
Object Storage Service: Server-side encryption (Node.js SDK)

Last Updated: Mar 20, 2026

Object Storage Service (OSS) encrypts objects at rest on the server. When you upload an object, OSS encrypts and persistently stores it. When you download it, OSS decrypts it transparently and returns the original data. The HTTP response includes a header confirming server-side encryption.

All three operations—configure, query, and delete bucket encryption—share the same client initialization pattern. Each code sample below is self-contained and runnable.

Prerequisites

Before you begin, make sure you have:

  • An OSS bucket

  • The OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables set with valid access credentials

  • The ali-oss npm package installed

Configure bucket encryption

Set a default encryption method for a bucket. After configuration, OSS automatically encrypts every object uploaded to the bucket that does not specify its own encryption method.

const OSS = require("ali-oss");

const client = new OSS({
  // Region where your bucket is located, e.g. oss-cn-hangzhou
  region: "<your-region>",
  // Read access credentials from environment variables
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: "<your-bucket-name>",
});

async function putBucketEncryption() {
  try {
    const result = await client.putBucketEncryption("<your-bucket-name>", {
      SSEAlgorithm: "AES256",    // "AES256" | "KMS"
      // KMSMasterKeyID: "<your-kms-key-id>",
      // Required only when SSEAlgorithm is "KMS" and you use a specific key.
      // Otherwise, this parameter must be empty.
    });
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

putBucketEncryption();

Replace these placeholders before running:

Placeholder          Description                        Example
<your-region>        Region ID of the bucket            oss-cn-hangzhou
<your-bucket-name>   Name of your bucket                my-bucket
<your-kms-key-id>    KMS key ID (KMS encryption only)   1234abcd-12ab-34cd-56ef-1234567890ab

Get bucket encryption configuration

Query the current encryption configuration of a bucket.

const OSS = require("ali-oss");

const client = new OSS({
  region: "<your-region>",
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: "<your-bucket-name>",
});

async function getBucketEncryption() {
  try {
    const result = await client.getBucketEncryption("<your-bucket-name>");
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

getBucketEncryption();
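
The configure and query calls above can be combined into an idempotent policy check that writes only when the bucket's default encryption has drifted, then re-reads to confirm. This is an added example, not code from the SDK documentation; the helper names, the in-memory stand-in client, the result shape and the error code are assumptions. Pass the `client` from the samples above in place of the stand-in.

```javascript
// Added example. Assumed result shape: getBucketEncryption() resolves to
// { encryption: { SSEAlgorithm, KMSMasterKeyID } }.
const NO_RULE = "NoSuchServerSideEncryptionRule"; // assumed err.code when no default rule is set

async function readEncryption(client, bucket) {
  try {
    const { encryption } = await client.getBucketEncryption(bucket);
    return encryption || null;
  } catch (e) {
    if (e.code === NO_RULE) return null;
    throw e; // auth or network failures must not be read as "no encryption"
  }
}

// True when the bucket's rule equals the wanted one. A missing or empty
// KMSMasterKeyID on both sides means "no specific key".
function matchesPolicy(current, want) {
  if (!current || current.SSEAlgorithm !== want.SSEAlgorithm) return false;
  return (current.KMSMasterKeyID || "") === (want.KMSMasterKeyID || "");
}

// Idempotent: writes only on drift, then re-reads to confirm the change took.
async function ensureBucketEncryption(client, bucket, want) {
  const before = await readEncryption(client, bucket);
  if (matchesPolicy(before, want)) return { changed: false, before, after: before };
  await client.putBucketEncryption(bucket, want);
  const after = await readEncryption(client, bucket);
  if (!matchesPolicy(after, want)) {
    throw new Error(`default encryption on ${bucket} does not match policy after update`);
  }
  return { changed: true, before, after };
}

// Constructed in-memory stand-in for the SDK client so the example runs offline.
function makeFakeClient(initialRule) {
  let rule = initialRule;
  return {
    async getBucketEncryption() {
      if (!rule) throw Object.assign(new Error("no rule"), { code: NO_RULE });
      return { status: 200, encryption: { ...rule } };
    },
    async putBucketEncryption(_bucket, rules) {
      rule = { ...rules };
      return { status: 200 };
    },
  };
}

ensureBucketEncryption(makeFakeClient(null), "example-bucket", { SSEAlgorithm: "AES256" })
  .then((r) => console.log(r)); // constructed bucket name; first run reports changed: true
```

Errors other than the missing-rule code are rethrown, so an access-denied response stops the run instead of triggering a write.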

Delete bucket encryption configuration

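Remove the default encryption configuration from a bucket. After removal, OSS no longer applies a default encryption method to objects that are uploaded without one.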

const OSS = require("ali-oss");

const client = new OSS({
  region: "<your-region>",
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  bucket: "<your-bucket-name>",
});

async function deleteBucketEncryption() {
  try {
    const result = await client.deleteBucketEncryption("<your-bucket-name>");
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

deleteBucketEncryption();
