OSS encrypts objects at rest using server-side encryption (SSE). When you upload an object, OSS encrypts and stores it. When you download it, OSS decrypts it transparently and returns the data with a response header confirming that SSE was applied.
This topic shows how to configure, retrieve, and delete the default SSE configuration for a bucket using the C++ SDK.
Prerequisites
Before you begin, ensure that you have:
Read Server-side encryption to understand the supported encryption methods (SSE-OSS, SSE-KMS, and SSE-C) and when to use each
An OSSClient instance. See Create an OSSClient instance if you need to create one using a custom domain or Security Token Service (STS)
The required RAM permissions for the operations you plan to perform:

| Operation | Required permission |
| --- | --- |
| Set bucket encryption | oss:PutBucketEncryption |
| Get bucket encryption configuration | oss:GetBucketEncryption |
| Delete bucket encryption configuration | oss:DeleteBucketEncryption |

To attach these permissions to a RAM user, see Attach a custom policy to a RAM user.
Usage notes
The examples in this topic use the public endpoint for the China (Hangzhou) region. If you access OSS from another Alibaba Cloud service in the same region, use an internal endpoint instead. For region-specific endpoints, see Regions and endpoints.
All examples use EnvironmentVariableCredentialsProvider to load credentials from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables. Set these variables before running the code.
Set bucket encryption
The following code sets the default encryption method for a bucket to SSE-KMS. After this configuration is applied, all objects uploaded to the bucket without an explicit encryption method are encrypted using SSE-KMS.

#include <alibabacloud/oss/OssClient.h>
#include <iostream>
#include <memory>
#include <string>

using namespace AlibabaCloud::OSS;

int main(void)
{
    // Replace with your bucket's endpoint and region.
    // Example: https://oss-cn-hangzhou.aliyuncs.com and cn-hangzhou
    std::string Endpoint = "yourEndpoint";
    std::string Region = "yourRegion";
    // Replace with your bucket name. Example: examplebucket
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    // Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    SetBucketEncryptionRequest setrequest(BucketName);
    // Set the encryption algorithm to SSE-KMS.
    setrequest.setSSEAlgorithm(SSEAlgorithm::KMS);
    auto outcome = client.SetBucketEncryption(setrequest);

    if (!outcome.isSuccess()) {
        std::cout << "SetBucketEncryption fail" <<
            ",code:" << outcome.error().Code() <<
            ",message:" << outcome.error().Message() <<
            ",requestId:" << outcome.error().RequestId() << std::endl;
        // Release SDK resources on the failure path as well.
        ShutdownSdk();
        return -1;
    }

    ShutdownSdk();
    return 0;
}

Get the bucket encryption configuration
The following code retrieves the SSE configuration currently applied to a bucket.

#include <alibabacloud/oss/OssClient.h>
#include <iostream>
#include <memory>
#include <string>

using namespace AlibabaCloud::OSS;

int main(void)
{
    // Replace with your bucket's endpoint, region, and bucket name.
    std::string Endpoint = "yourEndpoint";
    std::string Region = "yourRegion";
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    // Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    // Retrieve the bucket's default SSE configuration.
    // On success, the configuration is available through outcome.result().
    GetBucketEncryptionRequest request(BucketName);
    auto outcome = client.GetBucketEncryption(request);

    if (!outcome.isSuccess()) {
        std::cout << "GetBucketEncryption fail" <<
            ",code:" << outcome.error().Code() <<
            ",message:" << outcome.error().Message() <<
            ",requestId:" << outcome.error().RequestId() << std::endl;
        // Release SDK resources on the failure path as well.
        ShutdownSdk();
        return -1;
    }

    ShutdownSdk();
    return 0;
}

Delete the bucket encryption configuration
The following code removes the SSE configuration from a bucket.

#include <alibabacloud/oss/OssClient.h>
#include <iostream>
#include <memory>
#include <string>

using namespace AlibabaCloud::OSS;

int main(void)
{
    // Replace with your bucket's endpoint, region, and bucket name.
    std::string Endpoint = "yourEndpoint";
    std::string Region = "yourRegion";
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    // Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    // Remove the bucket's default SSE configuration.
    DeleteBucketEncryptionRequest request(BucketName);
    auto outcome = client.DeleteBucketEncryption(request);

    if (!outcome.isSuccess()) {
        std::cout << "DeleteBucketEncryption fail" <<
            ",code:" << outcome.error().Code() <<
            ",message:" << outcome.error().Message() <<
            ",requestId:" << outcome.error().RequestId() << std::endl;
        // Release SDK resources on the failure path as well.
        ShutdownSdk();
        return -1;
    }

    ShutdownSdk();
    return 0;
}
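
The introduction notes that OSS returns a response header confirming that SSE was applied. The following added example (not part of the original topic or of the SDK) checks a download's response headers against the bucket's expected default. It assumes the OSS header names x-oss-server-side-encryption and x-oss-server-side-encryption-key-id, uses hypothetical names (SseCheck, checkSse), and runs on constructed headers rather than a real response.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;

// Result of comparing one object's response headers with the expected SSE policy.
enum class SseCheck { Ok, NotEncrypted, WrongAlgorithm, WrongKmsKey };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// HTTP header names are case-insensitive, so compare in lower case.
static std::string header(const Headers& h, const std::string& lowerName) {
    for (const auto& kv : h)
        if (lower(kv.first) == lowerName) return kv.second;
    return "";
}

// expectedKeyId may be empty, in which case any KMS key is accepted.
SseCheck checkSse(const Headers& headers, const std::string& expectedAlgorithm,
                  const std::string& expectedKeyId = "") {
    const std::string alg = header(headers, "x-oss-server-side-encryption");
    if (alg.empty()) return SseCheck::NotEncrypted;   // no SSE header on the response
    if (alg != expectedAlgorithm) return SseCheck::WrongAlgorithm;
    if (!expectedKeyId.empty() &&
        header(headers, "x-oss-server-side-encryption-key-id") != expectedKeyId)
        return SseCheck::WrongKmsKey;
    return SseCheck::Ok;
}

int main() {
    // Constructed response headers, not captured from a real bucket.
    Headers kmsObject = {{"X-Oss-Server-Side-Encryption", "KMS"},
                         {"x-oss-server-side-encryption-key-id", "example-key-id"}};
    Headers plainObject = {{"Content-Type", "text/plain"}};

    std::cout << "kms object ok: "
              << (checkSse(kmsObject, "KMS", "example-key-id") == SseCheck::Ok) << "\n"
              << "plain object flagged: "
              << (checkSse(plainObject, "KMS") == SseCheck::NotEncrypted) << "\n";
    return 0;
}
```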