
Object Storage Service: Server-side encryption (PHP SDK V1)

Last Updated: Mar 20, 2026

Object Storage Service (OSS) supports server-side encryption (SSE). When you upload an object, OSS encrypts it before writing it to disk. When you download the object, OSS decrypts it automatically and returns the original data. The HTTP response header indicates that the object was encrypted on the server.

Choose an encryption method

OSS provides two SSE methods, with SSE-KMS offering an optional customer master key (CMK) configuration. Choose based on who manages the encryption keys:

| Method | Key management | When to use |
|---|---|---|
| SSE-OSS | OSS manages the keys | Default choice; no additional setup required |
| SSE-KMS (no CMK) | Key Management Service (KMS) manages keys automatically | Need audit trails or cross-service key access |
| SSE-KMS (with CMK) | You create and control the CMK in KMS | Need full control over key lifecycle and rotation |

For more information about these methods, see Server-side encryption.

Prerequisites

Before you begin, ensure that you have:

  • An OSSClient instance. For setup instructions, see Create an OSSClient instance.

  • The OSS PHP SDK (V1) installed

  • The OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables set with valid credentials

Usage notes

  • The examples in this topic use the public endpoint for the China (Hangzhou) region (https://oss-cn-hangzhou.aliyuncs.com). To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For supported regions and endpoints, see Regions and endpoints.

  • If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.

  • To grant a RAM user the permissions needed for these operations, see Grant custom access policies to a RAM user.

Set bucket encryption

Setting a default encryption method on a bucket ensures that all objects uploaded without an explicit encryption setting are automatically encrypted using that method.

Important

The default encryption method applies only when no encryption method is specified at upload time. Objects uploaded with an explicit method use that method instead.

Required permission: oss:PutBucketEncryption

The following examples show how to set the default encryption method:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";

$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);

try {
    // The three calls below are alternatives. Each call replaces the bucket's previous default, so keep only the one you need.

    // Set the default server-side encryption method of the bucket to SSE-OSS.
    $sseConfig = new ServerSideEncryptionConfig("AES256");
    $ossClient->putBucketEncryption($bucket, $sseConfig);

    // Set the default server-side encryption method of the bucket to KMS without specifying a CMK ID.
    $sseConfig = new ServerSideEncryptionConfig("KMS");
    $ossClient->putBucketEncryption($bucket, $sseConfig);

    // Set the default server-side encryption method of the bucket to KMS and specify a CMK ID.
    $sseConfig = new ServerSideEncryptionConfig("KMS", "your kms id");
    $ossClient->putBucketEncryption($bucket, $sseConfig);
} catch (OssException $e) {
    // Use print() rather than printf(): the error message is not a format string and may contain "%".
    print("putBucketEncryption: FAILED\n");
    print($e->getMessage() . "\n");
    return;
}

print("putBucketEncryption: OK\n");

For the full API reference, see PutBucketEncryption.

Get the bucket encryption configuration

Required permission: oss:GetBucketEncryption

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";

$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);

try {
    // Get the bucket encryption configuration.
    $sseConfig = $ossClient->getBucketEncryption($bucket);

    // Print the bucket encryption configuration, one value per line.
    print($sseConfig->getSSEAlgorithm() . "\n");
    print($sseConfig->getKMSMasterKeyID() . "\n");
} catch (OssException $e) {
    // Use print() rather than printf(): the error message is not a format string and may contain "%".
    print("getBucketEncryption: FAILED\n");
    print($e->getMessage() . "\n");
    return;
}

print("getBucketEncryption: OK\n");

The ServerSideEncryptionConfig object returned by getBucketEncryption exposes two getter methods:

| Method | Return type | Possible values |
|---|---|---|
| getSSEAlgorithm() | String | AES256 (SSE-OSS) or KMS (SSE-KMS) |
| getKMSMasterKeyID() | String | The CMK ID you specified, or empty if no CMK was set |

For the full API reference, see GetBucketEncryption.
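
The following audit-and-repair check is an added example, not part of the OSS documentation or SDK samples: it reads the bucket's default encryption, compares it with a required baseline, and re-applies the baseline when the two differ. The sseFindings helper, the <yourCmkId> placeholder, and the check for the NoSuchServerSideEncryptionRule error code (how a bucket without a rule is assumed to respond) are assumptions of this example.

```php
<?php
// Added example, not OSS sample code: audit the bucket default against a baseline and repair drift.
require_once __DIR__ . '/../vendor/autoload.php';
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;

// Hypothetical helper: returns a list of findings, empty when the bucket is compliant.
function sseFindings(?string $algorithm, ?string $keyId, string $wantAlgorithm, string $wantKeyId): array
{
    if ($algorithm === null || $algorithm === '') {
        return ['no default encryption is configured'];
    }
    $findings = [];
    if ($algorithm !== $wantAlgorithm) {
        $findings[] = "algorithm is $algorithm, expected $wantAlgorithm";
    }
    // An empty $wantKeyId accepts any key, including the KMS-managed one.
    if ($wantKeyId !== '' && (string) $keyId !== $wantKeyId) {
        $findings[] = 'KMS key is not the required CMK';
    }
    return $findings;
}

$wantAlgorithm = 'KMS';
$wantKeyId = '<yourCmkId>'; // placeholder, not a real key ID
$bucket = '<yourBucketName>';
$ossClient = new OssClient([
    'provider' => new EnvironmentVariableCredentialsProvider(),
    'endpoint' => 'https://oss-cn-hangzhou.aliyuncs.com',
    'signatureVersion' => OssClient::OSS_SIGNATURE_VERSION_V4,
    'region' => 'cn-hangzhou',
]);
try {
    $current = $ossClient->getBucketEncryption($bucket);
    $findings = sseFindings($current->getSSEAlgorithm(), $current->getKMSMasterKeyID(), $wantAlgorithm, $wantKeyId);
} catch (OssException $e) {
    // Assumption: a bucket with no default encryption answers with this error code.
    if ($e->getErrorCode() !== 'NoSuchServerSideEncryptionRule') {
        throw $e; // a permission or network error must not be read as "unencrypted"
    }
    $findings = sseFindings(null, null, $wantAlgorithm, $wantKeyId);
}
foreach ($findings as $finding) { print("DRIFT $bucket: $finding\n"); }
if ($findings !== []) {
    $keyArg = $wantKeyId !== '' ? $wantKeyId : null;
    $ossClient->putBucketEncryption($bucket, new ServerSideEncryptionConfig($wantAlgorithm, $keyArg));
    print("default encryption re-applied to $bucket\n");
}
```

The caller needs both oss:GetBucketEncryption and oss:PutBucketEncryption. Re-applying the default affects only later uploads that do not specify their own encryption method.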

Delete the bucket encryption configuration

Deleting the bucket encryption configuration removes the default encryption method. Objects uploaded after deletion are not encrypted unless an encryption method is specified at upload time.

Required permission: oss:DeleteBucketEncryption

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The endpoint is set to China (Hangzhou) in this example. Specify the actual endpoint for other regions.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";

$config = array(
    "provider" => $provider,
    "endpoint" => $endpoint,
    "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
    "region" => "cn-hangzhou"
);
$ossClient = new OssClient($config);

try {
    // Delete the bucket encryption configuration.
    $ossClient->deleteBucketEncryption($bucket);
} catch (OssException $e) {
    // Use print() rather than printf(): the error message is not a format string and may contain "%".
    print("deleteBucketEncryption: FAILED\n");
    print($e->getMessage() . "\n");
    return;
}

print("deleteBucketEncryption: OK\n");

For the full API reference, see DeleteBucketEncryption.