You can enable gateway-side encryption when you create a share on a file gateway. After gateway-side encryption is enabled, data is encrypted on the gateway before it is uploaded from the cache disk to OSS, so the objects stored in OSS hold only ciphertext. Only data that the gateway encrypted and uploaded to OSS is synchronized back to the local client by reverse synchronization. This topic describes how to enable gateway-side encryption.
Prerequisites
A file gateway is created and a cache disk is attached to it. For more information, see Create a file gateway and Attach a cache disk.
An OSS bucket is created. For more information, see Create buckets.
A regular customer master key (CMK) or an external CMK is created in the Key Management Service (KMS) console in the same region as the OSS bucket. For more information about how to create an external CMK, see Import key material.
Background information
Gateway-side encryption is a data protection method that automatically encrypts data on the gateway before the data leaves the local system or private network for a cloud storage service or an external network. Because the data is encrypted before it is transferred, it is protected from unauthorized access or interception in transit and is stored in OSS in encrypted form.
Usage notes
When you enable gateway-side encryption, take note of the following information:
Only users in the whitelist can use gateway-side encryption. If you are not in the whitelist and want to use this feature, submit a ticket.
Only Enhanced and Performance Optimized gateways support gateway-side encryption.
If gateway-side encryption is enabled for a share, objects in the associated OSS bucket that were not encrypted by the gateway (for example, objects uploaded directly to the bucket) are not synchronized back to the local system by the reverse synchronization feature.
Procedure
Gateway-side encryption can be enabled only when you create a share; it cannot be enabled for an existing share. To create a share with gateway-side encryption enabled, perform the following steps:
Log on to the CSG console.
In the upper-left corner of the page, select the region where the file gateway resides.
In the left-side navigation pane, click Gateways. On the page that appears, locate the file gateway and click the ID of the file gateway.
In the left-side navigation pane, click Share. On the Shares page, click Create.
In the Bucket Settings step, configure the parameters described in the Bucket settings parameter table and the additional parameters described below, and click Next.
Encrypt: Select an encryption type. This example uses Gateway-side Encryption.
ID: The ID of the CMK that is used to encrypt data. Enter the ID of the CMK that you created in the KMS console. The CMK must reside in the same region as the OSS bucket.
Key Rotation: Specifies whether to enable key rotation. After you enable key rotation, the gateway periodically generates new encryption keys under the specified CMK, which limits the amount of data that is protected by any single key and therefore improves data security.
Key Rotation Period: This parameter is available only when you set Key Rotation to Yes. It specifies how often new keys are generated, in seconds. Valid values: 3,600 to 31,104,000 seconds (1 hour to 360 days).
In the Basic Information step, configure the parameters and click Next.
Note: For more information about the parameters, see the Basic information parameter table.
In the Advanced Settings step, set the required parameters and click Next.
Note: For more information about the parameters, see the Advanced settings parameter table.
In the Confirmation step, verify your settings and click OK.
After the share is created, you can click the + icon on the left side of the share name to verify that Encrypt is set to Gateway-side Encryption.
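To make the Key Rotation and reverse synchronization behavior described above concrete, the following is an added example written for this page; it is not Cloud Storage Gateway or Alibaba Cloud code. It assumes that the gateway uses envelope encryption (each object is encrypted with a data key generated under the CMK, and the wrapped data key is stored with the object). FakeKms, EncryptingGateway and the HMAC-based toy cipher are hypothetical stand-ins for KMS, the gateway and a real AEAD cipher; the rotation bounds are the ones given in the Key Rotation Period description.

```python
"""Illustrative model of gateway-side encryption with key rotation.

Added example, not Cloud Storage Gateway code. Assumption: envelope encryption,
where a CMK held in KMS wraps per-period data keys and the wrapped key travels
with the object. The cipher below is a toy HMAC-SHA256 keystream, not an AEAD.
"""
import hashlib
import hmac
import secrets
import struct

# Key Rotation Period bounds from the page, in seconds (31,104,000 s = 360 days).
ROTATION_MIN = 3_600
ROTATION_MAX = 31_104_000


def _keystream(key, nonce, length):
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, data):
    """Encrypt-then-MAC with subkeys derived from `key`; returns nonce||ct||tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    """Inverse of _seal; raises ValueError if the tag does not verify."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong CMK or tampered object")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Hypothetical stand-in for KMS: the CMK never leaves this object."""

    def __init__(self, cmk_id):
        self.cmk_id = cmk_id
        self._cmk = secrets.token_bytes(32)

    def generate_data_key(self):
        """Return (plaintext data key, data key wrapped under the CMK)."""
        plaintext = secrets.token_bytes(32)
        return plaintext, _seal(self._cmk, plaintext)

    def decrypt_data_key(self, wrapped):
        return _open(self._cmk, wrapped)


class EncryptingGateway:
    """Models a share with Gateway-side Encryption and optional Key Rotation."""

    def __init__(self, kms, rotation_period=None):
        # rotation_period=None models Key Rotation set to No.
        if rotation_period is not None and not ROTATION_MIN <= rotation_period <= ROTATION_MAX:
            raise ValueError(f"rotation period must be {ROTATION_MIN}..{ROTATION_MAX} seconds")
        self.kms = kms
        self.rotation_period = rotation_period
        self._data_key = self._wrapped = self._key_born = None

    def _current_key(self, now):
        expired = (self.rotation_period is not None and self._key_born is not None
                   and now - self._key_born >= self.rotation_period)
        if self._data_key is None or expired:  # first use, or period elapsed: new key
            self._data_key, self._wrapped = self.kms.generate_data_key()
            self._key_born = now
        return self._data_key, self._wrapped

    def upload(self, plaintext, now):
        """Encrypt on the gateway; the returned dict is what lands in OSS."""
        key, wrapped = self._current_key(now)
        return {"cmk_id": self.kms.cmk_id, "wrapped_key": wrapped, "body": _seal(key, plaintext)}

    def reverse_sync(self, obj):
        """Decrypt an object this gateway encrypted; skip (None) plain objects."""
        if "wrapped_key" not in obj:
            return None  # uploaded to the bucket unencrypted: not synced back
        return _open(self.kms.decrypt_data_key(obj["wrapped_key"]), obj["body"])


if __name__ == "__main__":
    gw = EncryptingGateway(FakeKms("cmk-example"), rotation_period=3600)
    first, later = gw.upload(b"hello", now=0), gw.upload(b"world", now=3600)
    print("rotated:", first["wrapped_key"] != later["wrapped_key"])
    print("synced back:", gw.reverse_sync(first), gw.reverse_sync(later))
```

Two uploads within one rotation period share a wrapped data key, an upload after the period elapses gets a new one, and every object still decrypts because its own wrapped key is stored beside it. An object without that metadata is skipped by reverse synchronization, and a gateway bound to a different CMK cannot decrypt the object at all.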