
Object Storage Service:Data encryption

Last Updated:Aug 01, 2025

Object Storage Service (OSS) offers server-side encryption, client-side encryption, and encrypted data transmission over HTTPS using SSL/TLS. These features help protect your cloud data from potential security risks.

Server-side encryption

OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts it before performing data persistence. When you download the data, OSS automatically decrypts it and returns the plaintext data. The HTTP response header indicates that the data was encrypted on the server.

OSS provides data-at-rest protection using server-side encryption. This feature is suitable for application scenarios with high security or compliance requirements for file storage, such as storing deep learning sample files or online collaborative document data. OSS provides the following two server-side encryption methods:

  • Use KMS-managed keys for encryption and decryption (SSE-KMS)

    When you upload a file, you can use the default customer master key (CMK) that is managed by Key Management Service (KMS) or a specified CMK ID to encrypt and decrypt data. This method is suitable for encrypting and decrypting large amounts of data. Because data does not need to be sent to the KMS server for encryption and decryption, this is a low-cost method.

    KMS is a secure and easy-to-use management service from Alibaba Cloud that helps you protect the confidentiality, integrity, and availability of your keys. With KMS, you can securely and conveniently use keys and focus on developing your encryption and decryption features. You can view and manage KMS keys in the KMS console.

    KMS complements AES-256 encryption by generating the data encryption keys and by storing the customer master key (CMK) that encrypts those data keys. This envelope encryption mechanism further prevents unauthorized access to your data. The CMK can be the default KMS key managed by OSS, or a key you create with the Bring-Your-Own-Key (BYOK) method; the BYOK key material can be provided by Alibaba Cloud or by you.

    The following figure shows the process of server-side encryption with SSE-KMS.

    [Figure: server-side encryption process with SSE-KMS]
  • Use OSS-managed encryption (SSE-OSS)

    This encryption method is fully managed by OSS and is configured as a property of an object. OSS uses the industry-standard AES-256 (256-bit Advanced Encryption Standard) algorithm to encrypt each object with a unique key. As an additional protection, a master key is used to encrypt the object key. This method is suitable for batch data encryption and decryption.

    In this encryption method, OSS generates and manages the data encryption keys. You can set the default server-side encryption method of a bucket to AES-256. You can also include the x-oss-server-side-encryption header with the value AES256 in the request when you upload an object or modify its metadata, which enables server-side encryption for that object.

For more information, see Server-side encryption in the OSS Developer Guide.

Client-side encryption

Client-side encryption is the process of encrypting files (objects) locally before you upload them to Object Storage Service (OSS). When you use client-side encryption, you are responsible for the integrity of the master key. When you copy or migrate encrypted data, you are also responsible for the integrity of the encrypted metadata.

When you use client-side encryption, a unique, randomly generated data encryption key is used to symmetrically encrypt each object's data. The master key is then used to encrypt this data encryption key. The encrypted data key is stored as the object's metadata on the server. During decryption, the master key first decrypts the encrypted data key. Then, the resulting plaintext data key is used to decrypt the object's data. The master key is used only for local computations on the client and is never transmitted over the network or stored on the server, which ensures its security.
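The envelope procedure described above, written out as an added Go example (not OSS SDK code): a fresh random data key encrypts the object body, the master key wraps only that data key, and the wrapped key is carried in the object metadata. AES-256-GCM is assumed for both the data and the wrapping step, and the metadata name `x-oss-meta-client-side-encryption-key` is an assumption for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Metadata entry that carries the wrapped data key with the object (assumed name for illustration).
const wrappedKeyMeta = "x-oss-meta-client-side-encryption-key"
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts plaintext with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// unseal reverses seal; the GCM tag check fails on a wrong key or altered data.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := aesGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// EncryptObject: a fresh 256-bit data key encrypts the object; the master key wraps only that
// data key, which goes into the metadata. The master key itself is never uploaded.
func EncryptObject(masterKey, plaintext []byte) ([]byte, map[string]string, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, nil, err }
	body, err := seal(dek, plaintext)
	if err != nil { return nil, nil, err }
	wrapped, err := seal(masterKey, dek)
	if err != nil { return nil, nil, err }
	return body, map[string]string{wrappedKeyMeta: base64.StdEncoding.EncodeToString(wrapped)}, nil
}
// DecryptObject unwraps the data key with the master key, then decrypts the object body.
func DecryptObject(masterKey, body []byte, meta map[string]string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(meta[wrappedKeyMeta])
	if err != nil { return nil, err }
	dek, err := unseal(masterKey, wrapped)
	if err != nil { return nil, errors.New("cannot unwrap data key: wrong master key or altered metadata") }
	return unseal(dek, body)
}
```

A wrong master key or a modified metadata value fails at the unwrap step, before the body is touched; a modified body fails the GCM tag check on the data key.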

You can use master keys in the following two ways:

  • Use KMS-managed customer master keys

    When you use a KMS-managed customer master key for client-side data encryption, you do not need to provide an encryption key to the OSS encryption client. You only need to specify the KMS customer master key ID (CMK ID) when you upload an object. The following figure shows this process.

    [Figure: client-side encryption with a KMS-managed CMK]
  • Use customer-managed CMK

    When you use a customer-managed key, you are responsible for generating and storing the encryption key. When the local client encrypts an object, you provide the encryption key (a symmetric or asymmetric encryption key) to the local encryption client. The following figure shows this encryption process.

    [Figure: client-side encryption with a customer-managed key]

For more information, see Client-side encryption in the OSS Developer Guide.

Encrypted transmission over HTTPS based on SSL/TLS

OSS supports access over HTTP or HTTPS. You can set the TLS version to improve the security of data transmission. Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications, which helps protect your cloud data from security risks.