You can enable gateway encryption when you create a gateway. After gateway encryption is enabled, files in the gateway cache will be encrypted before they are uploaded to OSS. Only encrypted files in OSS will be synchronized to the local client. This topic describes how to enable gateway encryption.
- You have created a file gateway and added a cache. For more information, see Create a file gateway and Add a cache disk.
- You have created an OSS bucket. For more information, see Create a bucket.
- You have created an Alibaba Cloud KMS key in the region where the target OSS bucket is deployed, or an external key in the KMS console.
When you enable gateway encryption, pay attention to the following notes.
- Only users in the whitelist can use gateway encryption. If you are not in the whitelist and want to use this feature, submit a ticket.
- Currently, only Enhanced and Advanced gateways support this feature.
- When this feature is enabled for a share, unencrypted files in the associated OSS bucket will not be synchronized to the local client.
Gateway encryption can be enabled only when you create a share. The following procedure shows how to enable this feature when you create a share.
- Log on to the CSG console.
- Select the region where the target file gateway is located.
- Go to the Gateway Cluster page, find the target file gateway, and then click the name of the gateway to go to the Share tab.
- On the Share tab, click Create.
- On the Bucket Setting tab, set the required parameters as described in Bucket settings, and set the following additional parameters. Click Next.
Parameter Description Encryption Select an encryption type. This example uses Gateway Side Encryption. CMK ID The Customer Master Key (CMK) ID that is used to specify the files to be encrypted. Enter the key that you created in the KMS console. KMS Rotate Select whether to enable key rotation. After you enable key rotation, the gateway periodically generates keys based on the CMK ID to encrypt data. This improves data security. KMS Rotate Period This parameter is available only when you set the KMS Rotate parameter to Yes. This parameter specifies the frequency to generate new keys. The rotation period is measured in seconds.
Valid values are from 3,600 to 31,104,000 seconds (360 days).
- On the Basic Information tab, set the required parameters and click Next.
- On the Advanced Settings tab, set the required parameters and click Next.
- Click Next to go to the Summary tab, make sure that the specified information is correct, and then click OK.
After the share is created, you can click the + icon on the left side of the share name to verify that Encryption is set to Gateway Side Encryption.