Storage encryption
MaxCompute encrypts data at rest using Key Management Service (KMS), protecting sensitive data such as PII, financial records, and health records from unauthorized access and helping you meet compliance requirements.
How it works
MaxCompute uses KMS-managed keys to encrypt and decrypt data:
Encryption and decryption operate at the project level.
KMS generates, manages, and secures the customer master key (CMK).
MaxCompute supports the AES256, AESCTR, and RC4 encryption algorithms.
MaxCompute supports two key types: the MaxCompute Default Key and bring-your-own-key (BYOK).
MaxCompute Default Key
MaxCompute automatically creates a key in KMS to use as the CMK. You can view the details of this key in the KMS console.
To meet specific business and security requirements, you can use a BYOK to encrypt and decrypt data.
To use a BYOK, manually activate KMS and call CreateKey to create a key.
Follow the on-screen instructions to complete RAM authorization, allowing MaxCompute to create a project that uses your BYOK.
Use a custom RAM Access policy to enforce encryption requirements for new projects.
Usage notes
To use a BYOK, activate KMS in the same region as your MaxCompute project.
To access MaxCompute data from a Hologres external table:
Hologres must be V1.1 or later with KMS permissions granted. For regions in the China mainland, BYOK supports only KMS in the China (Shanghai) region. For the China (Hong Kong) region and regions outside the China mainland, KMS in the corresponding region is supported. For more information, see Query encrypted MaxCompute data.
Starting from Hologres V3.2, you can use the Common Table access path to query encrypted MaxCompute data. This mode requires no additional policy configuration and supports projects encrypted with either the Default Key or a KMS key. For more information, see Common Table.
Actions on your BYOK in KMS, such as disabling or deleting the key, affect MaxCompute encryption and decryption. Due to service caching, KMS changes take effect within 24 hours.
You cannot change storage encryption settings after a project is created, including disabling encryption or changing the algorithm.
Enabling storage encryption for an existing project does not automatically encrypt existing data or affect read/write operations. To encrypt existing data, manually read and rewrite it.
Billing
Storage encryption is free. However, KMS API calls during encryption and decryption incur charges from KMS. KMS billing.
Enable storage encryption for a new project
With storage encryption enabled, MaxCompute automatically encrypts and decrypts data for all read and write operations in the project.
Method 1: Enable in the MaxCompute console
If KMS is already activated in your target region, you can skip this step.
On the Key Management Service activation page, click Activate Now.
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Internal Project tab, click Create Project.
In the Create Project dialog box, configure the settings and click OK.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The key type. Options: MaxCompute Default Key or BYOK.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm. Supported: AES256, AESCTR, and RC4.
Method 2: Enable in DataWorks
If KMS is already activated in your target region, you can skip this step.
On the Key Management Service activation page, click Activate Now.
Log in to the DataWorks console and select a region in the upper-left corner.
In the navigation pane on the left, choose Workspace.
On the Workspaces page, click Create Workspace.
Associate a MaxCompute compute resource.
After the workspace is created, go to the Workspaces page, find the target workspace, and click Manage in the Actions column.
On the Workspace Details page, click Computing Resource in the navigation pane on the left.
On the Computing Resource page, click Associate Computing Resources, and select MaxCompute.
Configure the Basic Information for Associate MaxCompute Computing Resource.
For MaxCompute Project, click Create.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The key type. Options: MaxCompute Default Key or BYOK.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm. Supported: AES256, AESCTR, and RC4.
Enable storage encryption for an existing project
You can enable storage encryption only for unencrypted projects. Once enabled, you cannot disable encryption or change the algorithm.
Configure permissions
Enabling storage encryption requires modifying the project's Basic Properties, which requires RAM authentication and the Super_Administrator role.
Configuring other project parameters (permissions, IP address whitelist) requires administrative roles such as Super_Administrator, Admin, or a custom role.
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Projects page, click Manage in the Actions column for the target project.
On the Project Settings page, click the Parameter Configuration tab.
In the Basic Properties section, click Edit.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The key type. Options: MaxCompute Default Key or BYOK.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm. Supported: AES256, AESCTR, and RC4.
Click Submit to enable storage encryption for the existing project.
References
Use ACL-based and role-based authorization at the project and table levels to restrict data access. ACL-based access control.
To hide raw sensitive data from authorized query users, apply dynamic data masking to query results.
To encrypt specific data within a table, use MaxCompute Encryption functions.