Object Storage Service (OSS) supports server-side encryption for uploaded data. When you upload data to OSS, OSS encrypts the uploaded data and then persistently stores the encrypted data. When you download the encrypted data, OSS automatically decrypts the data, returns the original data to you, and declares in the header of the response that the data had been encrypted on the server.
Usage notes
Before you configure server-side encryption, make sure that you familiarize yourself with this feature. For more information, see Server-side encryption.
In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions, endpoints and open ports.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.
To configure server-side encryption for a bucket, you must have the
oss:PutBucketEncryption
permission. To query the server-side encryption configurations of a bucket, you must have theoss:GetBucketEncryption
permission. To delete the server-side encryption configurations of a bucket, you must have theoss:DeleteBucketEncryption
permission. For more information, see Attach a custom policy to a RAM user.
Configure server-side encryption for a bucket
You can configure a default server-side encryption method for a bucket. After the method is configured, all objects that are uploaded to the bucket are encrypted by using the default method if no server-side encryption method is configured for the objects.
The following sample code provides an example on how to configure a default server-side encryption method for a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the China (Hangzhou) region is used as the endpoint. Specify your actual endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$config = array(
"provider" => $provider,
"endpoint" => $endpoint,
"signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
"region"=> "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
// Set the default server-side encryption method of the bucket to SSE-OSS.
$config = new ServerSideEncryptionConfig("AES256");
$ossClient->putBucketEncryption($bucket, $config);
// Set the default server-side encryption method of the bucket to KMS without specifying a CMK ID.
$config = new ServerSideEncryptionConfig("KMS");
$ossClient->putBucketEncryption($bucket, $config);
// Set the default server-side encryption method of the bucket to KMS and specify a CMK ID.
$config = new ServerSideEncryptionConfig("KMS", "your kms id");
$ossClient->putBucketEncryption($bucket, $config);
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information about the API operation that you can call to configure server-side encryption for a bucket, see PutBucketEncryption.
Query the server-side encryption configurations of a bucket
The following sample code provides an example on how to query the server-side encryption configurations of a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\ServerSideEncryptionConfig;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the China (Hangzhou) region is used as the endpoint. Specify your actual endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$config = array(
"provider" => $provider,
"endpoint" => $endpoint,
"signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
"region"=> "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
// Query the server-side encryption configurations of the bucket.
$config = $ossClient->getBucketEncryption($bucket);
// Display the server-side encryption configurations of the bucket.
print($config->getSSEAlgorithm());
print($config->getKMSMasterKeyID());
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information about the API operation that you can call to query the server-side encryption configurations of a bucket, see GetBucketEncryption.
Delete the server-side encryption configurations of a bucket
The following sample code provides an example on how to delete the server-side encryption configurations of a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the China (Hangzhou) region is used as the endpoint. Specify your actual endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket= "<yourBucketName>";
$config = array(
"provider" => $provider,
"endpoint" => $endpoint,
"signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
"region"=> "cn-hangzhou"
);
$ossClient = new OssClient($config);
try {
// Delete the server-side encryption configurations of the bucket.
$ossClient->deleteBucketEncryption($bucket);
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information about the API operation that you can call to delete the server-side encryption configurations of a bucket, see DeleteBucketEncryption.