Enable Server-Side Encryption with Customer Managed Key

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Server-Side Encryption (SSE) is using customer-managed keys (CMKs) instead of service-managed keys to protect your OSS data at rest. SSE with customer-managed keys (also known as Bring Your Own Key, or BYOK) gives you full control over the encryption and decryption process, including who can use the key, and helps you meet strict compliance requirements.

Security

Using Server-Side Encryption (SSE) with customer-managed keys (CMKs) allows you to set your own encryption keys and have full control over who can use these keys to access your Object Storage Service (OSS) data. Customer-managed keys (CMKs) are managed by Alibaba Cloud Key Management Service (KMS). KMS is a highly secure and scalable key management service that allows you to easily encrypt, store, and manage your cryptographic keys. It helps you protect your sensitive data from unauthorized access and theft.


Audit

To determine if Server-Side Encryption with customer-managed keys is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to examine, listed in the Bucket Name column.

05 Choose Content Security from the resource navigation panel and select Server-side Encryption.

06 Choose Settings from the Server-side Encryption section to view the Server-Side Encryption (SSE) feature settings.

07 For compliance, the Encryption Method must be set to KMS and the CMK value must be the ID of a customer-managed key (CMK). To determine the type of the KMS key used by Server-side Encryption, copy the key ID specified by the CMK, navigate to Key Management Service console available at https://yundun.console.aliyun.com/?p=kms#/overview, and choose Keys under Resource.

08 Select the Keys tab, paste the key ID copied at the previous step into the Key ID box, and press Enter.

09 Click on the name (link) of the resulting KMS key, listed in the Key column.

10 Check the Created By attribute value to determine the KMS key creator. If the key creator is not a customer/user, the selected KMS key is not a customer-managed key (CMK), therefore Server-Side Encryption (SSE) with customer-managed keys (CMKs) is disabled for the selected OSS bucket.

11 Repeat steps no. 4 - 10 for each OSS bucket available within your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the ls command (macOS/Linux/Windows) to list the OSS buckets available within your Alibaba Cloud account:

ossutil ls -s

03 The command output should return the name of each OSS bucket available in your cloud account:

oss://tm-project-trail-bucket
oss://tm-project-data-bucket
oss://tm-project-app-utils
oss://tm-project-custom-logs
Bucket Number is: 4

0.235205(s) elapsed

04 Run the bucket-encryption command (macOS/Linux/Windows) to describe the Server-Side Encryption (SSE) configuration available for the selected OSS bucket:

ossutil bucket-encryption --method get oss://tm-project-trail-bucket

05 The command output should return the requested configuration information:

SSEAlgorithm: KMS
KMSMasterKeyID: abcd1234-abcd-1234-abcd-1234abcd1234
KMSDataEncryption:

06 Run the kms DescribeKey command of the Alibaba Cloud CLI (aliyun) (macOS/Linux/Windows) to describe the KMS key configured for Server-Side Encryption (SSE), returned at the previous step (only if a KMSMasterKeyID value was returned):

aliyun kms DescribeKey --KeyId 'abcd1234-abcd-1234-abcd-1234abcd1234'

07 The command output should return the information available for the specified KMS key (including the key creator):

{
	"KeyMetadata": {
		"Arn": "acs:kms:eu-west-1:1234567890123456:key/abcd1234-abcd-1234-abcd-1234abcd1234",
		"AutomaticRotation": "Disabled",
		"CreationDate": "2024-01-26T11:19:27Z",
		"Creator": "Rds",
		"DeleteDate": "",
		"DeletionProtection": "Disabled",
		"Description": "",
		"KeyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"KeySpec": "Aliyun_AES_256",
		"KeyState": "Enabled",
		"KeyUsage": "ENCRYPT/DECRYPT",
		"LastRotationDate": "2024-01-26T11:20:27Z",
		"MaterialExpireTime": "",
		"Origin": "Aliyun_KMS",
		"PrimaryKeyVersion": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"ProtectionLevel": "SOFTWARE"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the KeyMetadata.Creator attribute value to determine the KMS key creator. If the key creator is a cloud service and not a customer/user, as shown in the example above, the KMS key specified by KMSMasterKeyID is not a customer-managed key (CMK).

08 Check the information returned at steps no. 5 and 7 to determine the Server-Side Encryption (SSE) feature configuration available for the selected OSS bucket. For compliance, the SSEAlgorithm must be set to KMS and the KMSMasterKeyID must be the ID of a customer-managed key (CMK). If the SSEAlgorithm is not KMS, or the KMSMasterKeyID is missing or is not the ID of a CMK, Server-Side Encryption (SSE) with customer-managed keys (CMKs) is disabled for the selected OSS bucket.

09 Repeat steps no. 4 - 8 for each OSS bucket available within your Alibaba Cloud account.

Remediation / Resolution

To ensure that Server-Side Encryption (SSE) with customer-managed keys (CMKs) is enabled for your OSS buckets, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Object Storage Service (OSS) console available at https://oss.console.aliyun.com/overview.

03 In the left navigation panel, under Object Storage Service (OSS), choose Buckets.

04 Click on the name (link) of the OSS bucket that you want to configure, listed in the Bucket Name column.

05 Choose Content Security from the resource navigation panel and select Server-side Encryption.

06 Choose Settings from the Server-side Encryption section and perform the following actions:

  1. For Encryption Method choose KMS.
  2. For Encryption Algorithm choose AES256.
  3. Choose your own KMS customer-managed key (CMK) from the CMK dropdown list.
  4. Choose Save to apply the configuration changes. This will enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected OSS bucket.

07 Repeat steps no. 4 - 6 for each OSS bucket available in your Alibaba Cloud account.

Using ossutil

01 Install and configure ossutil. ossutil is a command-line tool for Alibaba Cloud's Object Storage Service (OSS).

02 Run the bucket-encryption command (macOS/Linux/Windows) to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected OSS bucket. Use the --kms-masterkey-id command parameter to specify the ID of your own KMS customer-managed key (CMK):

ossutil bucket-encryption \
  --method put oss://tm-project-trail-bucket \
  --sse-algorithm KMS \
  --kms-masterkey-id 1234abcd-1234-abcd-1234-abcd1234abcd

03 If the operation is successful, the command output should return the execution time, e.g.:

0.218990(s) elapsed

04 Repeat steps no. 2 and 3 for each OSS bucket available in your Alibaba Cloud account.
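The ossutil audit procedure above (steps 2 to 8) and the remediation command from step 2 of this section, as an added Python script that is not part of the original page or of Conformity: it drives ossutil and the aliyun CLI over every bucket, applies the same SSEAlgorithm / KMSMasterKeyID / Creator checks, and prints the put command for each failing bucket without running it. The embedded sample outputs are constructed; treating a numeric Creator as a customer account and a name such as Rds as a cloud service is an assumption, and so is the `<your-cmk-id>` placeholder.

```python
import json, re, subprocess, sys

# Constructed samples mirroring the ossutil / aliyun output shown on this page.
SAMPLE_BUCKET_ENCRYPTION = "SSEAlgorithm: KMS\nKMSMasterKeyID: abcd1234-abcd-1234-abcd-1234abcd1234\nKMSDataEncryption:\n"
SAMPLE_DESCRIBE_KEY = '{"KeyMetadata": {"Creator": "Rds", "KeyState": "Enabled"}}'
def run(argv):  # stdout of a CLI command; empty string if it fails
    return subprocess.run(argv, capture_output=True, text=True).stdout
def parse_bucket_encryption(text):
    """Parse 'Key: value' lines from `ossutil bucket-encryption --method get` (empty values allowed)."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg

def is_customer_managed(describe_key_json):
    # Assumption: user-created CMKs report the creator account's numeric UID as Creator; service keys report a name like "Rds".
    meta = json.loads(describe_key_json or "{}").get("KeyMetadata", {})
    return re.fullmatch(r"\d+", meta.get("Creator", "")) is not None

def evaluate_bucket(cfg, key_is_cmk):
    """Apply the rule: SSEAlgorithm must be KMS and KMSMasterKeyID must name a CMK."""
    algo, key_id = cfg.get("SSEAlgorithm", ""), cfg.get("KMSMasterKeyID", "")
    if algo != "KMS":
        return False, f"SSEAlgorithm is '{algo or 'none'}', not KMS"
    if not key_id:
        return False, "KMS selected but no KMSMasterKeyID (default service key in use)"
    if not key_is_cmk:
        return False, f"key {key_id} was created by a cloud service, not a customer"
    return True, f"KMS with customer-managed key {key_id}"

def remediation_command(bucket, cmk_id):
    """argv for the ossutil put command from the Remediation section (printed, never run)."""
    return ["ossutil", "bucket-encryption", "--method", "put", f"oss://{bucket}",
            "--sse-algorithm", "KMS", "--kms-masterkey-id", cmk_id]

def audit_live(replacement_cmk_id):
    """Walk every bucket with the real CLIs; report findings and the matching fix command."""
    for uri in (l for l in run(["ossutil", "ls", "-s"]).splitlines() if l.startswith("oss://")):
        cfg = parse_bucket_encryption(run(["ossutil", "bucket-encryption", "--method", "get", uri]))
        key_id = cfg.get("KMSMasterKeyID", "")
        is_cmk = bool(key_id) and is_customer_managed(run(["aliyun", "kms", "DescribeKey", "--KeyId", key_id]))
        ok, why = evaluate_bucket(cfg, is_cmk)
        print(f"{'PASS' if ok else 'FAIL'} {uri}: {why}")
        if not ok:
            print("  fix:", " ".join(remediation_command(uri[len('oss://'):], replacement_cmk_id)))

if __name__ == "__main__":
    audit_live(sys.argv[1] if len(sys.argv) > 1 else "<your-cmk-id>")
```

Run it with the ID of your own CMK as the first argument, using an identity that only needs read access to OSS bucket settings and kms:DescribeKey.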

Publication date Apr 25, 2024