how to implement server-side encryption by using oss sdk for go 2.0 - Object Storage Service

OSS supports server-side encryption (SSE). When you upload data, OSS encrypts and stores the data. When you download the data, OSS automatically decrypts it and returns the raw data. The HTTP response header indicates that the data was encrypted on the server.

Notes

Before you configure server-side encryption, make sure you understand the feature. For more information, see Server-side encryption.
The sample code in this topic uses the China (Hangzhou) region ID cn-hangzhou and a public endpoint. If you access OSS from another Alibaba Cloud service in the same region, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.
This topic uses environment variables to read access credentials. For more information about how to configure access credentials, see Configure access credentials.
To configure bucket encryption, you must have the oss:PutBucketEncryption permission. To retrieve bucket encryption configurations, you must have the oss:GetBucketEncryption permission. To delete bucket encryption configurations, you must have the oss:DeleteBucketEncryption permission. For more information, see Grant custom access policies to RAM users.

Sample code

Configure bucket encryption

You can use the following code to set the default encryption method for a bucket. After this configuration is successful, all objects uploaded to the bucket without a specified encryption method are encrypted using the bucket's default method.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The storage region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to set the encryption rule for the bucket.
	request := &oss.PutBucketEncryptionRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
		ServerSideEncryptionRule: &oss.ServerSideEncryptionRule{
			ApplyServerSideEncryptionByDefault: &oss.ApplyServerSideEncryptionByDefault{
				SSEAlgorithm:      oss.Ptr("KMS"), // Use the KMS encryption algorithm.
				KMSDataEncryption: oss.Ptr("SM4"), // Use the SM4 data encryption algorithm.
			},
		},
	}

	// Send the request to set the encryption rule for the bucket.
	result, err := client.PutBucketEncryption(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket encryption %v", err)
	}

	// Print the result of setting the encryption rule for the bucket.
	log.Printf("put bucket encryption result:%#v\n", result)
}

Get bucket encryption configurations

You can use the following code to retrieve the bucket encryption configuration.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The storage region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to get the bucket encryption configuration.
	request := &oss.GetBucketEncryptionRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
	}

	// Get the bucket encryption configuration and process the result.
	result, err := client.GetBucketEncryption(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get bucket encryption %v", err)
	}

	// Print the result of getting the bucket encryption configuration.
	log.Printf("get bucket encryption result:%#v\n", result)
}

Delete bucket encryption configurations

You can use the following code to delete the bucket encryption configuration.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The storage region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to delete the bucket encryption configuration.
	request := &oss.DeleteBucketEncryptionRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
	}

	// Delete the bucket encryption configuration and process the result.
	result, err := client.DeleteBucketEncryption(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to delete bucket encryption %v", err)
	}

	// Print the result of deleting the bucket encryption configuration.
	log.Printf("delete bucket encryption result:%#v\n", result)
}

References

For the complete sample code for server-side encryption, see put_bucket_encryption.go, get_bucket_encryption.go, and delete_bucket_encryption.go.
For more information about the API operation to configure server-side encryption, see PutBucketEncryption.
For more information about the API operation to retrieve server-side encryption configurations, see GetBucketEncryption.
For more information about the API operation to delete server-side encryption configurations, see DeleteBucketEncryption.