
Apsara File Storage NAS:Server-side encryption

Last Updated:Apr 01, 2024

Apsara File Storage NAS (NAS) supports server-side encryption. If you require a high level of security or compliance, we recommend that you enable the server-side encryption feature. After this feature is enabled, NAS encrypts data stored in file systems. When you access data in file systems, NAS automatically decrypts the encrypted data and returns the data to you. This topic describes how the server-side encryption feature works, supported regions, and related operations.

Limits

  • You can enable the data encryption feature only when you create a file system.

  • You cannot disable the data encryption feature for a file system.

Encryption methods

If you require a high level of security or compliance, we recommend that you enable the server-side encryption feature. Server-side encryption uses the industry-standard AES-256 algorithm, and the encryption keys protect data at rest in file systems. To protect against unauthorized data access, server-side encryption uses envelope encryption: each file system's data is encrypted with a data key, and that data key is itself encrypted under a master key. The keys used for server-side encryption are generated and managed by Key Management Service (KMS), which helps you ensure the confidentiality, integrity, and availability of keys. For more information, see Use envelope encryption to encrypt and decrypt local data.

NAS supports the following two scenario-specific server-side encryption methods.

Note

You can use keys that are hosted by NAS free of charge. If you use custom keys hosted by KMS, you are charged a small fee. For more information, see Billing of KMS.

  • NAS-managed keys

    You can use NAS-managed keys to encrypt file systems. NAS creates and manages these keys in the KMS console. You can view a key and modify its permissions, but you cannot delete or disable it.

  • Custom keys

    You can use custom keys that are hosted by KMS to encrypt and decrypt file systems. If a key is disabled or deleted, the file system that is encrypted with that key can no longer be accessed, so check which file systems depend on a key before you change its state. Custom keys can be created in the following two ways:

    • Use KMS to create: You can create customer master keys (CMKs) in the KMS console. Then, you can configure and manage these CMKs. You can enable, disable, delete, and rotate CMKs.

    • Bring your own key (BYOK): To meet specific requirements for security, you can import BYOK keys that are generated by on-premises services or cloud services to KMS. These keys are used as CMKs. For more information, see Import key material.
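The envelope scheme described under Encryption methods, and the consequence of disabling or deleting a custom key described above, can be shown end to end in code. The Go program below is an added example written for this page; it is not NAS or KMS code and uses no Alibaba Cloud SDK. The MasterKey type is an assumed stand-in for a KMS customer master key (CMK) held in memory, WrapDataKey and UnwrapDataKey play the role of the KMS calls that encrypt and decrypt a data key, EncryptedFile is the assumed at-rest layout, and the sample file content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDisabled models KMS refusing to use a CMK that has been disabled or deleted.
var ErrKeyDisabled = errors.New("master key is disabled or deleted")

// MasterKey stands in for a KMS customer master key (CMK). Real KMS never exposes the
// material; this type is an assumption of the example, not a NAS or KMS API.
type MasterKey struct {
	material []byte
	Disabled bool // analogue of the CMK being disabled or deleted in KMS
}

type EncryptedFile struct { // what sits at rest; the plaintext data key is never stored
	WrappedDataKey []byte // nonce || AES-GCM ciphertext of the 256-bit data key, under the CMK
	Sealed         []byte // nonce || AES-GCM ciphertext of the file content, under the data key
}

const gcmNonceSize = 12 // nonce size used by cipher.NewGCM

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key setup or CSPRNG failure: stop rather than continue with weak keys
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func aead(key []byte) cipher.AEAD { // AES-256-GCM; every key handed in is 32 bytes from randomBytes
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

func seal(key, plaintext []byte) []byte { // encrypt under a fresh random nonce, return nonce || ciphertext
	nonce := randomBytes(gcmNonceSize)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// open decrypts and authenticates nonce || ciphertext; any tampering is rejected.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < gcmNonceSize {
		return nil, errors.New("sealed data too short")
	}
	return aead(key).Open(nil, sealed[:gcmNonceSize], sealed[gcmNonceSize:], nil)
}

func NewMasterKey() *MasterKey { return &MasterKey{material: randomBytes(32)} } // analogue of creating a CMK

func (m *MasterKey) WrapDataKey(dataKey []byte) ([]byte, error) { // analogue of KMS encrypting a data key
	if m.Disabled {
		return nil, ErrKeyDisabled
	}
	return seal(m.material, dataKey), nil
}

func (m *MasterKey) UnwrapDataKey(wrapped []byte) ([]byte, error) { // analogue of KMS decrypting a data key
	if m.Disabled {
		return nil, ErrKeyDisabled
	}
	return open(m.material, wrapped)
}

// EncryptFile makes a per-file data key and stores only its CMK-wrapped form beside the ciphertext.
func EncryptFile(cmk *MasterKey, plaintext []byte) (*EncryptedFile, error) {
	dataKey := randomBytes(32)
	wrapped, err := cmk.WrapDataKey(dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedDataKey: wrapped, Sealed: seal(dataKey, plaintext)}, nil
}

// DecryptFile unwraps the data key through the CMK; a disabled or deleted CMK makes the data unreadable.
func DecryptFile(cmk *MasterKey, f *EncryptedFile) ([]byte, error) {
	dataKey, err := cmk.UnwrapDataKey(f.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, f.Sealed)
}

func main() {
	cmk := NewMasterKey()
	f := must(EncryptFile(cmk, []byte("constructed sample file content"))) // constructed input
	fmt.Printf("active CMK: %q\n", must(DecryptFile(cmk, f)))
	cmk.Disabled = true // analogue of disabling or deleting the CMK in KMS
	_, err := DecryptFile(cmk, f)
	fmt.Println("disabled CMK:", err)
}
```

Running the program with `go run` decrypts the sample content while the master key is active and then fails with ErrKeyDisabled once it is disabled, even though the stored ciphertext and wrapped data key are unchanged. This is the property behind the note on custom keys: the file system holds only the wrapped data key, so KMS-side state of the CMK decides whether NAS can ever recover it, and a foreign CMK or a modified ciphertext is rejected by the AES-GCM authentication check.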

Method

Log on to the NAS console. On the buy page, set the Encryption Type parameter to NAS-managed Key or User-managed Key (KMS) based on your business requirements. For more information, see Create a General-purpose NAS file system in the NAS console and Create an Extreme NAS file system in the NAS console.

Supported regions

  • NAS-managed key encryption

    • General-purpose NAS file systems: all regions

    • Extreme NAS file systems: all regions

  • Custom key encryption

    • General-purpose NAS file systems:

      • US (Silicon Valley)

      • US (Virginia)

      • UK (London)

      • Australia (Sydney)

      • Germany (Frankfurt)

      • India (Mumbai)

      • Singapore

    • Extreme NAS file systems: all regions

References

Server-side encryption protects data at rest only. If you also want to encrypt data in transit, enable the encryption in transit feature when you mount a file system; this protects data from being read or tampered with on the network between the client and NAS. For more information, see Encryption in transit for NFS file systems or Encryption in transit for SMB file systems.