Object Storage Service (OSS) supports server-side encryption (SSE). When you upload data, OSS encrypts the data before storing it. When you download data, OSS automatically decrypts the stored data and returns the raw data. The HTTP response header indicates that the data was encrypted on the server.
Notes
Before you configure server-side encryption, ensure that you understand this feature. For more information, see Server-side encryption.
In this topic, the public endpoint of the China (Hangzhou) region is used. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For details about supported regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.
To configure bucket encryption, you must have the oss:PutBucketEncryption permission. To retrieve the bucket encryption configuration, you must have the oss:GetBucketEncryption permission. To delete the bucket encryption configuration, you must have the oss:DeleteBucketEncryption permission. For more information, see Grant custom access policies to a RAM user.
Configure bucket encryption
After you set a default encryption method for a bucket, all objects that are uploaded to the bucket are encrypted using this method if no encryption method is specified during the upload.
The following code shows how to set the default encryption method for a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;
// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
    // Each putBucketEncryption call replaces the bucket's current default encryption configuration,
    // so of the three calls below only the last one remains in effect. Keep the one you need.
    // Set the default server-side encryption method of the bucket to SSE-OSS.
    $config = new ServerSideEncryptionConfig("AES256");
    $ossClient->putBucketEncryption($bucket, $config);
    // Set the default server-side encryption method of the bucket to KMS without specifying a CMK ID.
    $config = new ServerSideEncryptionConfig("KMS");
    $ossClient->putBucketEncryption($bucket, $config);
    // Set the default server-side encryption method of the bucket to KMS and specify a CMK ID.
    $config = new ServerSideEncryptionConfig("KMS", "your kms id");
    $ossClient->putBucketEncryption($bucket, $config);
} catch (OssException $e) {
    print(__FUNCTION__ . ": FAILED\n");
    // Use print(), not printf(): an error message that contains "%" would otherwise be parsed as a format string.
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information, see PutBucketEncryption.
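The sample above sets the default, but a default that is later changed or deleted silently leaves new uploads unencrypted. The following script is an added example, not code from the OSS documentation or the SDK: it reads the live configuration back, compares it with an expected policy, and re-applies the policy when it is missing or has drifted. The CMK ID and bucket name are placeholders; the expected algorithm and the handling of the NoSuchServerSideEncryptionRule error code (returned when no default is configured) are assumptions of this example.

```php
<?php
// Added example: verify that a bucket's default server-side encryption
// matches an expected policy and re-apply it if it has drifted or is missing.
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;
use OSS\OssClient;

// Expected policy (assumed for this example): KMS with one specific CMK.
const EXPECTED_ALGORITHM  = 'KMS';
const EXPECTED_KMS_KEY_ID = '<yourCmkId>';   // placeholder

/**
 * Compare the bucket's live default encryption with the expected policy.
 * Returns a list of findings; an empty list means the bucket is compliant.
 */
function encryptionFindings(OssClient $client, string $bucket): array
{
    try {
        $config = $client->getBucketEncryption($bucket);
    } catch (OssException $e) {
        // Assumed: OSS answers with this error code when no default is set.
        if ($e->getErrorCode() === 'NoSuchServerSideEncryptionRule') {
            return ['no default server-side encryption configured'];
        }
        throw $e;   // any other failure is a real error, not a finding
    }

    $findings = [];
    $algorithm = $config->getSSEAlgorithm();
    $keyId     = $config->getKMSMasterKeyID();

    if ($algorithm !== EXPECTED_ALGORITHM) {
        $findings[] = sprintf('algorithm is %s, expected %s',
            $algorithm !== null && $algorithm !== '' ? $algorithm : '(none)',
            EXPECTED_ALGORITHM);
    }
    // For KMS, an empty key ID means the service-managed default key is used
    // rather than the dedicated CMK the policy requires.
    if (EXPECTED_ALGORITHM === 'KMS' && $keyId !== EXPECTED_KMS_KEY_ID) {
        $findings[] = sprintf('KMS master key ID is %s, expected %s',
            $keyId !== null && $keyId !== '' ? $keyId : '(none)',
            EXPECTED_KMS_KEY_ID);
    }
    return $findings;
}

$client = new OssClient([
    'provider'         => new EnvironmentVariableCredentialsProvider(),
    'endpoint'         => 'https://oss-cn-hangzhou.aliyuncs.com',
    'signatureVersion' => OssClient::OSS_SIGNATURE_VERSION_V4,
    'region'           => 'cn-hangzhou',
]);
$bucket = '<yourBucketName>';   // placeholder

try {
    $findings = encryptionFindings($client, $bucket);
    if ($findings === []) {
        print("$bucket: default encryption matches policy\n");
    } else {
        foreach ($findings as $finding) {
            print("$bucket: $finding\n");
        }
        // Remediate by re-applying the expected default. This affects only
        // uploads that carry no explicit encryption header from now on;
        // objects already stored are not re-encrypted.
        $client->putBucketEncryption(
            $bucket,
            new ServerSideEncryptionConfig(EXPECTED_ALGORITHM, EXPECTED_KMS_KEY_ID)
        );
        print("$bucket: default encryption re-applied\n");
    }
} catch (OssException $e) {
    print('check failed: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Run it from the same environment as the samples above (OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET set). The credential used needs both oss:GetBucketEncryption and oss:PutBucketEncryption; a read-only audit run can drop the remediation branch and keep only oss:GetBucketEncryption.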
Get the bucket encryption configuration
The following code shows how to retrieve the bucket encryption configuration:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;
// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
    // Get the bucket encryption configuration. The returned object is a ServerSideEncryptionConfig.
    $config = $ossClient->getBucketEncryption($bucket);
    // Print the bucket encryption configuration: the algorithm (AES256 or KMS) and, for KMS, the CMK ID (empty if none was specified).
    print($config->getSSEAlgorithm() . "\n");
    print($config->getKMSMasterKeyID() . "\n");
} catch (OssException $e) {
    print(__FUNCTION__ . ": FAILED\n");
    // Use print(), not printf(): an error message that contains "%" would otherwise be parsed as a format string.
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information, see GetBucketEncryption.
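Reading the bucket configuration tells you what the default is, not whether objects actually end up encrypted. The topic's introduction says that OSS signals server-side encryption in the HTTP response headers; the following added example (not code from the OSS documentation or the SDK) uses that to check the effect of the default: it uploads a small probe object with no encryption header of its own, reads the object's metadata, and reports the x-oss-server-side-encryption and x-oss-server-side-encryption-key-id headers, then deletes the probe. The probe key prefix and content are constructed for this example; the bucket name is a placeholder.

```php
<?php
// Added example: confirm that the bucket default encryption is applied to
// an upload that carries no explicit encryption header.
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\Core\OssException;
use OSS\OssClient;

/**
 * Return ['algorithm' => ..., 'keyId' => ...] for a stored object.
 * Both values are null when the object is stored without server-side
 * encryption; keyId is null for SSE-OSS (AES256).
 */
function objectEncryption(OssClient $client, string $bucket, string $object): array
{
    // getObjectMeta issues a HEAD request and returns the response headers.
    // Keys are normalised to lower case so the lookup does not depend on
    // how the SDK cases them.
    $headers = array_change_key_case($client->getObjectMeta($bucket, $object), CASE_LOWER);
    return [
        'algorithm' => $headers['x-oss-server-side-encryption'] ?? null,
        'keyId'     => $headers['x-oss-server-side-encryption-key-id'] ?? null,
    ];
}

$client = new OssClient([
    'provider'         => new EnvironmentVariableCredentialsProvider(),
    'endpoint'         => 'https://oss-cn-hangzhou.aliyuncs.com',
    'signatureVersion' => OssClient::OSS_SIGNATURE_VERSION_V4,
    'region'           => 'cn-hangzhou',
]);
$bucket = '<yourBucketName>';   // placeholder

// Constructed probe object: a random key under a dedicated prefix so the
// check never collides with real data.
$probe = 'sse-probe/' . bin2hex(random_bytes(8)) . '.txt';

try {
    // Deliberately send no x-oss-server-side-encryption header, so only the
    // bucket default can cause this object to be encrypted.
    $client->putObject($bucket, $probe, 'constructed probe content');

    $sse = objectEncryption($client, $bucket, $probe);
    if ($sse['algorithm'] === null) {
        print("$probe was stored WITHOUT server-side encryption: the bucket default is missing or was deleted\n");
    } else {
        print("$probe was stored with server-side encryption: {$sse['algorithm']}"
            . ($sse['keyId'] !== null ? " (key ID {$sse['keyId']})" : '') . "\n");
    }
} catch (OssException $e) {
    print('probe failed: ' . $e->getMessage() . "\n");
} finally {
    // Remove the probe whatever the outcome; ignore a failure here so the
    // result above is still reported.
    try {
        $client->deleteObject($bucket, $probe);
    } catch (OssException $e) {
        // nothing to do
    }
}
```

This needs object-level permissions (PutObject, GetObject for the HEAD request, DeleteObject) on the probe prefix in addition to the bucket-level permissions listed in the Notes. Running it right after changing or deleting the default configuration shows whether the change has taken effect for new uploads.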
Delete the bucket encryption configuration
The following code shows how to delete the bucket encryption configuration:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
    // Delete the bucket encryption configuration. Afterwards, objects uploaded without an explicit encryption method are no longer encrypted by default.
    $ossClient->deleteBucketEncryption($bucket);
} catch (OssException $e) {
    print(__FUNCTION__ . ": FAILED\n");
    // Use print(), not printf(): an error message that contains "%" would otherwise be parsed as a format string.
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information, see DeleteBucketEncryption.