Apsara File Storage NAS supports server-side encryption. NAS encrypts data that is stored in file systems. When you access data, NAS decrypts and sends you the required data. This topic describes how to implement server-side encryption.


  • You can enable the data encryption feature only when you create a file system.
  • After data encryption is enabled for a file system, you cannot disable it.

Encryption methods

If you require a high level of security or compliance, we recommend that you enable the server-side encryption feature. Server-side encryption uses the industry-standard AES-256 algorithm to generate keys. These keys are used to protect data at rest in file systems. To prevent unauthorized data access, server-side encryption uses envelope encryption. The keys of server-side encryption are generated and managed by Key Management Service (KMS). KMS allows you to ensure the confidentiality, integrity, and availability of keys.

NAS supports the following two scenario-specific server-side encryption methods.
Note: You can use keys that are hosted by NAS free of charge. When you use custom keys, limited fees are incurred for the usage of KMS keys. For more information, see KMS pricing.
  • NAS-managed keys

    You can use NAS-managed keys to encrypt each file system. NAS creates and manages keys in the KMS console. You can view a key and modify the permissions of the key. However, you cannot delete or disable the key.

  • Custom keys
    You can use custom keys that are hosted by KMS to encrypt and decrypt file systems. If a key is disabled or deleted, the file system that is encrypted by the key cannot be accessed. Custom keys are generated by using the following two methods:
    • Use KMS to create: You can create customer master keys (CMKs) in the KMS console. Then, you can configure and manage these CMKs. The management includes enabling, disabling, deleting, and rotating CMKs.
    • Bring your own key (BYOK): To meet specific security requirements, you can import key material that is generated by on-premises services or cloud services to KMS. The imported keys are used as CMKs. For more information, see Import key material.
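
The following Ruby sketch is an added illustration, not Alibaba Cloud code. It shows the envelope encryption described above and why a file system becomes inaccessible when its custom key is disabled or deleted. ToyKeyService, Envelope, and the nonce + tag + ciphertext layout are assumptions made for the example; they are not the KMS API or the NAS on-disk format.

```ruby
require 'openssl'

# Added illustration: a hypothetical in-memory key service, not the KMS API.
class ToyKeyService
  attr_accessor :enabled
  def initialize
    @cmk = OpenSSL::Random.random_bytes(32) # 256-bit master key; never leaves the service
    @enabled = true
  end

  # Returns a fresh 256-bit data key, both in plaintext and wrapped under the master key.
  def generate_data_key
    raise 'master key disabled or deleted' unless @enabled
    data_key = OpenSSL::Random.random_bytes(32)
    [data_key, Envelope.seal(@cmk, data_key)]
  end
  def unwrap(wrapped_key)
    raise 'master key disabled or deleted' unless @enabled
    Envelope.unseal(@cmk, wrapped_key)
  end
end

module Envelope
  # AES-256-GCM; the output layout is nonce (12 bytes) + tag (16 bytes) + ciphertext.
  def self.seal(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag + ciphertext
  end

  def self.unseal(key, blob)
    raise ArgumentError, 'ciphertext too short' if blob.bytesize < 28
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, 12)
    cipher.auth_tag = blob.byteslice(12, 16)
    cipher.update(blob.byteslice(28..)) + cipher.final # raises CipherError if tampered
  end

  # What reaches disk: the wrapped data key and the ciphertext, never the plaintext key.
  def self.write(key_service, plaintext)
    data_key, wrapped_key = key_service.generate_data_key
    { wrapped_key: wrapped_key, data: seal(data_key, plaintext) }
  end
  def self.read(key_service, stored)
    unseal(key_service.unwrap(stored[:wrapped_key]), stored[:data])
  end
end
```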


Log on to the NAS console. On the buy page, select NAS-managed Key or Custom Key (KMS) in the Data Encryption field based on your business requirements. For more information, see Create a General-purpose NAS file system in the NAS console and Create an Extreme NAS file system in the NAS console.

Supported regions

  • NAS-managed key encryption
    • General-purpose NAS file systems: all regions.
    • Extreme NAS file systems: all regions.
  • Custom key encryption
    • General-purpose NAS file systems:
      • US (Silicon Valley)
      • US (Virginia)
      • UK (London)
      • Australia (Sydney)
      • Germany (Frankfurt)
      • India (Mumbai)
      • Singapore (Singapore)
    • Extreme NAS file systems: all regions.