OSS on CloudBox encrypts objects at rest using server-side encryption with OSS-managed keys (SSE-OSS). When you enable encryption for a bucket, every object uploaded after that point is automatically encrypted using AES-256 before being stored and decrypted transparently on download. No code changes are required in your application.
Prerequisites
Before you begin, make sure you have:
OSS on CloudBox available in your region. Supported regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Beijing), and China (Chengdu)
A cloud box purchased. For details, see Purchase a cloud box
A Virtual Private Cloud (VPC) and a vSwitch created in OSS on CloudBox. For details, see Create a VPC and a vSwitch
A VPC internal network set up with a single tunnel for secure connection. To apply, contact technical support
How it works
SSE-OSS uses AES-256, one of the strongest symmetric encryption algorithms available. OSS generates a unique data encryption key for each object and encrypts that key with a master key. OSS manages the full lifecycle of both keys and protects them with strong, multi-factor security measures.
When OSS returns an encrypted object in an HTTP response, it includes a header indicating that server-side encryption was applied.
Encryption precedence: If you set a default encryption method for a bucket, you can still specify a different method per object when uploading or copying. The object-level setting takes precedence over the bucket default.
If a PUT request includes the x-oss-server-side-encryption header, OSS uses that header value to encrypt the object.
If a PUT request does not include the header, OSS applies the bucket's default encryption setting.
Enable server-side encryption
Use the OSS console
Method 1: Enable encryption when creating a bucket
Log on to the OSS console.
In the left navigation pane, choose Data Service > OSS on CloudBox Buckets, then click Create Bucket.
On the Create Bucket page, configure the encryption parameters:
| Parameter | Description |
|---|---|
| Encryption Method | Select OSS-Managed to enable SSE-OSS. Select None to disable encryption. |
| Encryption Algorithm | AES256 (the only supported algorithm) |
Configure other parameters as needed, then complete bucket creation. For details on other parameters, see Create an OSS on CloudBox bucket.
Method 2: Enable encryption for an existing bucket
Log on to the OSS console.
In the left navigation pane, choose Data Service > OSS on CloudBox Buckets, then click the bucket name.
In the left navigation pane, choose Content Security > Server-Side Encryption.
In the Server-Side Encryption section, click Settings.
Configure the encryption parameters:
| Parameter | Description |
|---|---|
| Encryption Method | Select OSS-Managed to enable SSE-OSS. Select None to disable encryption. |
| Encryption Algorithm | AES256 (the only supported algorithm) |
Click Save.
Use the Alibaba Cloud SDK for Java
Requires SDK version 3.15.0 or later.
```java
import com.aliyun.oss.*;
import com.aliyun.oss.model.*;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // Specify the data endpoint of the OSS on CloudBox bucket.
        String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
        // Load credentials from environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
        EnvironmentVariableCredentialsProvider credentialsProvider =
                CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the bucket name.
        String bucketName = "examplebucket";
        // Specify the region where the bucket is located.
        String region = "cn-hangzhou";
        // Specify the CloudBox ID.
        String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";

        // Build the OSSClient. Call shutdown() when done to release resources.
        ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
        conf.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(new DefaultCredentialProvider(credentialsProvider.getCredentials()))
                .clientConfiguration(conf)
                .region(region)
                .cloudBoxId(cloudBoxId)
                .build();

        try {
            // Configure SSE-OSS with AES-256 as the default encryption for the bucket.
            ServerSideEncryptionByDefault applyServerSideEncryptionByDefault =
                    new ServerSideEncryptionByDefault(SSEAlgorithm.AES256);
            ServerSideEncryptionConfiguration sseConfig = new ServerSideEncryptionConfiguration();
            sseConfig.setApplyServerSideEncryptionByDefault(applyServerSideEncryptionByDefault);
            SetBucketEncryptionRequest request = new SetBucketEncryptionRequest(bucketName, sseConfig);
            ossClient.setBucketEncryption(request);
            System.out.println("Server-side encryption is enabled for the OSS on CloudBox bucket.");
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught a ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}
```
Replace the following placeholders before running the code:
| Placeholder | Description | Example |
|---|---|---|
| cb-f8z7yvzgwfkl9q0h**** | CloudBox ID | cb-f8z7yvzgwfkl9q0h1234 |
| examplebucket | OSS on CloudBox bucket name | my-cloudbox-bucket |
| cn-hangzhou | Region where the bucket is located | cn-shanghai |
Set the environment variables before running:
```bash
export OSS_ACCESS_KEY_ID=<your-access-key-id>
export OSS_ACCESS_KEY_SECRET=<your-access-key-secret>
```
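Setting a bucket default only affects objects uploaded afterwards, and the encryption precedence rules above mean an object's effective setting can differ from the bucket default. The following program is an added example (not part of this page or the official SDK samples): it reads back the bucket's default encryption configuration, uploads one object without an encryption header and one with an explicit x-oss-server-side-encryption header, then issues a HEAD request for each object and prints the algorithm OSS reports. It reuses the same placeholders as the sample above; the object keys under sse-demo/ and the sample body are constructed for the demonstration, and it assumes the bucket accepts a per-object AES256 header as described in the precedence section.

```java
import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.*;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class VerifySseDemo {
    public static void main(String[] args) throws Exception {
        // Same placeholders as the sample above: replace before running.
        String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
        String region = "cn-hangzhou";
        String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";
        String bucketName = "examplebucket";

        EnvironmentVariableCredentialsProvider provider =
                CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
        conf.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(new DefaultCredentialProvider(provider.getCredentials()))
                .clientConfiguration(conf)
                .region(region)
                .cloudBoxId(cloudBoxId)
                .build();

        try {
            // 1. Read back the bucket default. OSS answers with an error when no
            //    encryption rule exists, which for our purposes means "plaintext by default".
            try {
                ServerSideEncryptionConfiguration cfg = ossClient.getBucketEncryption(bucketName);
                ServerSideEncryptionByDefault byDefault = cfg.getApplyServerSideEncryptionByDefault();
                System.out.println("Bucket default SSE algorithm: "
                        + (byDefault == null ? "(none)" : byDefault.getSSEAlgorithm()));
            } catch (OSSException oe) {
                System.out.println("No bucket default encryption rule: " + oe.getErrorCode());
            }

            // Constructed sample content for the two test objects.
            byte[] body = "sse-demo payload".getBytes(StandardCharsets.UTF_8);

            // 2. Upload without an encryption header: the bucket default decides.
            ossClient.putObject(bucketName, "sse-demo/default.txt", new ByteArrayInputStream(body));

            // 3. Upload with an explicit x-oss-server-side-encryption header:
            //    the per-object setting takes precedence over the bucket default.
            ObjectMetadata meta = new ObjectMetadata();
            meta.setHeader(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION,
                    ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
            ossClient.putObject(bucketName, "sse-demo/explicit.txt", new ByteArrayInputStream(body), meta);

            // 4. HEAD each object: the x-oss-server-side-encryption response header is the
            //    authoritative record of what was actually applied at rest.
            for (String key : new String[]{"sse-demo/default.txt", "sse-demo/explicit.txt"}) {
                ObjectMetadata head = ossClient.headObject(bucketName, key);
                String algorithm = head.getServerSideEncryption();
                System.out.println(key + " -> " + (algorithm == null ? "NOT ENCRYPTED" : algorithm));
            }
        } finally {
            ossClient.shutdown();
        }
    }
}
```

Run it once before and once after enabling the bucket default: before, sse-demo/default.txt reports no encryption while sse-demo/explicit.txt reports AES256; after, both report AES256. The same HEAD loop, pointed at existing keys, is a cheap way to audit objects that were uploaded before the bucket default was set, since enabling the default does not re-encrypt them.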
Use ossutil
Method 1: Enable encryption when creating a bucket
Method 2: Upload an object and specify an encryption method
Use the REST API
If you need more control than the console or SDK provides, call the REST API directly. Note that you must compute request signatures yourself.