Object Storage Service (OSS) supports server-side encryption. When you upload objects, OSS encrypts and stores the data. When you download objects, OSS decrypts the data and returns the decrypted data. The returned HTTP request header indicates that the data is encrypted on the server side.

Notice Server-side encryption cannot automatically encrypt data retrieved by using mirroring-based back-to-origin.

Encryption methods

OSS protects static data by using server-side encryption. You can use this method in scenarios in which additional security or compliance is required, such as the storage of deep learning samples and online collaborative documents.

Only one server-side encryption method can be used for an object at a time. OSS provides the following server-side encryption methods that you can use in different scenarios:
  • Server-side encryption by using Key Management Service (SSE-KMS)
    You can use the default customer master key (CMK) or specify a CMK to encrypt or decrypt large amounts of data. This method is cost-effective because you do not need to send user data to the KMS server over networks to encrypt and decrypt data.
    Notice
    • You are charged when you call API operations to encrypt or decrypt data by using CMKs. For more information about the fees, see Billing.
    • The key used to encrypt the object is also encrypted and written into the metadata of the object.
    • Server-side encryption that uses the default CMK (SSE-KMS) only encrypts the data in the object. The metadata of the object is not encrypted.
  • Server-side encryption by using OSS-managed keys (SSE-OSS)

    You can use SSE-OSS to encrypt each object. To improve security, OSS uses master keys that are rotated on a regular basis to encrypt data keys. You can use this method to encrypt and decrypt multiple objects at a time.

Implementation methods

Implementation method    Description
Console                  A user-friendly and intuitive web application
ossutil                  A high-performance command-line tool
Java SDK                 SDK demos for a variety of programming languages
Python SDK
Go SDK

Server-side encryption by using CMKs stored in KMS

You can use a CMK stored in KMS to generate the keys that encrypt your data. The envelope encryption mechanism further prevents unauthorized data access. KMS eliminates the need to manually maintain the security, integrity, and availability of your keys. You need only to focus on data encryption, data decryption, and digital signature generation and verification based on your business requirements.

The following figure shows the logic of server-side encryption based on SSE-KMS. [Figure: SSE-KMS server-side encryption logic]
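The envelope mechanism described above, as an added Python example that is not Alibaba Cloud's code: a simulated KMS holds a CMK (the ID cmk-example-0001 is a constructed value), hands out one fresh data key per object, and the object body is encrypted under that data key while the wrapped data key and the CMK ID travel in the object's metadata, which, like user metadata, stays unencrypted. An HMAC-SHA256 counter-mode keystream stands in for AES-256 so the block needs only the standard library; the metadata field name wrapped-data-key is this example's own.

```python
import hashlib
import hmac
import secrets

# Simulated KMS: in the real service the CMK never leaves KMS. The key ID is a
# constructed example value, not a real CMK ID.
_KMS_KEYS = {"cmk-example-0001": secrets.token_bytes(32)}


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream. This stands in for
    AES-256 so the example runs with the standard library only; it shows the
    key hierarchy, not the cipher OSS uses."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(enc_key, nonce, ciphertext)


def kms_generate_data_key(cmk_id: str):
    """Simulated KMS GenerateDataKey: a fresh data key plus the same key wrapped
    under the CMK. Only the wrapped form is ever stored."""
    data_key = secrets.token_bytes(32)
    return data_key, _seal(_KMS_KEYS[cmk_id], data_key)


def kms_decrypt(cmk_id: str, wrapped_key: bytes) -> bytes:
    """Simulated KMS Decrypt: unwrap a data key with the named CMK."""
    return _open(_KMS_KEYS[cmk_id], wrapped_key)


def put_object_sse_kms(body: bytes, cmk_id: str, user_metadata: dict) -> dict:
    """Simulated SSE-KMS upload: the body is encrypted under a per-object data
    key; the wrapped key and the CMK ID go into object metadata, which, like the
    user metadata, is stored unencrypted."""
    data_key, wrapped_key = kms_generate_data_key(cmk_id)
    return {
        "body": _seal(data_key, body),
        "metadata": {
            "x-oss-server-side-encryption": "KMS",
            "x-oss-server-side-encryption-key-id": cmk_id,
            "wrapped-data-key": wrapped_key,  # field name is this example's own
            **user_metadata,
        },
    }


def get_object_sse_kms(stored: dict) -> bytes:
    """Simulated download: unwrap the data key via KMS, then decrypt the body."""
    meta = stored["metadata"]
    data_key = kms_decrypt(meta["x-oss-server-side-encryption-key-id"], meta["wrapped-data-key"])
    return _open(data_key, stored["body"])


def tamper_detected(stored: dict) -> bool:
    """Flip one ciphertext byte and confirm the download is refused."""
    corrupted = dict(stored)
    body = stored["body"]
    corrupted["body"] = body[:16] + bytes([body[16] ^ 0x01]) + body[17:]
    try:
        get_object_sse_kms(corrupted)
    except ValueError:
        return True
    return False
```

Two objects uploaded under the same CMK get different data keys and different wrapped keys, so compromising one object's data key exposes only that object; the CMK itself is only ever used inside the (simulated) KMS, which is the property the notice about "the key used to encrypt the object is also encrypted and written into the metadata" relies on.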
When you use SSE-KMS to encrypt data, you can use the following keys:
  • Use CMKs stored in KMS

    For this method, OSS generates a different key for each object by using the default CMK stored in KMS, and automatically decrypts an object when the object is downloaded. The first time you use SSE-KMS, OSS creates a CMK on the KMS platform.

    You can use the following configuration methods:

    • Configure the default server-side encryption method for a bucket

      Set the default server-side encryption method for a bucket to KMS, but do not specify a CMK ID. Objects uploaded to this bucket are encrypted.

    • Configure an encryption method for a specified object

      When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set the parameter value to KMS. In this case, OSS uses the default CMK stored in KMS and uses the AES-256 encryption algorithm to encrypt the object. For more information, see PutObject.

  • Use Bring Your Own Key (BYOK)

    After you use the BYOK material in the KMS console to generate a CMK, keys derived from that specified CMK stored in KMS are used to encrypt different objects, and the specified CMK ID is recorded in the metadata of each encrypted object. Objects are decrypted only when they are downloaded by users who have the permissions to decrypt the objects.

    You may obtain your BYOK material from one of the following sources:
    • BYOK material provided by Alibaba Cloud: When you create a key on KMS, you can select Alibaba Cloud KMS as the source of the key material.
    • BYOK material provided by the user: When you create a key on KMS, you can select external as the source of the key material and import the external key material. For more information about how to import the key material, see Import key material.
    You can use the following configuration methods:
    • Configure the default server-side encryption method for a bucket

      Set the default server-side encryption method to SSE-KMS, and specify the CMK ID. Objects uploaded to this bucket are encrypted.

    • Configure an encryption method for the requested object

      When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set the value of the parameter to KMS. In addition, include the x-oss-server-side-encryption-key-id parameter in the request and set the parameter value to a specified CMK ID. In this case, OSS uses the specified CMK stored in KMS and the AES-256 encryption algorithm to encrypt the object. For more information, see PutObject.

Server-side encryption and decryption by using OSS-managed keys

OSS generates and manages the keys used to encrypt data, and provides strong and multi-factor security measures to protect data. OSS server-side encryption uses AES-256, one of the Advanced Encryption Standard algorithms, to encrypt your data.

You can use the following configuration methods:

  • Configure the default server-side encryption method for a bucket

    Set the default encryption method to SSE-OSS and specify the encryption algorithm as AES-256. This way, all objects uploaded to this bucket are encrypted by default.

  • Configure an encryption method for the requested object

    When you upload an object or modify the metadata of an object, include the x-oss-server-side-encryption parameter in the request and set the parameter value to AES256. In this case, the requested object is encrypted by using an OSS-managed key. For more information, see PutObject.

Required permissions

To use server-side encryption with the credentials of a Resource Access Management (RAM) user, the RAM user must have the following permissions in each scenario.
  • To configure the default encryption method for a bucket, you must have the following permissions:
    • The permissions to manage the bucket.
    • The permissions to call PutBucketEncryption and GetBucketEncryption operations.
    • The permissions to call the ListKeys, ListAliases, ListAliasesByKeyId, and DescribeKey operations when you set the encryption method to SSE-KMS and use a specified CMK ID to encrypt data. To grant a RAM user the preceding permissions, configure a RAM policy based on the following example in the RAM console:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user is allowed to use all CMKs that belong to the account. If you want the RAM user to use only one CMK, specify the ID of that CMK in the Resource value instead of the trailing wildcard.
  • To upload an object to a bucket that has the default encryption method configured, you must have the following permissions:
    • The permissions to upload objects to the bucket.
    • The permissions to call the ListKeys, ListAliases, ListAliasesByKeyId, DescribeKey, GenerateDataKey, and Decrypt operations when you set the encryption method to KMS and use a specified CMK ID to encrypt data. To grant a RAM user the preceding permissions, configure a RAM policy based on the following example in the RAM console:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*",
              "kms:DescribeKey",
              "kms:GenerateDataKey",
              "kms:Decrypt"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user is allowed to use all CMKs that belong to the account. If you want the RAM user to use only one CMK, specify the ID of that CMK in the Resource value instead of the trailing wildcard.
  • To download an object from a bucket that has the default encryption method configured, you must have the following permissions:
    • The permissions to access objects in the bucket.
    • The permissions to call the Decrypt operation when you set the encryption method to KMS and use a specified CMK ID to encrypt data. To grant a RAM user the preceding permissions, configure a RAM policy based on the following example in the RAM console:
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": [
              "acs:kms:*:1416614965936597:*"
            ]
          }
        ]
      }
      In this example, the RAM user has the permissions to use all CMKs in the account to decrypt data. If you want the RAM user to use only one CMK, specify the ID of that CMK in the Resource value instead of the trailing wildcard.
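Generating the three RAM policies above from parameters, with a review step that flags grants broader than these scenarios need, as an added Python example that is not Alibaba Cloud's code or tooling. The action lists are exactly the ones given above and the wildcard Resource string is the one on this page; the narrowed form acs:kms:*:<account-id>:key/<cmk-id> is an assumption about the KMS resource format, and cmk-example-0001 is a constructed key ID.

```python
import json
from typing import Dict, List, Optional

# KMS actions each scenario on this page needs (bucket configuration, upload,
# download). Anything beyond these is more than server-side encryption requires.
KMS_ACTIONS_BY_TASK: Dict[str, List[str]] = {
    "configure_bucket": ["kms:List*", "kms:DescribeKey"],
    "upload": ["kms:List*", "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
    "download": ["kms:Decrypt"],
}


def kms_resource(account_id: str, cmk_id: Optional[str] = None) -> str:
    """Account-wide wildcard (as in the page's examples) or, when a CMK ID is
    given, a single key. The "key/<id>" form is an assumption about the format."""
    if cmk_id is None:
        return f"acs:kms:*:{account_id}:*"
    return f"acs:kms:*:{account_id}:key/{cmk_id}"


def ram_kms_policy(task: str, account_id: str, cmk_id: Optional[str] = None) -> dict:
    """Least-privilege policy document for one task."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(KMS_ACTIONS_BY_TASK[task]),
            "Resource": [kms_resource(account_id, cmk_id)],
        }],
    }


def policy_json(task: str, account_id: str, cmk_id: Optional[str] = None) -> str:
    """The document as the RAM console expects it: plain JSON, no comments."""
    return json.dumps(ram_kms_policy(task, account_id, cmk_id), indent=2)


def find_policy_issues(policy: dict) -> List[str]:
    """Review a policy before attaching it: flag wildcard CMK resources and KMS
    actions that none of the server-side encryption scenarios needs."""
    needed = {action for actions in KMS_ACTIONS_BY_TASK.values() for action in actions}
    issues = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for resource in statement.get("Resource", []):
            if resource.endswith(":*"):
                issues.append(f"statement {index}: resource {resource} grants every CMK in the account")
        for action in statement.get("Action", []):
            if action not in needed:
                issues.append(f"statement {index}: action {action} is not required for server-side encryption")
    return issues
```

A download-only RAM user needs nothing but kms:Decrypt on the one CMK that the bucket's objects reference; the review function reports the account-wide wildcard from the page's examples as an issue so that the narrowed Resource is the deliberate choice rather than the default.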

FAQ

Does OSS encrypt existing objects in a bucket after I configure server-side encryption for the bucket?

No, OSS encrypts only objects that are uploaded after server-side encryption is configured for the bucket and does not encrypt existing objects in the bucket. If you want to encrypt existing objects in a bucket, you can call the CopyObject operation to overwrite the existing objects.
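The per-object request headers described under each configuration method above, and the CopyObject re-encryption answered in this FAQ, as one added Python example that is not Alibaba Cloud's code or SDK. It builds the x-oss-server-side-encryption and x-oss-server-side-encryption-key-id headers for SSE-OSS, SSE-KMS with the default CMK and SSE-KMS with a specified CMK, checks response headers against the intended method, and from a constructed per-object metadata inventory (the bucket name, keys and cmk-example-0001 are all constructed) plans the copy-onto-itself requests that would re-encrypt objects not yet stored with the target method. The request dict shape is this example's own, not an SDK signature.

```python
from typing import Dict, List, Optional

SSE_HEADER = "x-oss-server-side-encryption"
SSE_KEY_ID_HEADER = "x-oss-server-side-encryption-key-id"


def sse_request_headers(method: str, cmk_id: Optional[str] = None) -> Dict[str, str]:
    """Headers that select a server-side encryption method on PutObject (or a
    metadata update): "AES256" for SSE-OSS, "KMS" for SSE-KMS with the default
    CMK, "KMS" plus a key ID for SSE-KMS with a specified CMK."""
    if method == "AES256":
        if cmk_id is not None:
            raise ValueError("a CMK ID applies only to SSE-KMS")
        return {SSE_HEADER: "AES256"}
    if method == "KMS":
        headers = {SSE_HEADER: "KMS"}
        if cmk_id:
            headers[SSE_KEY_ID_HEADER] = cmk_id
        return headers
    raise ValueError(f"unsupported server-side encryption method: {method!r}")


def is_encrypted_as(headers: Dict[str, str], method: str, cmk_id: Optional[str] = None) -> bool:
    """True if response or HeadObject headers report the object stored with
    `method` (and, for SSE-KMS with a specified CMK, that exact key). Header
    names are matched case-insensitively because HTTP clients differ in how
    they report them."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get(SSE_HEADER) != method:
        return False
    return cmk_id is None or lowered.get(SSE_KEY_ID_HEADER) == cmk_id


# Constructed HeadObject-style metadata for a few objects in one bucket (not real data).
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "docs/a.txt": {"Content-Length": "10"},  # uploaded before encryption was configured
    "docs/b.txt": {"X-Oss-Server-Side-Encryption": "AES256"},  # SSE-OSS
    "docs/c.txt": {SSE_HEADER: "KMS", SSE_KEY_ID_HEADER: "cmk-example-0001"},  # SSE-KMS, specified CMK
}


def plan_reencryption(bucket: str, inventory: Dict[str, Dict[str, str]],
                      method: str, cmk_id: Optional[str] = None) -> List[dict]:
    """CopyObject requests (source == destination) that would rewrite every
    object not yet stored with the target method, so that each is re-encrypted
    on the way in. Objects already stored as intended are left alone."""
    plan = []
    for key, meta in inventory.items():
        if is_encrypted_as(meta, method, cmk_id):
            continue
        plan.append({
            "bucket": bucket,
            "key": key,
            "copy_source": f"/{bucket}/{key}",
            "headers": sse_request_headers(method, cmk_id),
        })
    return plan


if __name__ == "__main__":
    for request in plan_reencryption("example-bucket", SAMPLE_INVENTORY, "KMS", "cmk-example-0001"):
        print(request["key"], request["headers"])
```

Run the plan against a real inventory only after confirming the RAM user holds the upload permissions listed above, and re-check each object with is_encrypted_as afterwards: the response header is the only signal that the copy actually landed encrypted.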