All Products
Search
Document Center

Object Storage Service:Server-side encryption

Last Updated:Oct 12, 2023

Object Storage Service (OSS) supports server-side encryption for uploaded data. When you upload data to OSS, OSS encrypts the uploaded data and then persistently stores the encrypted data. When you download the encrypted data, OSS automatically decrypts the data, returns the original data to you, and declares in the header of the response that the data had been encrypted on the server.

Usage notes

  • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS by using other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about the regions and endpoints supported by OSS, see Regions and endpoints.

  • In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.

  • To enable encryption for a bucket, you must have the oss:PutBucketEncryption permission. To query the encryption configurations of a bucket, you must have the oss:GetBucketEncryption permission. To delete the encryption configurations of a bucket, you must have the oss:DeleteBucketEncryption permission. For more information, see Attach a custom policy to a RAM user.

Encryption methods

OSS provides the following server-side encryption methods:

  • Server-side encryption by using KMS-managed keys (SSE-KMS)

    When you upload an object, you can use a specified CMK ID or the default CMK managed by Key Management Service (KMS) to encrypt the object. This method is cost-effective because you do not need to send data to the KMS server for encryption and decryption.

    You are charged for calling API operations when you use CMKs to encrypt or decrypt data. For more information about the fees, see Billing of KMS.

  • Server-side encryption that uses OSS-managed keys (SSE-OSS)

    When you upload an object, OSS encrypts the object on the server side by using AES-256 keys managed by OSS. OSS server-side encryption uses AES-256 to encrypt objects by using different data keys. AES-256 uses master keys that are regularly rotated to encrypt data keys.

Note
  • An object can be encrypted by only one server-side encryption method at a time.

  • If you configure server-side encryption for a bucket, you can still configure the encryption method for a single object when you upload or copy the object. In this case, the encryption method configured for the object takes precedence. For more information, see PutObject.

For more information about server-side encryption, see Server-side encryption.

Configure server-side encryption for a bucket

The following sample code provides an example on how to configure a default encryption method for a bucket. After the method is configured, all objects that are uploaded to the bucket are encrypted by using the default encryption method if no encryption method is configured for the objects.

The following sample code provides an example on how to configure a default encryption method for a bucket:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;

// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.  
$accessKeyId = getenv("OSS_ACCESS_KEY_ID"); 
$accessKeySecret = getenv("OSS_ACCESS_KEY_SECRET");
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";

$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false);

try {
    // Set the default server-side encryption method of the bucket to SSE-OSS. 
    $config = new ServerSideEncryptionConfig("AES256");
    $ossClient->putBucketEncryption($bucket, $config);

    // Set the default server-side encryption method of the bucket to KMS without specifying a CMK ID. 
    $config = new ServerSideEncryptionConfig("KMS");
    $ossClient->putBucketEncryption($bucket, $config);

    // Set the default server-side encryption method of the bucket to KMS and specify a CMK ID. 
    $config = new ServerSideEncryptionConfig("KMS", "your kms id");
    $ossClient->putBucketEncryption($bucket, $config);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}

print(__FUNCTION__ . ": OK" . "\n"); 

For more information about how to configure server-side encryption, see PutBucketEncryption.

Query the server-side encryption configurations of a bucket

The following sample code provides an example on how to query the server-side encryption configurations of a bucket:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;

// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.  
$accessKeyId = getenv("OSS_ACCESS_KEY_ID"); 
$accessKeySecret = getenv("OSS_ACCESS_KEY_SECRET");
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";

$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false);

try {
    // Query the server-side encryption configurations of the bucket. 
    $config = $ossClient->getBucketEncryption($bucket);

    // Display the server-side encryption configurations of the bucket. 
    print($config->getSSEAlgorithm());
    print($config->getKMSMasterKeyID());
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}

print(__FUNCTION__ . ": OK" . "\n");   

For more information about how to query the server-side encryption configurations of a bucket, see GetBucketEncryption.

Delete the server-side encryption configurations of a bucket

The following sample code provides an example on how to delete the server-side encryption configurations of a bucket:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;

// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.  
$accessKeyId = getenv("OSS_ACCESS_KEY_ID"); 
$accessKeySecret = getenv("OSS_ACCESS_KEY_SECRET");
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";

$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false);

try {
    // Delete the server-side encryption configurations of the bucket. 
    $ossClient->deleteBucketEncryption($bucket);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}

print(__FUNCTION__ . ": OK" . "\n");   

For more information about how to delete the server-side encryption configurations of a bucket, see DeleteBucketEncryption.