All Products
Document Center

Object Storage Service:Data encryption

Last Updated:Jun 28, 2024

Object Storage Service (OSS) provides server-side encryption and client-side encryption, and supports encryption in transit using HTTPS over SSL or Transport Layer Security (TLS) to protect data in the cloud from potential security risks.

Server-side encryption

OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts the data and stores the encrypted data. When you download data, OSS decrypts the data and returns the decrypted data. In addition, a header is added to the response to declare that the data is encrypted on the server.

OSS uses server-side encryption to protect data at rest. You can enable this feature in scenarios in which additional security or compliance is required, such as the storage of deep learning samples and online collaborative documents. You can choose one of the following methods to implement server-side encryption:

  • Server-side encryption using KMS-managed keys (SSE-KMS)

    When you upload an object, you need to select the default customer master key (CMK) managed by Key Management Service (KMS) or specify a CMK to encrypt and decrypt data. This method is especially helpful in scenarios where lots of data encryption and decryption operations are involved. Server-side encryption by using SSE-KMS is cost-effective because you do not need to send data to the KMS server for encryption and decryption.

    KMS is a secure and easy-to-use key management service provided by Alibaba Cloud. KMS ensures the privacy, integrity, and availability of your keys at minimal cost. Therefore, you can focus on the development of encryption and decryption functions that best suit your needs. You can view and manage keys in the KMS console.

    KMS encrypts data based on AES-256 and stores and manages CMKs that are used to encrypt data keys. KMS also generates data keys that can be used to encrypt and decrypt data. In addition, envelope encryption provided by KMS can protect your data and corresponding data keys from unauthorized access. You can use the default CMK stored in KMS or generate a CMK by using your BYOK materials or BYOK materials provided by Alibaba Cloud.

  • Server-side encryption using OSS-managed keys (SSE-OSS)

    This encryption method is an attribute of objects. OSS server-side encryption uses AES-256 to encrypt objects with different data keys. To improve security, OSS uses master keys to encrypt cryptographic keys. This method is suitable for encryption and decryption of multiple objects at a time.

    In this method, data keys are generated and managed by OSS. To use server-side encryption to encrypt an object, you can specify AES-256 as the default server-side encryption algorithm for the bucket to which the object is uploaded or specify the x-oss-server-side-encryption header in the request to upload the object and set the header to AES256.

For more information, see Server-side encryption.

Client-side encryption

Client-side encryption is performed to encrypt objects on the local client before the objects are uploaded to OSS. When you use client-side encryption, you are responsible for the integrity and validity of the CMKs. When you copy or migrate encrypted data, you must ensure the integrity and validity of the object metadata related to client-side encryption.

In client-side encryption, a random data key is generated for each object to perform symmetric encryption on the object. The client uses a CMK to generate a random data key. The encrypted data key is saved as a part of the object metadata and stored on the OSS server. When an encrypted object is downloaded, the client uses the CMK to decrypt the random data key and then uses the data key to decrypt the object. The CMK is used only on the client and is not transmitted over the network or stored on the server, which ensures data security.

You can use two types of CMKs for client-side encryption:

  • KMS-managed CMKs

    If you use a KMS-managed CMK for client-side encryption, you specify a CMK ID when you upload an object, without the need to provide the OSS encryption client with a data key. The following figure shows the encryption process.

  • Use customer-managed CMKs

    If you use customer-managed CMKs for client-side encryption, you need to generate and manage CMKs. When you implement client-side encryption on an object that you want to upload, you must upload a symmetric or an asymmetric CMK to the client. The following figure shows the encryption process.


For more information, see Client-side encryption.

Encryption in transit using HTTPS over SSL or TLS

OSS supports access over HTTP and HTTPS. You can configure a bucket policy to allow only access over HTTPS (TLS) for better security in data transmission. TLS is a cryptographic protocol that provides data security and data integrity for communications over networks. For more information, see Configure bucket policies to authorize other users to access OSS resources.