Apsara File Storage NAS supports server-side encryption. NAS encrypts data that is stored in file systems. When you access data, NAS decrypts and sends you the required data. This topic describes how to implement server-side encryption.


  • You can enable the data encryption feature only when you create a file system.
  • You cannot disable the data encryption feature that is enabled for a file system.

Encryption methods

If you require a high level of security or compliance, we recommend that you enable the server-side encryption feature. Server-side encryption uses the industry-standard AES-256 algorithm to encrypt data in the NAS file system. These keys are used to encrypt data in file systems. To prevent against unauthorized data access, server-side encryption uses envelope encryption. The keys of server-side encryption are generated and managed by Key Management Service (KMS). KMS allows you to ensure the confidentiality, integrity, and availability of keys.

NAS supports the following two scenario-specific server-side encryption methods.
Note You can use keys that are hosted by NAS free of charge. A limited number of fees are incurred for the usage of KMS keys when you use custom keys. For more information, see KMS pricing.
  • NAS-managed key

    You can use NAS-managed key to encrypt each file system. NAS creates and manages keys in the KMS console. You can view a key and modify the permissions of the key. However, you cannot delete or disable the key.

  • User-managed key
    You can use User-managed key that are hosted by KMS to encrypt and decrypt file systems. If a key is disabled or deleted, the file system that is encrypted by the key cannot be accessed. User-managed key are generated by using the following two methods:
    • Use KMS to create: You can create customer master keys (CMKs) in the KMS console. Then, you can configure and manage these CMKs. The management includes enabling, disabling, deleting, and rotating CMKs.
    • Bring your own key (BYOK): To meet some specified requirements for security, you can import BYOK keys that are generated by on-premises services or cloud services to KMS. These keys are used as CMKs. For more information, see Import key material.


Log on to the NAS console. Click Create File System and select General Purpose NAS or Extreme(Pay-as-you-go). On the buy page, select NAS-managed key or User-managed key(KMS) in the Encryption Type field based on your business requirements. For more information, see Create a General-purpose NAS file system in the NAS console and Create an Extreme NAS file system in the NAS console..

Regional availability

  • NAS-managed key encryption: General-purpose NAS and Extreme NAS in all regions.
  • User-managed key encryption: Extreme NAS in all regions , General-purpose NAS in the US(Silicon Valley), US(Virginia), UK(London) and Australia(Sydney) regions.