Apsara File Storage NAS supports server-side encryption. NAS encrypts data that is stored in file systems. When you access data, NAS decrypts and sends you the required data. This topic describes how to implement server-side encryption.
- You can enable the data encryption feature only when you create a file system.
- You cannot disable the data encryption feature that is enabled for a file system.
If you require a high level of security or compliance, we recommend that you enable the server-side encryption feature. Server-side encryption uses the industry-standard AES-256 algorithm to encrypt data in the NAS file system. These keys are used to encrypt data in file systems.To prevent against unauthorized data access, server-side encryption uses envelope encryption. The keys of server-side encryption are generated and managed by Key Management Service (KMS). KMS allows you to ensure the confidentiality, integrity, and availability of keys.
- NAS-managed key
You can use NAS-managed key to encrypt each file system. NAS creates and manages keys in the KMS console. You can view a key and modify the permissions of the key. However, you cannot delete or disable the key.
- User-managed key
You can use User-managed key that are hosted by KMS to encrypt and decrypt file systems. If a key is disabled or deleted, the file system that is encrypted by the key cannot be accessed. User-managed key are generated by using the following two methods:
- Use KMS to create: You can create customer master keys (CMKs) in the KMS console. Then, you can configure and manage these CMKs. The management includes enabling, disabling, deleting, and rotating CMKs.
- Bring your own key (BYOK): To meet some specified requirements for security, you can import BYOK keys that are generated by on-premises services or cloud services to KMS. These keys are used as CMKs. For more information, see Import key material.
Log on to the NAS console. Click Create File System and select General Purpose NAS or Extreme(Pay-as-you-go). On the buy page, select NAS-managed key or User-managed key(KMS) in the Encryption Type field based on your business requirements. For more information, see Create a General-purpose NAS file system and Create an Extreme NAS file system.
- NAS-managed key encryption: General-purpose NAS and Extreme NAS in all regions.
- User-managed key encryption: Extreme NAS in all regions , General-purpose NAS in the US(Silicon Valley), US(Virginia), UK(London) and Australia(Sydney) regions.
- How can I use the server-side encryption feature of NAS?
- Which data encryption method do I need to select, NAS-managed key or custom key?
- If a CMK that applies to a NAS file system is disabled or deleted by mistake, how can I restore access to the data of the NAS file system?
- FAQ about server-side encryption