OSS provides server-side encryption, client-side encryption, and HTTPS transmission encryption (SSL/TLS) to protect your data at rest and in transit.
Server-side encryption
OSS supports server-side encryption (SSE) for uploaded data: OSS encrypts each object before persisting it and decrypts it transparently when it is downloaded. The x-oss-server-side-encryption header in the response tells you that server-side encryption was applied, so a client can check that header instead of assuming that the object was encrypted.
Server-side encryption protects data at rest. It suits scenarios that require high security or compliance, such as storing deep learning samples or collaborative documents. OSS supports two SSE methods:
- SSE-KMS: KMS-managed key encryption
You can encrypt objects with the default KMS-managed customer master key (CMK) or with a CMK that you specify by ID. Because OSS uses envelope encryption, only the per-object data key is sent to KMS to be wrapped and unwrapped; the object data itself is never sent to the KMS server over the network, which is what lets this method handle large-scale encryption at low cost.
KMS is a key management service provided by Alibaba Cloud that handles key confidentiality, integrity, and availability so you can focus on your encryption logic. You can view and manage keys in the KMS console.
KMS uses AES-256 and envelope encryption to prevent unauthorized access. It generates data encryption keys and encrypts them with your CMK. You can use the default OSS-managed KMS key or Bring-Your-Own-Key (BYOK). BYOK key material can be provided by Alibaba Cloud or imported by you.
SSE-KMS encryption workflow:
- SSE-OSS: OSS-managed encryption
With SSE-OSS, OSS uses AES-256 to encrypt each object with its own unique data key, and a master key held by OSS encrypts those data keys in turn. This method suits batch encryption scenarios in which you do not need to control or audit the key yourself.
OSS generates and manages all data encryption keys. You can set the default encryption method of a bucket to AES256, or include the x-oss-server-side-encryption header with the value AES256 when you upload or modify an object.
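The following Go example, added here and not taken from the OSS documentation or SDKs, shows the two SSE modes from the client's side: it builds a PutObject request carrying the x-oss-server-side-encryption header (and, for SSE-KMS, x-oss-server-side-encryption-key-id), verifies that a response actually echoes the encryption header instead of silently storing plaintext, and renders the PutBucketEncryption body that makes SSE the bucket default. The header and XML element names are taken from the OSS API reference as I know it and should be confirmed against the current reference; request signing is omitted, and the endpoint, bucket and CMK ID are placeholders, not real resources.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"strings"
)

// Request/response headers for OSS server-side encryption (names assumed from
// the OSS API reference; confirm before relying on them).
const (
	HeaderSSE      = "x-oss-server-side-encryption"        // AES256 (SSE-OSS) or KMS (SSE-KMS)
	HeaderSSEKeyID = "x-oss-server-side-encryption-key-id" // CMK ID, SSE-KMS only
)

// PutObjectRequest builds an unsigned PutObject request that asks OSS to
// encrypt the object with alg ("AES256" or "KMS"). keyID is the CMK ID for
// SSE-KMS, or "" to use the default KMS key. Signing is out of scope here.
func PutObjectRequest(endpoint, bucket, object, alg, keyID, body string) (*http.Request, error) {
	switch alg {
	case "AES256":
		if keyID != "" {
			return nil, fmt.Errorf("a CMK ID is only meaningful with KMS, not %s", alg)
		}
	case "KMS":
	default:
		return nil, fmt.Errorf("unsupported server-side encryption algorithm %q", alg)
	}
	u := fmt.Sprintf("https://%s.%s/%s", bucket, endpoint, object)
	req, err := http.NewRequest(http.MethodPut, u, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set(HeaderSSE, alg)
	if keyID != "" {
		req.Header.Set(HeaderSSEKeyID, keyID)
	}
	return req, nil
}

// VerifyEncryption checks a PutObject or HeadObject response: OSS returns
// x-oss-server-side-encryption only for an encrypted object, so a missing
// header means the object was stored in plaintext.
func VerifyEncryption(h http.Header, wantAlg string) error {
	got := h.Get(HeaderSSE)
	if got == "" {
		return fmt.Errorf("object was stored without server-side encryption")
	}
	if !strings.EqualFold(got, wantAlg) {
		return fmt.Errorf("object encrypted with %s, want %s", got, wantAlg)
	}
	return nil
}

// bucketEncryption is the PutBucketEncryption body that makes SSE the bucket
// default, so objects uploaded without the header are still encrypted.
type bucketEncryption struct {
	XMLName xml.Name `xml:"ServerSideEncryptionRule"`
	Default struct {
		SSEAlgorithm   string `xml:"SSEAlgorithm"`
		KMSMasterKeyID string `xml:"KMSMasterKeyID,omitempty"`
	} `xml:"ApplyServerSideEncryptionByDefault"`
}

// DefaultEncryptionXML renders the bucket default-encryption rule.
func DefaultEncryptionXML(alg, keyID string) (string, error) {
	if alg != "AES256" && alg != "KMS" {
		return "", fmt.Errorf("unsupported algorithm %q", alg)
	}
	var cfg bucketEncryption
	cfg.Default.SSEAlgorithm = alg
	cfg.Default.KMSMasterKeyID = keyID
	out, err := xml.Marshal(cfg)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Placeholder endpoint, bucket and CMK ID; none of these are real resources.
	req, err := PutObjectRequest("oss-cn-hangzhou.aliyuncs.com", "examplebucket", "report.csv", "KMS", "example-cmk-id", "id,amount\n1,10\n")
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL, req.Header)

	// Constructed response headers, as OSS would echo them for a KMS-encrypted object.
	resp := http.Header{}
	resp.Set(HeaderSSE, "KMS")
	fmt.Println("verify:", VerifyEncryption(resp, "KMS"))
	fmt.Println("verify plaintext:", VerifyEncryption(http.Header{}, "KMS"))

	body, _ := DefaultEncryptionXML("KMS", "example-cmk-id")
	fmt.Println(body)
}
```

The point of VerifyEncryption is that a bucket without a default rule stores an unencrypted object without complaint if a client forgets the header; checking the echoed header after upload, or on HeadObject during an audit, catches that case.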
Client-side encryption
Client-side encryption encrypts objects locally before uploading them to OSS. You are responsible for the integrity and correctness of the master key and the encryption metadata during copy or migration operations.
A random data encryption key is generated per object and used to encrypt the object data symmetrically. The master key then encrypts this data key, and the encrypted data key is stored as object metadata on the server. For decryption, the master key decrypts the data key, which then decrypts the object. The master key never leaves the client: it is not transmitted over the network or stored on the server. The flip side is that OSS cannot help you recover from losing it; without the master key, the stored data keys cannot be unwrapped and the objects cannot be decrypted.
Two methods are available for managing master keys:
- KMS-managed customer master keys
With a KMS-managed CMK, you only specify the CMK ID when uploading; no encryption key has to be present on the client, because KMS wraps and unwraps the per-object data key on the client's behalf and the CMK itself is never exposed. (The source page illustrates this process with a figure that is not reproduced here.)
- Customer-managed keys
With customer-managed keys, you generate and store the encryption keys yourself and provide a symmetric or asymmetric master key to the local encryption client for each encrypt or decrypt operation. OSS never sees this key, so its backup and protection are entirely your responsibility. (The source page illustrates this process with a figure that is not reproduced here.)
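The following Go program is an added example, not code from the OSS documentation or the OSS encryption SDKs, that implements the client-side envelope scheme described above for the customer-managed-key case: a fresh random data key encrypts the object, a 32-byte customer master key wraps the data key, and only the ciphertext and the wrapped key (as object metadata) would be sent to the server. AES-256-GCM is my choice for both layers, since the page only says "AES-256" and "symmetric"; the x-oss-meta-cse-* metadata names are illustrative and are not the keys the real SDKs use. The sample object and master key are constructed locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedObject is everything that reaches the OSS server: ciphertext plus
// the object metadata carrying the wrapped data key. The metadata names are
// illustrative; the OSS SDKs use their own x-oss-meta-* keys.
type EncryptedObject struct {
	Body     []byte
	Metadata map[string]string
}

const (
	metaWrappedKey = "x-oss-meta-cse-wrapped-key" // base64(nonce || AES-256-GCM(masterKey, DEK))
	metaCEKAlg     = "x-oss-meta-cse-cek-alg"     // algorithm applied to the body
	metaWrapAlg    = "x-oss-meta-cse-wrap-alg"    // algorithm applied to the DEK
)

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with a fresh random nonce and prefixes the nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...), nil
}

// aeadOpen reverses aeadSeal; the GCM tag makes any tampering with the
// ciphertext or the wrapped key fail closed instead of yielding garbage.
func aeadOpen(key, box []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// EncryptObject performs the envelope step on the client: a random per-object
// DEK encrypts the data, the master key wraps the DEK, and only the wrapped
// DEK goes into metadata. The master key itself is never serialized.
func EncryptObject(masterKey, plaintext []byte) (*EncryptedObject, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	body, err := aeadSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(masterKey, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{
		Body: body,
		Metadata: map[string]string{
			metaWrappedKey: base64.StdEncoding.EncodeToString(wrapped),
			metaCEKAlg:     "AES-256-GCM",
			metaWrapAlg:    "AES-256-GCM",
		},
	}, nil
}

// DecryptObject unwraps the DEK with the master key, then decrypts the body.
// A wrong master key, or metadata dropped during a copy or migration, fails
// at the unwrap step and the object is unrecoverable.
func DecryptObject(masterKey []byte, obj *EncryptedObject) ([]byte, error) {
	encoded, ok := obj.Metadata[metaWrappedKey]
	if !ok {
		return nil, errors.New("encryption metadata missing: cannot recover data key")
	}
	wrapped, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	dek, err := aeadOpen(masterKey, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aeadOpen(dek, obj.Body)
}

func main() {
	// Constructed sample: a locally generated master key and a small object.
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	obj, err := EncryptObject(masterKey, []byte("constructed sample object"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded body: %d bytes, metadata: %v\n", len(obj.Body), obj.Metadata)
	pt, err := DecryptObject(masterKey, obj)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = DecryptObject(make([]byte, 32), obj)
	fmt.Println("wrong master key:", err)
}
```

Two properties are worth noticing when running it: the wrapped key in the metadata is useless without the master key, so an attacker with read access to the bucket gets only ciphertext, and stripping the metadata (as a careless copy or migration tool might) makes the object undecryptable even for the rightful key holder, which is exactly why the page makes you responsible for carrying that metadata along.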
In-transit encryption (HTTPS/TLS)
OSS supports both HTTP and HTTPS access, and you can set the TLS version a bucket accepts to meet your security requirements. TLS provides confidentiality and data integrity between communicating applications, protecting object data and request credentials in transit. Plain HTTP provides neither, so clients should be pointed only at HTTPS endpoints and should refuse TLS versions older than 1.2.
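The client-side counterpart of the bucket TLS setting, as an added Go example rather than OSS SDK code: a check that rejects any non-HTTPS endpoint before a request is built, and an HTTP client whose transport will not negotiate below TLS 1.2. The endpoints in main are placeholders and no request is actually sent.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// CheckHTTPSEndpoint rejects any endpoint that would send requests, and with
// them the signing credentials and object data, over plain HTTP.
func CheckHTTPSEndpoint(endpoint string) (*url.URL, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("endpoint %q uses scheme %q; only https is allowed", endpoint, u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("endpoint %q has no host", endpoint)
	}
	return u, nil
}

// NewTLSClient returns an HTTP client that refuses to negotiate anything
// below TLS 1.2, matching the floor set on the bucket side.
func NewTLSClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
		},
	}
}

// MinTLSVersion reports the floor configured on a client (0 if none), so the
// setting can be asserted in tests or audited at startup.
func MinTLSVersion(c *http.Client) uint16 {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t.TLSClientConfig == nil {
		return 0
	}
	return t.TLSClientConfig.MinVersion
}

func main() {
	// Placeholder endpoints; nothing is sent over the network.
	for _, e := range []string{"https://oss-cn-hangzhou.aliyuncs.com", "http://oss-cn-hangzhou.aliyuncs.com"} {
		_, err := CheckHTTPSEndpoint(e)
		fmt.Printf("%s -> %v\n", e, err)
	}
	fmt.Printf("client min TLS: %#x\n", MinTLSVersion(NewTLSClient()))
}
```

A client built this way fails loudly at configuration time if someone pastes an http:// endpoint from an old example, rather than silently sending credentials in clear, and it cannot be downgraded below TLS 1.2 by a man-in-the-middle regardless of what the bucket allows.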