When a MaxCompute project contains sensitive information such as personally identifiable information (PII), financial records, or health records, enabling storage encryption protects this data from unauthorized access. MaxCompute integrates with Key Management Service (KMS) to encrypt data before storing it. This provides data-at-rest protection and helps you meet enterprise regulatory and security compliance requirements.
Encryption mechanism
MaxCompute uses keys managed in KMS to encrypt and decrypt data. The storage encryption mechanism works as follows:
MaxCompute applies encryption and decryption at the project level, using KMS to process all data stored within an encrypted project.
KMS generates, manages, and secures the Customer Master Key (CMK).
MaxCompute supports the AES-256, AES-CTR, and RC4 encryption algorithms.
MaxCompute supports data encryption and decryption using either a default key or a Bring-Your-Own-Key (BYOK).
MaxCompute Default Key
MaxCompute automatically creates a key in KMS to use as the CMK. You can view the details of this key in the KMS console.
Bring-Your-Own-Key (BYOK)
To meet specific business and security requirements, you can use your own key that you create and manage in KMS. This approach is called Bring-Your-Own-Key (BYOK).
To use the BYOK option, you must first activate KMS and create a key.
You must also grant the required RAM authorization as prompted in the UI. This grants MaxCompute the necessary permissions to create and use projects with your BYOK.
You can use a custom RAM Access Policy to enforce whether new projects must be encrypted. For more information, see Access policy.
Scope and limitations
To use the Bring-Your-Own-Key (BYOK) option, you must first activate KMS in the same region as your MaxCompute project.
When accessing MaxCompute data from a Hologres external table, Hologres must be version 1.1 or later. You must grant the necessary KMS permissions to Hologres. Additionally, the BYOK option in this scenario only supports KMS keys in the China (Shanghai) region. For details, see Query encrypted MaxCompute data.
Actions on your BYOK in the KMS console, such as disabling or deleting the key, affect MaxCompute's ability to encrypt and decrypt data. Due to caching within the MaxCompute service, changes in KMS may take up to 24 hours to take effect.
You cannot change the storage encryption configuration of a project after its creation. This includes disabling storage encryption or changing the encryption algorithm.
Enabling storage encryption for an existing project does not automatically encrypt existing data. This data remains unencrypted but is still accessible for read and write operations. To encrypt existing data, you must manually read the data and write it back into the project.
Billing
MaxCompute storage encryption is free of charge. However, MaxCompute interacts with KMS APIs during encryption and decryption operations, which incurs costs from the KMS service. For detailed billing information, see Billing of KMS.
Enable storage encryption for a new project
After you enable storage encryption, MaxCompute automatically encrypts and decrypts data during all read and write operations within the project.
Method 1: Enable storage encryption in the MaxCompute console
If KMS is already activated in your target region, you can skip this step.
On the Key Management Service (KMS) activation page, click Activate Now.
Log on to the MaxCompute console and select a region in the top-left corner.
In the navigation pane on the left, choose .
On the Internal Project tab, click Create Project.
In the Create Project dialog box, configure the project parameters and click OK.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The type of key to use for the project. Options include the default key created by MaxCompute and a key that you manage.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.
Method 2: Enable storage encryption in DataWorks
If KMS is already activated in your target region, you can skip this step.
On the Key Management Service (KMS) activation page, click Activate Now.
Log on to the DataWorks console and select a region in the upper-left corner.
In the left navigation pane, click Workspace.
On the Workspaces page, click Create Workspace.
For more information, see Create a workspace.
Associate a MaxCompute compute resource.
After the workspace is created, on the Workspaces page, find the target workspace and click Manage in the Actions column.
On the Workspace Details page, click Computing Resource in the left navigation pane.
On the Computing Resource page, click Associate Compute Resource, and select MaxCompute.
Configure the Basic Information for Associate MaxCompute Compute Resource.
For MaxCompute Project, click Create.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The type of key to use for the project. Options include the default key created by MaxCompute and a key that you manage.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.
Enable storage encryption for an existing project
You can enable storage encryption only for projects that do not already have it enabled. For projects that already have storage encryption enabled, you cannot disable it or change the encryption algorithm.
Configure permissions
To enable storage encryption, you must modify the Basic Properties of a MaxCompute project. This action is authenticated by RAM and requires the Super_Administrator role for the project.
To configure other project properties, such as permissions and the IP Address Whitelist, you need administrative privileges for the project. This includes roles such as Super_Administrator, Admin, or a custom administrative role. For more information, see Permissions on project management and Use RAM for access control.
Log on to the MaxCompute console and select a region in the top-left corner.
In the navigation pane on the left, choose .
On the Projects page, find the target project and click Manage in its Actions column.
On the Project Settings page, click the Parameter Configuration tab.
In the Basic Properties section, click Edit.
Set Storage Encryption to Yes, and then select a Key and the corresponding Algorithm.
Key: The type of key to use for the project. Options include the default key created by MaxCompute and a key that you manage.
To use the default key, select MaxCompute Default Key.
To use a BYOK, select CMK.
Algorithm: The encryption algorithm for the key. Supported algorithms are AES256, AESCTR, and RC4.
Click Submit to enable storage encryption for the existing project.
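Because enabling storage encryption on an existing project leaves previously written data unencrypted until it is read and written back, the following MaxCompute SQL is an added example (not from the MaxCompute documentation) of that rewrite step; the table names, columns, and the dt partition column are assumed.

```sql
-- Added example, not from the MaxCompute documentation. Run after storage
-- encryption has been enabled on the project; every write performed now is
-- stored under the project's encryption settings. Table and column names are
-- assumed for illustration.

-- 1. Non-partitioned table: read every row and write it back in place.
INSERT OVERWRITE TABLE customer_pii
SELECT * FROM customer_pii;

-- 2. Partitioned table: rewrite all partitions in one statement using dynamic
--    partitioning, so each partition is re-stored under the encryption settings.
INSERT OVERWRITE TABLE txn_records PARTITION (dt)
SELECT txn_id, account_id, amount, dt
FROM txn_records;

-- 3. Safer variant: copy into a table created after encryption was enabled,
--    verify the row counts match, then swap the tables.
CREATE TABLE IF NOT EXISTS txn_records_enc LIKE txn_records;

INSERT OVERWRITE TABLE txn_records_enc PARTITION (dt)
SELECT txn_id, account_id, amount, dt
FROM txn_records;

-- Both counts must agree before the original is retired.
SELECT 'original' AS src, COUNT(*) AS cnt FROM txn_records
UNION ALL
SELECT 'rewritten' AS src, COUNT(*) AS cnt FROM txn_records_enc;

-- Only after the counts match: keep the old copy until it is confirmed unneeded.
ALTER TABLE txn_records RENAME TO txn_records_pre_encryption;
ALTER TABLE txn_records_enc RENAME TO txn_records;
```

Drop txn_records_pre_encryption only after the rewritten table has been validated, since the renamed table still holds the unencrypted copy.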
Related documentation
To control data access at the project or table level, you can use ACL-based and role-based authorization. For more information, see ACL-based access control.
If users have permission to query sensitive data but should not see the complete, raw information, you can apply Dynamic Data Masking to the query results. For more information, see Dynamic data masking.
If you only need to encrypt specific columns within a table, you can use the built-in Encryption Functions. For more information, see Encryption functions.