CPFS General-purpose Edition supports server-side encryption and encryption in transit to protect your data throughout its lifecycle.
Server-side encryption: Protects data at rest and prevents data breaches caused by physical disk loss or theft.
Encryption in transit: Protects data in transit and prevents eavesdropping or tampering during network transmission.
How it works
Server-side encryption
Server-side encryption uses the industry-standard envelope encryption mechanism, which is implemented using Alibaba Cloud Key Management Service (KMS). The system generates a unique data encryption key (DEK) for each file system and uses the AES-256 algorithm to encrypt your data. The DEK is protected by a customer master key (CMK) that you specify in KMS. This process is transparent to you. It ensures data security while maintaining high read and write performance using a DEK caching mechanism.
Encryption in transit
Encryption in transit provides end-to-end secure data transmission using the open source software Stunnel. When you mount a file system, the CPFS client tool (aliyun-alinas-utils) starts a Stunnel proxy process on the ECS instance. This process encapsulates all NFS traffic in a TLS-encrypted tunnel for transmission, which prevents the data from being eavesdropped on or tampered with on the network.
Choose an encryption solution
For businesses with the highest security requirements, you can enable both server-side encryption and encryption in transit for end-to-end data protection.
Comparison dimension | Server-side encryption | Encryption in transit |
Core value | Protects data at rest and prevents data breaches from physical media. | Protects data in transit and prevents network eavesdropping. |
Scenarios | | |
Performance impact | Input/output operations per second (IOPS) and throughput may decrease slightly. CPU overhead increases by a small amount. | A performance loss of about 10% occurs: access latency increases by 10% and IOPS decreases by 10%. For throughput-intensive applications, the Stunnel process for each mount target might occupy an entire CPU core in extreme cases. Reserve sufficient CPU resources based on your business workload. |
Cost | | Free |
Management complexity | One-time configuration during creation. If a custom key is accidentally deleted, the data is permanently lost and cannot be recovered. | Requires client installation and maintenance. You must also monitor the certificate validity period. An expired client certificate causes the file system to stop responding. |
Configure server-side encryption
You can configure server-side encryption only when you create a file system. After a file system is created, you cannot disable encryption or change the associated key. Enabling encryption has a slight impact on performance: IOPS and throughput might decrease slightly.
Step 1: Choose a key management method
Choose a key management method based on your security and compliance requirements:
Service-managed key: The CPFS service creates and manages the key for you. You do not need to manage the key lifecycle, and you have only audit permissions. This method is free, easy to manage, and suitable for general security scenarios.
Custom Key (KMS): You can use a key that you manage in KMS to encrypt the file system. You have full lifecycle management permissions for the key, including creation, enabling, disabling, rotation, and deletion. This method is suitable for scenarios with strict compliance requirements or where you need full control over your keys. Two key sources are supported:
Keys created in KMS: Create a customer master key (CMK) in the KMS console.
Bring-Your-Own-Key (BYOK): Import an externally generated key into KMS.
If you select Custom Key, you must first create or import a customer master key (CMK) in the Key Management Service console.
Step 2: Create an encrypted file system
Log on to the CPFS console and navigate to the file system creation page.
For the Encryption Type parameter, select Service-managed key or Custom Key (KMS).
If you select Custom Key (KMS), select a custom key that you have created from the Key ID drop-down list.
The first time you use this feature, the system guides you to create a service-linked role to grant CPFS access to your KMS resources.
Configure the other parameters and then create the file system.
Step 3: Verify the encryption configuration
After the file system is created, check the status in the Encryption column of the file system list to confirm that encryption is enabled.
All data written to the file system is now automatically encrypted when stored.
Configure encryption in transit
You can implement encryption in transit by adding a specific parameter when you mount the file system. It protects NFS traffic during network transmission.
Prerequisites
A CPFS General-purpose Edition file system is created.
The destination ECS instance must have public network access or be associated with an EIP.
Step 1: Install the CPFS-NFS client
Log on to the ECS instance on which you want to mount the CPFS file system. For more information about connection methods, see Overview of ECS remote connection methods.
Download and install the CPFS-NFS client.
Alibaba Cloud Linux
Download the CPFS-NFS client.
wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.al.noarch.rpm
Install the CPFS-NFS client.
sudo yum install aliyun-alinas-utils-*.rpm
CentOS
Download the CPFS-NFS client.
wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.el.noarch.rpm
Install the CPFS-NFS client.
sudo yum install aliyun-alinas-utils-*.rpm
Ubuntu
Download the CPFS-NFS client.
sudo wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.deb -O /tmp/aliyun-alinas-utils-latest.deb
Install the CPFS-NFS client.
sudo apt-get update
sudo apt-get install /tmp/aliyun-alinas-utils-latest.deb
Debian
Download the CPFS-NFS client.
sudo wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.deb -O /tmp/aliyun-alinas-utils-latest.deb
Install the CPFS-NFS client.
sudo apt-get update
sudo apt-get install /tmp/aliyun-alinas-utils-latest.deb
Verify that the CPFS-NFS client is installed.
which mount.cpfs-nfs
The following response indicates a successful installation:
/usr/sbin/mount.cpfs-nfs
Step 2: Mount the file system with encryption in transit enabled
When you enable encryption in transit, if an NFS file system is already mounted to the target directory on your ECS instance, such as /mnt, you must first unmount the NFS file system. Then, you can remount the NFS file system as described in this topic.
To enable encryption in transit, add the -o tls parameter to the standard mount command. When you mount the file system, the CPFS client tool automatically writes the mount target mapping to the /etc/hosts file. The mapping is deleted when you unmount the file system.
# Example: Mount with encryption in transit enabled
sudo mount -t cpfs-nfs -o tls,vers=3,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport file-system-id.region.cpfs.aliyuncs.com:/share/path /mnt
-o tls: Required. Enables encryption in transit.
vers=3: Uses the NFSv3 protocol for better compatibility.
rsize=1048576,wsize=1048576: Sets the read and write block size to 1 MB to optimize transmission performance.
hard: Uses hard mount mode to ensure data consistency.
For more information about mount parameters, see Mount a file system using a CPFS-NFS client (Recommended).
Step 3: Verify that encryption is enabled
After the file system is mounted, check the Stunnel process and network connectivity to verify that encryption is enabled.
Check the Stunnel process: Verify that the Stunnel proxy process is running.
ps aux | grep stunnel
Check the network connection: Verify that Stunnel has established an encrypted connection to the CPFS server side.
netstat -anp | grep stunnel
You should see that the stunnel process has established a connection with the CPFS server side on port 12049.
After verification, all read and write operations on the mounted directory are performed through the encrypted tunnel.
Quotas and limits
Server-side encryption limits
Configuration at creation: You must configure encryption when you create the file system. You cannot enable, disable, or change it after creation.
Algorithm limit: Only the AES-256 algorithm is supported. Other algorithms such as SM4 are not supported.
Encryption in transit limits
File system support: Only CPFS General-purpose Edition NFS file systems are supported.
Network port usage: The Stunnel process uses local port 12049 by default. Make sure this port is not occupied by other applications. You can run the ss -ant | grep -w 12049 command to check whether the port is in use. If the command returns an empty result, the port is not in use. If the port is in use, you can change it by modifying the configuration file.
Local IP address usage: Each mount target with encryption in transit enabled occupies an IP address in the range of 127.0.1.1 to 127.0.255.254, in sequence. The IP address is released after unmounting. You can run cat /etc/hosts to view the current usage.
Mutually exclusive mount modes: You cannot mount the same file system mount target on the same client using both encrypted (TLS) and non-encrypted modes simultaneously. To switch modes, you must first unmount the existing mount target.
Supported operating systems: Only the following 64-bit operating system versions are supported.
Operating system | Operating system version |
Alibaba Cloud Linux | Alibaba Cloud Linux 3.2104 64-bit; Alibaba Cloud Linux 2.1903 64-bit |
CentOS | CentOS 8.x 64-bit; CentOS 7.x 64-bit |
Ubuntu | Ubuntu 20.04 64-bit; Ubuntu 18.04 64-bit; Ubuntu 16.04 64-bit |
Debian | Debian 10.x 64-bit; Debian 9.x 64-bit; Debian 8.x 64-bit |
SUSE | SUSE Linux Enterprise Server 15 64-bit |
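As an added example (not from the CPFS documentation or the aliyun-alinas-utils tool), the following POSIX shell script turns the port check from the limits above and the Stunnel and /etc/hosts checks from Step 3 into functions that parse command output, so the same checks can run before and after a -o tls mount. The sample outputs are constructed, and the cpfs.aliyuncs.com name filter assumes mount targets use that domain, as in the mount example.

```shell
#!/bin/sh
# Added example, not part of the CPFS documentation or of aliyun-alinas-utils.
# Before a "-o tls" mount the Stunnel local port (12049 by default) must be free;
# after it, a stunnel process should hold an ESTABLISHED connection to the CPFS
# side on port 12049 and one 127.0.x.y entry per mount target is in /etc/hosts.
STUNNEL_PORT=12049

# stunnel_port_state "<ss -ant output>" -> prints "busy" if any socket's local
# address (column 4) ends in :12049, otherwise "free".
stunnel_port_state() {
    printf '%s\n' "$1" | awk -v p=":$STUNNEL_PORT" \
        'NR > 1 && substr($4, length($4) - length(p) + 1) == p { busy = 1 }
         END { print (busy ? "busy" : "free") }'
}
# count_tls_tunnels "<netstat -anp output>" -> number of ESTABLISHED stunnel
# connections whose foreign address (column 5) is port 12049.
count_tls_tunnels() {
    printf '%s\n' "$1" | awk -v p=":$STUNNEL_PORT" \
        '/stunnel/ && $6 == "ESTABLISHED" &&
         substr($5, length($5) - length(p) + 1) == p { n++ }
         END { print n + 0 }'
}
# count_tls_hosts_entries "<contents of /etc/hosts>" -> number of mount-target
# mappings in the loopback range 127.0.1.1-127.0.255.254 the client writes.
count_tls_hosts_entries() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 ~ /\.cpfs\.aliyuncs\.com$/ {
        split($1, o, ".")
        if (o[1] == 127 && o[2] == 0 && o[3] >= 1 && o[3] <= 255 &&
            o[4] >= 1 && o[4] <= 254) n++
    } END { print n + 0 }'
}

# Constructed sample outputs (not captured from a real instance).
SS_FREE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_BUSY='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:12049       0.0.0.0:*'
NETSTAT_AFTER_MOUNT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:12049 0.0.0.0:* LISTEN 2311/stunnel
tcp 0 0 192.0.2.10:39874 198.51.100.8:12049 ESTABLISHED 2311/stunnel'
HOSTS_AFTER_MOUNT='127.0.0.1 localhost
127.0.1.1 file-system-id.region.cpfs.aliyuncs.com
127.0.1.2 other-file-system-id.region.cpfs.aliyuncs.com'

if [ "${1:-}" = "--live" ]; then   # run the same checks against this host
    echo "port $STUNNEL_PORT: $(stunnel_port_state "$(ss -ant)")"
    echo "tls tunnels: $(count_tls_tunnels "$(netstat -anp 2>/dev/null)")"
    echo "hosts entries: $(count_tls_hosts_entries "$(cat /etc/hosts)")"
fi
```

Run it with --live on the ECS instance (netstat -anp shows program names only when run as root); without arguments it only defines the functions and samples.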
Troubleshooting and logs
Client logs related to encryption in transit are located in the /var/log/aliyun/alinas/ directory. You can adjust the log configuration by modifying the /etc/aliyun/alinas/alinas-utils.conf file:
Parameter | Description | Default value |
| The log level of the client tool. | INFO |
| The maximum size of a single log file. | 1048576 (1 MB) |
| The maximum number of log files to retain. | 10 |
| The switch for Stunnel debug logs. If enabled, more detailed TLS handshake information is output. | false |
| Specifies whether to check the domain name of the server-side certificate. Set this to | false |
| Specifies whether to check the validity period and issuer of the server-side certificate. Set this to | false |
After you modify the configuration, run the following command to restart the service:
sudo service aliyun-alinas-mount-watchdog restart
Use in production environments
Key management risks (server-side encryption)
If you use a custom key, you must implement a strict key management process. If the key is disabled or deleted, you can no longer read or write data to the encrypted file system, and the data cannot be recovered. Enable the deletion protection feature for the key in KMS.
Certificate management (encryption in transit)
The encryption in transit feature of the CPFS client relies on a third-party certificate that must be replaced periodically. CPFS sends a notification by email and internal message one month in advance. Follow the instructions in the notification and promptly update the CPFS client tool aliyun-alinas-utils to the latest version. If you do not update the client tool, the CPFS file system mounted with encryption in transit will stop responding after the certificate expires.
FAQ
Q: Can I access my data after the key for server-side encryption is disabled or deleted?
No, you cannot. If you use a custom key, you can no longer read or write data to the encrypted file system after the key is disabled or deleted. Proceed with caution.
Q: If I enable server-side encryption of the at-rest encryption type for a file system, will the effective storage capacity be reduced?
No, it will not. AES is a block cipher that uses an automatic padding mechanism. The data added by automatic padding for at-rest encryption is not counted toward the effective storage capacity of the file system.
Q: Does server-side encryption support the SM4 algorithm?
No, it does not. CPFS server-side encryption uses the industry-standard AES-256 encryption algorithm to protect data at rest in the file system. It also uses the envelope encryption mechanism to prevent unauthorized data access. Server-side encryption keys are generated and managed by KMS. KMS ensures the confidentiality, integrity, and availability of keys. For more information about encryption, see Use envelope encryption with KMS to encrypt and decrypt data locally.
Q: I receive the error message "The mountpoint <mountpoint> is already mounted with tls/non-tls, mixing tls and non-tls is not supported in this version" when I mount a file system with encryption in transit. What should I do?
Cause: The same mount target cannot be used for encrypted (TLS) and non-encrypted (non-TLS) mounts simultaneously. The client reports an error and terminates the mount operation when it detects a mixed mount operation.
Solution: Run the umount command to unmount the current mount target. Then, choose either TLS or non-TLS mode and run the mount command again.
Q: I receive the error message "Cannot mount with tls/non-tls now, please wait <sec> seconds for the unmount to complete" when I mount a file system with encryption in transit. What should I do?
Cause: When you switch between encrypted and non-encrypted modes, the system requires a grace period to complete the unmount process before it can be remounted. This error occurs if the interval between switching is too short.
Solution:
Wait for the number of seconds specified in the error message, and then run the mount command again.
You can also adjust the duration of the unmount grace period by configuring the unmount_grace_period_sec parameter. For more information about the configuration method, see CPFS client parameter configuration details.