports server-side encryption. When you upload objects, OSS encrypts and stores the data. When you download objects, OSS decrypts the data and returns the original data. The returned HTTP request header indicates that the data is encrypted on the server side.

Notice Server-side encryption cannot automatically encrypt data retrieved by using mirroring-based back-to-origin.

Encryption methods

OSS protects static data by using server-side encryption. You can use this method in scenarios that require additional security or compliance such as the storage of deep learning samples and online collaborative documents.

Only one server-side encryption method can be used for an object at a time. OSS allows you to use the following server-side encryption methods in different scenarios:
  • Server-side encryption by using Key Management Service (SSE-KMS)
    You can use a default customer master key (CMK) or specify a CMK to encrypt or decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server over networks to encrypt and decrypt data.
    Notice
    • You are charged when you call API operations to encrypt or decrypt data by using CMKs. For more information about the fees, see KMS pricing.
    • The key used to encrypt the object is also encrypted and written into the metadata of the object.
    • Server-side encryption that uses the default CMK (SSE-KMS) only encrypts the data in the object. The metadata of the object is not encrypted.
  • Server-side encryption by using OSS-managed keys (SSE-OSS)

    You can use SSE-OSS to encrypt each object. To improve security, OSS uses master keys to encrypt data keys that are rotated on a regular basis. You can use this method to encrypt and decrypt multiple objects at a time.

Implementation modes

Implementation mode Description
Console A user-friendly and intuitive web application
ossutil A high-performance command-line tool
Java SDK SDK demos for various programming languages
Python SDK
Go SDK

Server-side encryption by using CMKs stored in KMS

You can use a CMK stored in KMS to generate CMK encrypted data. The envelope encryption mechanism further prevents unauthorized data access. KMS eliminates the need to manually maintain the security, integrity, and availability of your keys. You need only to focus on data encryption, data decryption, and digital signature generation and verification based on your business requirements.

The following figure shows the logic of server-side encryption based on SSE-KMS. key1
When you use SSE-KMS to encrypt data, you can use the following keys:
  • Use CMKs stored in KMS

    In this method, OSS generates different keys to encrypt different objects by using the default CMK stored in KMS, and automatically decrypts an object when the object is downloaded. OSS creates a CMK on the KMS platform when you use SSE-OSS for the first time.

    You can use the following configuration methods:

    • Configure the default server-side encryption method for a bucket

      Set the default server-side encryption method for a bucket to KMS,but do not specify a CMK ID. Objects uploaded to this bucket are encrypted.

    • Configure an encryption method for a specified object

      When you upload an object or modify the metadata of an object, the x-oss-server-side-encryption parameter is included in the request and the parameter value is set to KMS. In this case, OSS uses the default CMK stored in KMS and uses the AES-256 encryption algorithm to encrypt the object.For more information, see PutObject.

  • Use Bring Your Own Key (BYOK)

    After you use the BYOK material in the KMS console to generate a CMK, the keys generated by a specified CMK stored in KMS are used to encrypt different objects and the specified CMK ID is recorded in the metadata of the encrypted object. Objects are decrypted only when they are downloaded by users who have the permissions to decrypt the objects.

    You can import your BYOK material into KMS as the CMK:
    • BYOK material provided by Alibaba Cloud: When you create a key on KMS, you can select Alibaba Cloud KMS as the source of the key material.
    • BYOK material provided by the user: When you create a key on KMS, you can select the source of the key material as external and import the external key material. For more information about how to import the key material, see Import key material.
    You can use the following configuration methods:
    • Configure the default server-side encryption method for a bucket

      Set the default server-side encryption method for a bucket to KMS,and specify the CMK ID. Objects uploaded to this bucket are encrypted.

    • Configure an encryption method for the requested object

      When you upload an object or modify the metadata of an object, the x-oss-server-side-encryption parameter is included in the request and the parameter value is set to KMS. The KMS parameter is included in the request, and the parameter value is set to specified CMK ID. In this case, OSS uses the specified CMK stored in KMS and the AES-256 encryption algorithm to encrypt the object.For more information, see PutObject.

Server-side encryption by using OSS-managed keys

OSS generates and manages the keys used to encrypt data, and provides strong and multi-factor security measures to protect data. OSS server-side encryption uses AES-256, one of the advanced encryption standard ciphersavailable to encrypt your data.

You can use the following configuration methods:

  • Configure the default server-side encryption method for a bucket

    By default, the bucket encryption method is fully managed by OSS and uses the AES-256 encryption algorithm. By default, all objects uploaded to this bucket are encrypted.

  • Configure an encryption method for the requested object

    When you upload an object or modify the metadata of an object, the x-oss-server-side-encryption parameter is included in the request and the parameter value is set to AES256. The requested object is encrypted by using the OSS-managed key. For more information, see PutObject.

Permissions

To use server-side encryption by using the credentials of a RAM user in the following scenarios, you must have the following permissions:
  • To configure the default encryption method for a bucket, you must have the following permissions:
    • The permissions to manage the bucket.
    • The permissions to perform the PutBucketEncryption and GetBucketEncryption operations.
    • The permissions to perform the ListKeys, Listalias, ListAliasesByKeyId, and DescribeKeys operations when you set the encryption method to SSE-KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs: 
      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:DescribeKey"    
      ],
      "Resource": [
        "acs:kms:*:1416614965936597:*" // In this example, the user is allowed to use all CMKs that belong to the account. To specify that only a CMK is available, enter the CMK ID.
      ]
    }
  ]
}
  • To upload an object to a bucket by using the encryption method that you configured, you must have the following permissions:
    • The permissions to upload objects to the bucket.
    • The permissions to perform the ListKeys, Listalias, ListAliasesByKeyId, DescribeKeys, and GenerateDataKey operations when you set the encryption method to KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs: 
      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": [
        "acs:kms:*:1416614965936597:*" // In this example, the user is allowed to use all CMKs that belong to the account. To specify that only a CMK is available, enter the CMK ID.
      ]
    }
  ]
}
  • To download an object from a bucket by using the encryption method that you configured, you must have the following permissions:
    • The permissions to access objects in the bucket.
    • The permissions to perform the Decrypt operation when you set the encryption method to KMS and use a specified CMK ID to encrypt data. The following RAM policy provides an example on how to specify the permissions associated with CMK IDs:
      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
    "kms:Decrypt"
      ],
      "Resource": [
        "acs:kms:*:1416614965936597:*" // In this example, the RAM user has the permissions to decrypt data by using all CMKs. To decrypt data by using a specified CMK, enter the CMK ID.
      ]
    }
  ]
}

FAQ

Does OSS encrypt data of existing objects after I configure server-side encryption?

After you configure server-side encryption, OSS encrypts data for objects you want to upload and does not encrypt data of existing objects. If you want to encrypt data of existing objects, you can call the CopyObject operation to overwrite existing objects.