Introduction to client-side encryption SDK

Last Updated: Jul 30, 2018

Data protection covers two things: securing data in transit and protecting data at rest. To secure data in transit, you can use SSL or client-side encryption to encrypt the data that is being uploaded to OSS or downloaded from OSS. To protect data at rest in OSS, you can use the following methods:

  • Server-side encryption
    OSS automatically encrypts the data when it is written to its data centers and decrypts the data when it is downloaded.

  • Client-side encryption
    Use a client-side encryption SDK to encrypt data locally before uploading it to OSS. In this scenario, you manage the encryption process and the data keys yourself.

Use a client encryption SDK

With client-side encryption, data is encrypted locally before it is uploaded to OSS. You can use the following methods to manage data keys:

  • Use Key Management Service (KMS) to manage master keys.
  • Manually manage data keys.

Use KMS to manage master keys

When KMS is used to manage master keys, you do not need to provide any data keys to the OSS client-side encryption SDK. You only need to specify the master key ID (the customer master key ID, or CMK ID). The data encryption procedure is as follows:

  1. Upload the object.
    With the CMK ID specified, the OSS encrypted SDK asks the KMS server for a data key to encrypt the object that you want to upload. The KMS server randomly generates a data key, encrypts it under the CMK, and returns both the plaintext data key and the encrypted data key to the OSS encrypted SDK.

  2. Encrypt data.
    After the OSS encrypted SDK receives the data key and encrypted data key, it uses the keys to encrypt the object and then uploads the object to OSS together with the encrypted data key.

  3. Download the object.
    The OSS encrypted SDK downloads the object and the metadata of the object from OSS. The metadata contains the encrypted data key.

  4. Decrypt data.
    The OSS encrypted SDK sends the encrypted data key and the CMK ID to the KMS server. The KMS server uses the corresponding CMK to decrypt the encrypted data key and returns the plaintext data key to the OSS encrypted SDK, which then uses it to decrypt the object.

Note:

  • The OSS encrypted SDK requests a unique encrypted data key for each object to be uploaded.
  • To guarantee data security, we recommend that you rotate the CMK periodically.
  • You must keep track of which CMK ID was used for each object.

Manually manage data keys

This method requires you to generate and manage data keys yourself. During the client-side encryption process, you must provide a master key (symmetric or asymmetric) to the client-side encryption SDK. The data encryption procedure is as follows:

  1. Upload the object.
    You must first provide a master key (symmetric or asymmetric) to the OSS encrypted SDK. The OSS encrypted SDK uses the master key to encrypt a randomly generated data key. The OSS encrypted SDK follows these steps to upload the object:

    1. Generates a one-time use symmetric key, which is used as the data key. A data key can only be used to encrypt one object.
    2. Uses the data key to encrypt the object.
    3. Uses the master key to encrypt the data key.
    4. Uploads the encrypted data key together with the object to OSS. The encrypted data key is saved as the metadata of the object in OSS.
  2. Download the object.
    The OSS encrypted SDK first downloads the encrypted object and its metadata from OSS, then uses the information in the metadata to determine which master key decrypts the encrypted data key. After decrypting the data key, the OSS encrypted SDK uses it to decrypt the object.

Note:

  • The OSS encrypted SDK never uploads your master key or the unencrypted data key to OSS. Therefore, make sure that your master key and data keys are stored securely.
  • The data key is randomly generated by the OSS encrypted SDK.
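The two procedures above (KMS-managed master key and manually managed master key), as an added example that is not part of the original page or of the OSS client-side encryption SDK: a stand-alone Python model of envelope encryption with both key-management paths side by side. Everything in it is constructed for the example: the KMS is a stub whose CMKs never leave it (a generate_data_key call that returns a plaintext and an encrypted data key, and a decrypt call that unwraps one), the bucket is a dict, the metadata names and CMK ID format are invented, and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) chosen only so the example has no dependencies; the real SDK's cipher and metadata layout are not reproduced here.

```python
"""Envelope encryption for OSS uploads, modelled end to end: one random data key per
object, wrapped by a master key that is held locally or kept inside a stubbed KMS.
Added example, not OSS SDK code. The symmetric primitive (HMAC-SHA256 keystream +
HMAC tag) is a dependency-free stand-in for the AEAD a real client would use."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32

def _subkeys(key: bytes):
    # Independent encryption and MAC keys derived from one symmetric key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i), truncated to length."""
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag in constant time before decrypting; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class LocalMasterKey:
    """'Manually manage data keys': you supply and safeguard the master key yourself."""
    def __init__(self, master_key: bytes, key_id: str = "local-master-key-v1"):
        self._master_key, self.key_id = master_key, key_id
    def wrap_new_data_key(self):
        data_key = os.urandom(KEY_LEN)                  # one-time key, one per object
        return data_key, sym_encrypt(self._master_key, data_key)
    def unwrap_data_key(self, wrapped: bytes, key_id: str) -> bytes:
        if key_id != self.key_id:
            raise KeyError(f"object was wrapped under master key {key_id!r}")
        return sym_decrypt(self._master_key, wrapped)

class StubKms:
    """Stands in for the KMS service: CMKs never leave it; clients hold only CMK IDs."""
    def __init__(self):
        self._cmks = {}
    def create_cmk(self) -> str:
        cmk_id = "cmk-" + os.urandom(6).hex()          # constructed ID format
        self._cmks[cmk_id] = os.urandom(KEY_LEN)
        return cmk_id
    def generate_data_key(self, cmk_id: str):
        data_key = os.urandom(KEY_LEN)                  # step 1: fresh key + wrapped copy
        return data_key, sym_encrypt(self._cmks[cmk_id], data_key)
    def decrypt(self, cmk_id: str, wrapped: bytes) -> bytes:
        return sym_decrypt(self._cmks[cmk_id], wrapped)  # step 4: unwrap under the CMK

class KmsMasterKey:
    """'Use KMS to manage master keys': the client is configured with a CMK ID only."""
    def __init__(self, kms: StubKms, cmk_id: str):
        self._kms, self.key_id = kms, cmk_id
    def wrap_new_data_key(self):
        return self._kms.generate_data_key(self.key_id)
    def unwrap_data_key(self, wrapped: bytes, key_id: str) -> bytes:
        return self._kms.decrypt(key_id, wrapped)

class EncryptedOssClient:
    """Client-side encryption in front of a bucket (a dict here, standing in for OSS)."""
    META_WRAPPED_KEY = "x-oss-meta-wrapped-data-key"   # constructed metadata names
    META_KEY_ID = "x-oss-meta-master-key-id"
    def __init__(self, materials):
        self._materials, self.bucket = materials, {}
    def put_object(self, name: str, plaintext: bytes) -> None:
        data_key, wrapped = self._materials.wrap_new_data_key()
        metadata = {self.META_WRAPPED_KEY: wrapped.hex(),
                    self.META_KEY_ID: self._materials.key_id}
        # Only the ciphertext and the wrapped key leave the client.
        self.bucket[name] = (sym_encrypt(data_key, plaintext), metadata)
    def get_object(self, name: str) -> bytes:
        ciphertext, metadata = self.bucket[name]
        data_key = self._materials.unwrap_data_key(
            bytes.fromhex(metadata[self.META_WRAPPED_KEY]), metadata[self.META_KEY_ID])
        return sym_decrypt(data_key, ciphertext)

def demo() -> tuple:
    """Round-trip one constructed payload through both key-management paths."""
    payload = b"constructed sample object contents"
    local = EncryptedOssClient(LocalMasterKey(os.urandom(KEY_LEN)))
    local.put_object("report.csv", payload)
    kms = StubKms()
    via_kms = EncryptedOssClient(KmsMasterKey(kms, kms.create_cmk()))
    via_kms.put_object("report.csv", payload)
    return local.get_object("report.csv"), via_kms.get_object("report.csv")
```

Two properties from the Notes above are visible in the model: every put_object produces a different wrapped data key even for identical plaintext, and a client holding the wrong master key fails closed at the tag check instead of returning garbage. Recording the master key ID in the object's metadata, as the client does here, is one way of keeping the CMK-ID-to-object mapping that the KMS section asks you to maintain.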