
MaxCompute:Storage encryption

Last Updated: Dec 05, 2025

If a MaxCompute project contains sensitive information, such as personal identity information, financial records, or health records, you can enable data storage encryption to protect this data from unauthorized access. MaxCompute uses Key Management Service (KMS) to encrypt stored data. This feature provides data-at-rest protection to meet enterprise regulatory and security compliance requirements.

Storage encryption mechanism

MaxCompute uses keys hosted in KMS to encrypt or decrypt data. The data storage encryption mechanism is as follows:

  • MaxCompute uses KMS to encrypt or decrypt data on a per-project basis.

  • KMS generates and manages customer master keys (CMKs) and ensures key security.

  • MaxCompute supports the AES256, AESCTR, and RC4 encryption algorithms.

  • MaxCompute supports data encryption and decryption using a default key or a Bring-Your-Own-Key (BYOK).

    • Default key (MaxCompute Default Key): MaxCompute automatically creates a key in KMS to use as the CMK. You can view the details of this key in the KMS console.

    • BYOK: To meet various business and security requirements, MaxCompute also supports data encryption and decryption using a key that you create and manage in KMS yourself.

      • To use a BYOK to encrypt or decrypt data, you must manually activate KMS and create a key. For more information, see CreateKey.

      • Follow the on-screen instructions to complete Resource Access Management (RAM) authorization. This grants MaxCompute the permissions required to create a project that uses the BYOK.

  • You can use custom RAM policies to control whether new projects are encrypted. For more information about the policy content, see Access policy.

Limitations

  • If you use a BYOK to encrypt or decrypt data, you must activate KMS in the region where the MaxCompute project resides.

  • When a Hologres foreign table accesses MaxCompute, Hologres V1.1 or later is required. You must also grant KMS permissions to Hologres. BYOK is supported only in the China (Shanghai) region. For more information, see Query encrypted MaxCompute data.

  • Operations on your BYOK in KMS, such as disabling or deleting the key, affect data encryption and decryption in MaxCompute. Because MaxCompute uses caching, changes made in KMS can take up to 24 hours to take effect.

  • You cannot change the storage encryption settings for an existing project. For example, you cannot disable storage encryption or change the encryption algorithm.

  • If you enable storage encryption for an existing project, the historical data in the project is not automatically encrypted. This does not affect normal read and write operations. To encrypt the historical data, you must manually read the data and then write it back to the project.

Billing

The data storage encryption feature of MaxCompute is free of charge. However, this feature interacts with KMS APIs, and KMS charges for its services. For more information about billing, see Billing of KMS.

Enable storage encryption for a new project

After you enable data storage encryption, MaxCompute automatically handles encryption and decryption during data read and write operations.

Method 1: Enable data storage encryption in the MaxCompute console

  1. Activate KMS. If KMS is already activated in your region, skip this step.

    On the Key Management Service (KMS) activation page, click Activate Now.

  2. Log on to the MaxCompute console and select a region in the top-left corner.

  3. In the navigation pane on the left, choose Manage Configurations > Projects.

  4. On the Internal Project tab, click Create Project.

  5. In the Create Project dialog box, configure the project parameters and click OK.

    • Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.

    • Key: The type of key used by the project, which includes the default key created by MaxCompute (MaxCompute Default Key) and Bring-Your-Own-Key (BYOK).

      • To use the default key, select MaxCompute Default Key.

      • To use a BYOK, select CMK.

    • Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.

Method 2: Enable data storage encryption in DataWorks

  1. Activate KMS. If KMS is already activated in your region, skip this step.

    On the Key Management Service (KMS) activation page, click Activate Now.

  2. Log on to the DataWorks console and select a region in the upper-left corner.

  3. In the navigation pane on the left, click Workspace.

  4. On the Workspaces page, click Create Workspace.

    For more information, see Create a workspace.

  5. Associate a MaxCompute compute resource.

    1. After the workspace is created, on the Workspaces page, find the target workspace and click Manage in the Actions column.

    2. On the Workspace Details page, click Computing Resource in the navigation pane on the left.

    3. On the Computing Resource page, click Associate Compute Resource, and select MaxCompute.

    4. Configure the Associate MaxCompute Compute Resource Basic Information.

      • For MaxCompute Project, click Create.

      • Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.

      • Key: The type of key used by the project, which includes the default key created by MaxCompute (MaxCompute Default Key) and Bring-Your-Own-Key (BYOK).

        • To use the default key, select MaxCompute Default Key.

        • To use a BYOK, select CMK.

      • Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.

Enable storage encryption for an existing project

You can enable storage encryption for an existing project only if it is not already enabled. Once storage encryption is enabled, you cannot disable it or change the encryption algorithm.

  1. Configure permissions

    • To enable storage encryption, you must modify the parameters in the Basic Properties section of the MaxCompute project. This operation requires RAM authentication, and you must have the Super_Administrator role for the project.

    • To configure the permission properties and IP address whitelist for a MaxCompute project, you must have management permissions for the project. This includes roles such as Super_Administrator, Admin, or a custom administrator role.

    • For more information, see Permissions on project management and Use RAM for access control.

  2. Log on to the MaxCompute console and select a region in the top-left corner.

  3. In the navigation pane on the left, choose Manage Configurations > Projects.

  4. On the Projects page, find the target project and click Manage in its Actions column.

  5. On the Project Settings page, click the Parameter Configuration tab.

  6. In the Basic Properties section, click Edit.

    • Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.

    • Key: The type of key used by the project, which includes the default key created by MaxCompute (MaxCompute Default Key) and Bring-Your-Own-Key (BYOK).

      • To use the default key, select MaxCompute Default Key.

      • To use a BYOK, select CMK.

    • Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.

  7. Click Submit to enable storage encryption for the existing project.
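After storage encryption is enabled on an existing project, the historical data still has to be read and written back before it is stored encrypted (see Limitations). The following added example, which is not MaxCompute's or pyodps's own code, builds that rewrite as one INSERT OVERWRITE ... SELECT statement per partition, validates every identifier it splices into the SQL, and optionally runs the statements through a pyodps client; the pyodps attribute names (get_table, table_schema.partitions, partitions, partition_spec, execute_sql) and the partition-spec string format are assumptions, and the table and partition names are constructed.

```python
"""Rewrite a MaxCompute table in place so its historical data is stored under
the project's (newly enabled) storage encryption.  Added example, not
MaxCompute's or pyodps's own code; table and partition names are constructed."""
import re
from typing import Iterable, List

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_KV = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*='[^']*'$")

def _ident(name: str) -> str:
    """Validate an identifier read from table metadata before splicing it into
    SQL, so an odd name cannot turn the rewrite into a different query."""
    if not _IDENT.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return name

def rewrite_statements(table: str, partition_columns: List[str],
                       partition_specs: Iterable[str]) -> List[str]:
    """One INSERT OVERWRITE ... SELECT per partition (one in total for a
    non-partitioned table): each reads the data and writes it back to the
    same place, so a failure affects one partition and the job can resume."""
    t = f"`{_ident(table)}`"
    if not partition_columns:
        return [f"INSERT OVERWRITE TABLE {t} SELECT * FROM {t};"]
    # Dynamic-partition form: SELECT * returns partition columns last, which
    # is the order the PARTITION (...) column list expects.
    cols = ", ".join(_ident(c) for c in partition_columns)
    stmts = []
    for spec in partition_specs:
        # spec is assumed to be pyodps's string form, e.g.
        # "ds='20240101',region='cn'", with no commas or quotes in values.
        parts = [p.strip() for p in spec.split(",")]
        if not all(_KV.match(p) for p in parts):
            raise ValueError(f"unexpected partition spec: {spec!r}")
        stmts.append(f"INSERT OVERWRITE TABLE {t} PARTITION ({cols}) "
                     f"SELECT * FROM {t} WHERE {' AND '.join(parts)};")
    return stmts

def rewrite_table(client, table: str) -> int:
    """Run the rewrite through an existing pyodps ODPS client (assumed API:
    get_table, Table.table_schema.partitions, Table.partitions, and
    execute_sql, which blocks until the SQL instance finishes)."""
    tbl = client.get_table(table)
    pcols = [c.name for c in tbl.table_schema.partitions]
    specs = [str(p.partition_spec) for p in tbl.partitions] if pcols else []
    stmts = rewrite_statements(table, pcols, specs)
    for stmt in stmts:
        client.execute_sql(stmt)
    return len(stmts)
```

Review the generated statements with rewrite_statements before calling rewrite_table, since each INSERT OVERWRITE replaces the partition it targets.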

Related documents

  • You can also use access control lists (ACLs) and role-based access control to grant permissions at the project and table levels. This ensures that only authorized users can access data. For more information, see ACL-based access control.

  • If a project user has permission to query sensitive data but you do not want them to view the complete sensitive information, you can dynamically mask the data in query results. For more information, see Dynamic data masking.

  • To encrypt only specific data within a table, you can use the encryption functions that MaxCompute provides. For more information, see Encryption functions.