
Apsara File Storage NAS: Data security

Last Updated: Jun 12, 2024

Apsara File Storage NAS (NAS) provides server-side encryption and client-side encryption to protect data from potential security risks in the cloud. NAS also supports the data backup and recycle bin features to prevent data loss.

Data encryption

NAS provides server-side encryption and client-side encryption to protect data from potential security risks in the cloud.

Encryption in transit

NAS provides the encryption in transit feature based on the Transport Layer Security (TLS) protocol. After encryption in transit is enabled, communication between the NAS client and the NAS server is encrypted by using TLS.

For more information about how to enable encryption in transit, see Encryption in transit for NFS file systems or Encryption in transit for SMB file systems.

Server-side encryption

NAS supports the following encryption mechanisms:

  • NAS-managed key encryption

    You can use NAS-managed keys to encrypt file systems. NAS creates and manages keys in the Key Management Service (KMS) console. You can view a key and modify the permissions of the key. However, you cannot delete or disable the key.

  • Custom key encryption

    You can use custom keys that are hosted by KMS to encrypt and decrypt file systems. If a key is disabled or deleted, the file system that is encrypted by the key cannot be accessed. Custom keys are generated by using the following two methods:

    • Use KMS to create: You can create customer master keys (CMKs) in the KMS console. Then, you can configure and manage these CMKs. You can enable, disable, delete, and rotate CMKs.

    • Bring your own key (BYOK): To meet specific requirements for security, you can import BYOK keys that are generated by on-premises services or cloud services to KMS. These keys are used as CMKs. For more information, see Import key material.

For more information, see Create a General-purpose NAS file system in the NAS console and Create an Extreme NAS file system in the NAS console.

Data backup

NAS uses Cloud Backup to ensure data security. The data backup feature is suitable for the following scenarios: disaster recovery, restoration upon accidental deletion or malicious tampering, data versioning, legal compliance, and data migration. For more information, see Back up and restore files.

Note

Cloud Backup is a fully-managed online backup service that allows you to back up data to the cloud in a convenient, efficient, and secure manner. You can use Cloud Backup to back up data from Elastic Compute Service (ECS) instances, ECS-hosted databases, ECS files, NAS file systems, Object Storage Service (OSS) buckets, and Tablestore instances. You can also use Cloud Backup to back up data from self-managed data centers that store files, databases, virtual machines (VMs), and large-scale NAS file systems. Cloud Backup allows you to implement disaster recovery and archive data based on the archive policies that you configure for the preceding resources. For more information, see What is Cloud Backup?

To prevent operations such as accidental deletion and malicious tampering from affecting the availability of important data, you can use the recycle bin feature or snapshot feature of NAS to back up files and directories in NAS file systems and restore lost or damaged data at the earliest opportunity. For more information, see Recycle bin and Manage snapshots.

Recycle bin

The recycle bin feature provides low-cost protection against accidental deletion and prevents data loss caused by logic errors such as software errors and manual operation mistakes. For more information, see Recycle bin.

Data erasure mechanism

The data erasure mechanism ensures that data deleted by a user cannot be accessed by other users by any means. The following mechanisms ensure that deleted data is completely erased:

  • The data in NAS file systems of different users is completely isolated. The data in each NAS file system is managed, indexed, and verified based on the metadata. Reading data across different NAS file systems is not allowed.

  • If a file is deleted from a NAS file system, the metadata index is updated immediately. This ensures that the corresponding physical space cannot be indexed and the data can no longer be read. When the physical storage space is reallocated, it is cleared and then added to the metadata index. The system returns only zeros for requests that attempt to read data from the storage space for the first time.

  • When a NAS file system is released, the storage system immediately destroys the metadata to ensure that the data is no longer accessible. At the same time, the physical storage space that corresponds to the NAS file system is recycled. When the physical storage space is reallocated, data is cleared again and then overwritten by newly written data. Before data is written to the physical storage space, the system returns only zeros for all read requests.
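
The three guarantees above can be modeled in a few lines. The following is an added illustration, not code from NAS or Alibaba Cloud: `StoragePool`, its methods, the file system IDs, and the 16-byte block size are all hypothetical names and values constructed for this sketch. It shows that every read resolves through the caller's own metadata index, and that a block is cleared before it re-enters any index.

```python
BLOCK_SIZE = 16  # constructed block size for this model


class StoragePool:
    """Toy model: blocks are reachable only through a per-file-system index."""

    def __init__(self, n_blocks):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.index = {}  # fs_id -> {file name -> physical block number}

    def create_fs(self, fs_id):
        self.index[fs_id] = {}

    def create_file(self, fs_id, name):
        block = self.free.pop()
        # Clear on reallocation, before the block enters the metadata index.
        self.blocks[block][:] = bytes(BLOCK_SIZE)
        self.index[fs_id][name] = block

    def write(self, fs_id, name, data):
        data = data[:BLOCK_SIZE]
        self.blocks[self.index[fs_id][name]][:len(data)] = data

    def read(self, fs_id, name):
        # Reads resolve only through the caller's own index: there is no path
        # to a block by physical number or via another file system (KeyError).
        return bytes(self.blocks[self.index[fs_id][name]])

    def delete_file(self, fs_id, name):
        # The index entry is removed immediately, so the block is unreachable.
        self.free.append(self.index[fs_id].pop(name))

    def release_fs(self, fs_id):
        # Metadata is destroyed first, then the physical space is recycled.
        self.free.extend(self.index.pop(fs_id).values())


def demo():
    pool = StoragePool(n_blocks=1)  # one block forces reuse
    pool.create_fs("fs-a")
    pool.create_fs("fs-b")
    pool.create_file("fs-a", "secret.txt")
    pool.write("fs-a", "secret.txt", b"tenant-a-secret")
    pool.delete_file("fs-a", "secret.txt")
    readable_after_delete = "secret.txt" in pool.index["fs-a"]
    pool.create_file("fs-b", "new.dat")  # reuses the block fs-a just freed
    return readable_after_delete, pool.read("fs-b", "new.dat")
```

In `demo()`, the second file system is handed the same physical block the first one wrote to, and its first read still returns only zero bytes.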