Object Storage Service (OSS) provides server-side encryption, client-side encryption, and encrypted transmission based on SSL or Transport Layer Security (TLS) to protect data from potential security risks on the cloud.

Server-side encryption

OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS decrypts the data and returns the decrypted data. In addition, a header is added to the response to declare that the data is encrypted on the server.

OSS uses server-side encryption to protect data at rest. Use this method in scenarios that require additional security or compliance, such as the storage of deep learning samples and online collaborative documents. Choose one of the following methods to implement server-side encryption, depending on how you want the encryption keys to be managed:
  • Server-side encryption that uses customer master keys (CMKs) stored in Key Management Service (KMS) (SSE-KMS)

    When you upload an object, you can use a specified CMK ID or the default CMK stored in KMS to encrypt and decrypt the object. This method is suitable for encrypting and decrypting large amounts of data, and it is cost-effective because the data itself is not sent to the KMS server for encryption and decryption.

    KMS is a secure and easy-to-use management service provided by Alibaba Cloud. KMS ensures the privacy, integrity, and availability of your keys at minimal cost. Therefore, you can focus on the development of encryption and decryption functions that best suit your needs. You can view and manage keys in the KMS console.

    KMS encrypts data based on AES-256 and stores and manages CMKs that are used to encrypt data keys. KMS also generates data keys that can be used to encrypt and decrypt data. In addition, envelope encryption provided by KMS can protect your data and corresponding data keys from unauthorized access. You can use the default CMK stored in KMS or generate a CMK by using your BYOK materials or BYOK materials provided by Alibaba Cloud.

    The following figure shows the logic of SSE-KMS. [Figure: Encryption 1]
  • Server-side encryption that uses OSS-managed keys (SSE-OSS)

    This encryption method is an attribute of objects. OSS server-side encryption uses AES-256 to encrypt objects with different data keys. The CMKs used to encrypt the data keys are rotated regularly for greater security. This method is suitable for encrypting and decrypting multiple objects at a time.

    In this method, data keys are generated and managed by OSS. To apply server-side encryption to an object, set the default server-side encryption method of the bucket that contains the object to AES-256. Alternatively, include the x-oss-server-side-encryption header in the request that uploads the object or modifies its metadata, and set the header value to AES256.

For more information, see Server-side encryption in OSS Developer Guide.
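As an added example (not code from the OSS documentation or SDK), the following Go program models the two server-side encryption modes above and the check that the upload response actually declares the encryption you asked for. The AES256 header value is on this page; the KMS value and the x-oss-server-side-encryption-key-id header are assumed from the OSS API reference, SimulateOSS stands in for the service so the program runs offline, and <your-cmk-id> is a placeholder.

```go
package main

import (
	"errors"
	"fmt"
)

// Values of the x-oss-server-side-encryption header. AES256 (SSE-OSS) is on
// the page; KMS and the key-id header are assumed from the OSS API reference.
const (
	SSEOSS      = "AES256"
	SSEKMS      = "KMS"
	HdrSSE      = "x-oss-server-side-encryption"
	HdrSSEKeyID = "x-oss-server-side-encryption-key-id"
)

// UploadHeaders builds the request headers that ask OSS to encrypt the
// uploaded object. An empty mode leaves the choice to the bucket default;
// for SSE-KMS an empty cmkID means the default CMK in KMS.
func UploadHeaders(mode, cmkID string) (map[string]string, error) {
	h := map[string]string{}
	switch mode {
	case "":
	case SSEOSS:
		h[HdrSSE] = SSEOSS
	case SSEKMS:
		h[HdrSSE] = SSEKMS
		if cmkID != "" {
			h[HdrSSEKeyID] = cmkID
		}
	default:
		return nil, fmt.Errorf("unsupported server-side encryption mode %q", mode)
	}
	return h, nil
}

// EffectiveMode models which encryption the stored object gets: a per-request
// header takes precedence, otherwise the bucket default applies, and an empty
// result means the object is stored in plaintext.
func EffectiveMode(bucketDefault string, reqHeaders map[string]string) string {
	if m, ok := reqHeaders[HdrSSE]; ok {
		return m
	}
	return bucketDefault
}

// SimulateOSS stands in for the service in this offline example: it returns
// the response headers OSS would add for an object stored under EffectiveMode.
func SimulateOSS(bucketDefault string, reqHeaders map[string]string) map[string]string {
	resp := map[string]string{}
	if m := EffectiveMode(bucketDefault, reqHeaders); m != "" {
		resp[HdrSSE] = m
		if id, ok := reqHeaders[HdrSSEKeyID]; ok {
			resp[HdrSSEKeyID] = id
		}
	}
	return resp
}

// CheckEncrypted is the post-upload check a compliance-sensitive workflow
// should run: the response must declare the encryption that was required.
// A missing header means the object landed in plaintext.
func CheckEncrypted(respHeaders map[string]string, want string) error {
	got, ok := respHeaders[HdrSSE]
	if !ok {
		return errors.New("no " + HdrSSE + " header in response: object stored unencrypted")
	}
	if got != want {
		return fmt.Errorf("object encrypted with %s, expected %s", got, want)
	}
	return nil
}

func main() {
	// Bucket without default encryption and an upload that sets no header.
	h, _ := UploadHeaders("", "")
	fmt.Println("plain upload:", CheckEncrypted(SimulateOSS("", h), SSEOSS))
	// Same bucket, but the request asks for SSE-KMS with a placeholder CMK ID.
	h, _ = UploadHeaders(SSEKMS, "<your-cmk-id>")
	fmt.Println("SSE-KMS upload:", CheckEncrypted(SimulateOSS("", h), SSEKMS))
}
```

The first upload in main fails the check because neither the bucket nor the request asked for encryption; that is the case a bucket default of AES-256 is meant to close.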

Client-side encryption

Client-side encryption is performed to encrypt objects on the local client before the objects are uploaded to OSS. When you use client-side encryption, you are responsible for the integrity and validity of the CMKs. When you copy or migrate encrypted data, you are responsible for the integrity and validity of the object metadata related to client-side encryption.

In client-side encryption, a random data key is generated for each object and used to encrypt that object symmetrically. The client generates the data key at random and encrypts it with a CMK. The encrypted data key is saved as part of the object metadata and stored on the OSS server. When an encrypted object is downloaded, the client uses the CMK to decrypt the random data key and then uses the data key to decrypt the object. The CMK is used only on the client and is neither transmitted over the network nor stored on the server, which ensures data security.

You can manage CMKs in one of the following ways:
  • Use KMS-managed CMKs
    If you use KMS-managed CMKs for client-side encryption, you need only specify the CMK ID when you upload objects; you do not need to provide the client with a data key. The following figure shows the logic of KMS-managed CMKs for client-side encryption. [Figure: Encryption 2]
  • Use customer-managed CMKs
    To use this method for client-side encryption, you must generate and manage CMKs yourself. When you implement client-side encryption on an object to upload, you must provide the client with a symmetric or asymmetric CMK. The following figure shows the logic of customer-managed CMKs for client-side encryption. [Figure: key3]

For more information, see Client-side encryption in OSS Developer Guide.
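The envelope scheme described above, as an added example that is not the OSS SDK's client-side encryption implementation: a fresh random data key per object, the object encrypted with that key, and the data key wrapped with a customer-managed CMK and carried in the object metadata. It uses Go's standard-library AES-256-GCM; the metadata key names and the 32-byte symmetric CMK are illustrative assumptions, not the SDK's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Metadata keys under which the wrapped data key travels with the object.
// The names are illustrative, not the OSS SDK's own client-side encryption format.
const (
	metaWrappedKey = "x-oss-meta-client-side-encryption-key"
	metaAlg        = "x-oss-meta-client-side-encryption-alg"
)

// EncryptedObject is what gets uploaded: the ciphertext plus object metadata.
type EncryptedObject struct {
	Body     []byte
	Metadata map[string]string
}

// seal encrypts with AES-256-GCM under a fresh random nonce, which is
// prefixed to the ciphertext so that unseal can find it again.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM authentication makes it fail on a wrong key or on
// any modification of the ciphertext.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than the GCM nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptObject generates a fresh random 256-bit data key for this object,
// seals the object with it, seals the data key with the CMK and stores only
// the wrapped data key in the metadata. The CMK itself never leaves the client.
func EncryptObject(cmk, plaintext []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	body, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(cmk, dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Body: body, Metadata: map[string]string{
		metaWrappedKey: base64.StdEncoding.EncodeToString(wrapped),
		metaAlg:        "AES-256-GCM",
	}}, nil
}

// DecryptObject unwraps the data key with the CMK and then decrypts the body.
// If a copy or migration dropped the metadata, the object is unrecoverable
// even with the right CMK, which is why that metadata is your responsibility.
func DecryptObject(cmk []byte, obj *EncryptedObject) ([]byte, error) {
	enc, ok := obj.Metadata[metaWrappedKey]
	if !ok {
		return nil, errors.New("wrapped data key missing from object metadata")
	}
	wrapped, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	dataKey, err := unseal(cmk, wrapped)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong CMK or damaged metadata): %w", err)
	}
	return unseal(dataKey, obj.Body)
}
```

Call EncryptObject with a 32-byte CMK and the object bytes, upload Body with Metadata as object metadata, and call DecryptObject with the same CMK on download. DecryptObject refuses to proceed when the wrapped key is missing from the metadata, which is the failure the page warns about when encrypted objects are copied or migrated without their metadata; a wrong CMK or a modified body fails GCM authentication instead of yielding garbage.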

Encrypted transmission based on the SSL or TLS protocol

OSS supports access over both HTTP and HTTPS. You can configure a bucket policy to allow access only over HTTPS (TLS) for better security in data transmission. TLS is a cryptographic protocol that provides confidentiality and integrity for data exchanged between communicating applications over a network. For more information, see Configure bucket policies to authorize other users to access OSS resources.
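As an added example (not from the OSS documentation), the bucket policy below denies all OSS actions on a bucket when the request did not arrive over TLS, together with a minimal Go evaluator that shows which requests the policy blocks. The statement layout and the acs:SecureTransport condition key are assumed from the OSS bucket policy reference; examplebucket and the request values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Bucket policy that denies every OSS action on examplebucket unless the
// request arrived over TLS. Statement shape and the acs:SecureTransport key
// are assumed from the OSS bucket policy reference; the bucket is a placeholder.
const httpsOnlyPolicy = `{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["oss:*"],
    "Principal": ["*"],
    "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
    "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}
  }]
}`

type Statement struct {
	Effect    string                         `json:"Effect"`
	Action    []string                       `json:"Action"`
	Principal []string                       `json:"Principal"`
	Resource  []string                       `json:"Resource"`
	Condition map[string]map[string][]string `json:"Condition"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Request carries the parts of an OSS request this policy's conditions look at.
type Request struct {
	Action, Resource string
	SecureTransport  bool // true when the request came in over HTTPS
}

func LoadPolicy() (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(httpsOnlyPolicy), &p)
	return p, err
}

// matchGlob matches policy patterns where "*" stands for any run of characters.
func matchGlob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if matchGlob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && pattern[0] == s[0] && matchGlob(pattern[1:], s[1:])
}

func anyMatch(patterns []string, s string) bool {
	for _, p := range patterns {
		if matchGlob(p, s) {
			return true
		}
	}
	return false
}

// Denied reports whether a Deny statement applies to the request. Only the Bool
// operator on acs:SecureTransport is modelled; anything else is an error rather
// than silently ignored, so the model never fails open. Requests that are not
// denied here still go through RAM and ACL checks, which this model leaves out.
func Denied(p Policy, r Request) (bool, error) {
	for _, st := range p.Statement {
		if st.Effect != "Deny" || !anyMatch(st.Action, r.Action) || !anyMatch(st.Resource, r.Resource) {
			continue
		}
		applies := true
		for op, keys := range st.Condition {
			if op != "Bool" {
				return false, fmt.Errorf("unsupported condition operator %q", op)
			}
			for key, vals := range keys {
				if key != "acs:SecureTransport" {
					return false, fmt.Errorf("unsupported condition key %q", key)
				}
				if !anyMatch(vals, fmt.Sprint(r.SecureTransport)) {
					applies = false
				}
			}
		}
		if applies {
			return true, nil
		}
	}
	return false, nil
}
```

The Deny statement is scoped to the bucket and its objects, so a plain-HTTP request to another bucket is not affected by it, and an HTTPS request to examplebucket passes this policy and is then subject to the usual authorization checks.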