Apsara File Storage NAS allows you to enable data encryption at rest when you create a file system. This topic describes how to encrypt a file system and how data encryption at rest works.

Encrypt a file system

To encrypt the data and metadata stored in a file system, enable encryption when you create the file system by performing the following steps.

  1. Log on to the NAS console.
  2. Choose NAS > File System List and click Create File System.
    If you want to create an Extreme NAS file system, click Subscription or Pay-as-you-go in the NAS Extreme section.
  3. On the buy page, select the encryption type. For more information about other parameters, see Create a file system.
  4. Click Buy Now and follow the instructions on the page to complete the purchase.

Implementation of data encryption at rest

NAS uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt data that is stored in file systems, and uses Key Management Service (KMS) to manage the keys.

NAS uses customer master keys (CMKs) and envelope encryption to encrypt file systems. Each file system has a CMK and a data key. You can use only service keys that are provided by NAS as CMKs.

NAS encrypts data when the data is written to a file system for which data encryption at rest is enabled. When applications attempt to read data from the file system, NAS decrypts the data before sending the data to the applications. These operations are transparent to applications, so you do not need to modify your application code.
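
The envelope scheme and the write and read paths described above, as an added Ruby sketch that is not NAS or KMS code: a data key encrypts the file data, and the CMK encrypts (wraps) the data key. It assumes AES-256-GCM as the cipher mode (the page names only AES-256) and a locally generated key standing in for the CMK that KMS manages; all function names are hypothetical.

```ruby
require 'openssl'

# Encrypts plaintext with AES-256-GCM under a 32-byte key (the mode is an
# assumption; the page names only AES-256). Returns iv || tag || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh 12-byte nonce for every call
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Reverses seal. Raises OpenSSL::Cipher::CipherError when the key is wrong or
# the bytes were modified, because the GCM tag no longer verifies.
def unseal(key, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28, blob.bytesize - 28)) + cipher.final
end

# Write path: a fresh data key encrypts the data and the CMK wraps the data
# key. Only the wrapped key and the ciphertext are kept. The local cmk is a
# stand-in for the key that KMS manages (assumption).
def write_encrypted(cmk, data)
  data_key = OpenSSL::Random.random_bytes(32)
  { wrapped_key: seal(cmk, data_key), ciphertext: seal(data_key, data) }
end

# Read path: unwrap the data key with the CMK, then decrypt the data.
def read_decrypted(cmk, stored)
  unseal(unseal(cmk, stored[:wrapped_key]), stored[:ciphertext])
end

SAMPLE_DATA = 'constructed sample: contents of one file'.b

# Returns [round trip ok?, outcome of reading with a different CMK].
def demo
  cmk = OpenSSL::Random.random_bytes(32)
  stored = write_encrypted(cmk, SAMPLE_DATA)
  round_trip = read_decrypted(cmk, stored) == SAMPLE_DATA
  read_decrypted(OpenSSL::Random.random_bytes(32), stored)
  [round_trip, :decrypted]
rescue OpenSSL::Cipher::CipherError
  [round_trip, :rejected]
end

p demo if __FILE__ == $PROGRAM_NAME
```

The plaintext data key exists only in memory during a read or write, so the stored ciphertext is unreadable without access to the CMK.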