Data encryption

CPFS General-purpose protects your data end-to-end with server-side encryption and encryption in transit.

  • Server-side encryption: Protects your data at rest and prevents data breaches caused by physical disk loss or theft.

  • Encryption in transit: Protects data traveling over a network from eavesdropping and tampering.

How it works

  • Server-side encryption

    This feature is implemented by using the industry-standard envelope encryption mechanism with Alibaba Cloud Key Management Service (KMS). The system generates a unique data encryption key (DEK) for each file system and uses the AES-256 algorithm to encrypt your data. The DEK itself is encrypted and protected by a customer master key (CMK) that you specify in KMS. This transparent process ensures data security and maintains high read/write performance through a DEK caching mechanism.

  • Encryption in transit

    This feature provides end-to-end secure data transmission based on the open-source software Stunnel. When you mount a file system, the CPFS client tool (aliyun-alinas-utils) starts a Stunnel proxy process on your ECS instance. This process encapsulates all NFS traffic within a Transport Layer Security (TLS) encrypted tunnel, effectively preventing eavesdropping and tampering over the network.

Encryption options

For scenarios requiring the highest level of security, we recommend enabling both server-side encryption and encryption in transit for end-to-end data protection.

Key benefit

  • Server-side encryption: Protects data at rest and prevents data breaches from physical disk loss or theft.

  • Encryption in transit: Protects data in transit and prevents network eavesdropping.

Use cases

  • Server-side encryption: Meeting specific security and compliance audit requirements; protecting highly sensitive business data against physical security risks.

  • Encryption in transit: Transmitting data over the public internet or an untrusted network; meeting transport security requirements from compliance frameworks such as MLPS and GDPR.

Performance impact

  • Server-side encryption: A minor decrease in IOPS and throughput, with a slight increase in CPU overhead.

  • Encryption in transit: About a 10% performance impact (10% increase in access latency and 10% decrease in IOPS). For throughput-intensive applications, the Stunnel process for each mount point might consume an entire CPU core in extreme cases. Therefore, reserve sufficient CPU resources based on your workload.

Cost

  • Both features are free of charge.

Management complexity

  • Server-side encryption: One-time configuration during creation. If a customer-managed key is accidentally deleted, the data encrypted with it is permanently lost.

  • Encryption in transit: You must install and maintain the client and monitor certificate expiration. If the client certificate expires, the file system stops responding.

Server-side encryption

Server-side encryption can only be configured when creating a file system. After creation, you cannot disable encryption or change the key. Enabling encryption has a minor impact on performance, which might slightly decrease IOPS and throughput.

Step 1: Choose key management method

Choose a key management method based on your security and compliance needs:

  • Managed key: CPFS creates and manages keys on your behalf, so you do not need to manage their lifecycle. You retain audit permissions. This method is free of charge, easy to manage, and suitable for general security scenarios.

  • Customer-managed key (via KMS): Use a key that you manage in KMS to encrypt the file system. You have full control over the key lifecycle, including creation, enabling, disabling, rotation, and deletion. This method is suitable for scenarios with strict compliance requirements or where you must control your own keys. Two key sources are supported:

    • KMS-created key: Create a customer master key (CMK) in the KMS console.

    • Bring Your Own Key (BYOK): Import an externally generated key into KMS for use.

    If you choose a customer-managed key, you must first create or import a customer master key (CMK) in the Key Management Service console.

Step 2: Create encrypted file system

  1. Log on to the CPFS console and navigate to the file system creation page.

  2. Set Encryption Type to Managed key or Customer-managed key (via KMS).

  3. If you select Customer-managed key (via KMS), select a key from the Key ID drop-down list.

    The first time you use this feature, the system guides you to create a service-linked role to authorize CPFS to access your KMS resources.
  4. Complete the other configuration parameters, and then create the file system.

Step 3: Verify encryption configuration

After the file system is created, check the status in the Encryption column of the file system list to confirm that encryption is enabled.

At this point, all data written to the file system is automatically encrypted.

Encryption in transit

Encryption in transit is enabled by adding a specific parameter when you mount a file system. This feature protects NFS traffic as it travels over the network.

Prerequisites

Step 1: Install CPFS-NFS client

  1. Log on to the ECS instance where you will mount the CPFS file system. For more information about how to connect to an ECS instance, see Connection methods.

  2. Download and install the CPFS-NFS client.

    Alibaba Cloud Linux
    1. Download the CPFS-NFS client.

      wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.al.noarch.rpm
    2. Install the CPFS-NFS client.

      sudo yum install aliyun-alinas-utils-*.rpm
    CentOS
    1. Download the CPFS-NFS client.

      wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.el.noarch.rpm
    2. Install the CPFS-NFS client.

      sudo yum install aliyun-alinas-utils-*.rpm
    Ubuntu
    1. Download the CPFS-NFS client.

      sudo wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.deb -O /tmp/aliyun-alinas-utils-latest.deb
    2. Install the CPFS-NFS client.

      sudo apt-get update
      sudo apt-get install /tmp/aliyun-alinas-utils-latest.deb
    Debian
    1. Download the CPFS-NFS client.

      sudo wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.deb -O /tmp/aliyun-alinas-utils-latest.deb
    2. Install the CPFS-NFS client.

      sudo apt-get update
      sudo apt-get install /tmp/aliyun-alinas-utils-latest.deb
    SUSE
    1. Download the CPFS-NFS client.

      wget https://cpfs-hangzhou-nfs-client.oss-cn-hangzhou.aliyuncs.com/aliyun-alinas-utils-latest.lp15.x86_64.rpm
    2. Install the CPFS-NFS client.

      sudo zypper --no-gpg-checks install -y aliyun-alinas-utils-*.rpm
  3. Verify the installation.

    which mount.cpfs-nfs

    A successful installation returns the following output:

    /usr/sbin/mount.cpfs-nfs

Step 2: Mount with encryption in transit

When you enable encryption in transit, if an NFS file system is already mounted to the target directory (for example, /mnt) on your ECS instance, you must first unmount the NFS file system before you remount it based on the instructions in this topic.

To enable encryption in transit, add the -o tls parameter to the standard mount command. When you mount the file system, the CPFS client tool automatically writes the mount point mapping to the /etc/hosts file and removes the mapping when you unmount the file system.

# Example: Mount with encryption in transit enabled.
sudo mount -t cpfs-nfs -o tls,vers=3,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport file-system-id.region.cpfs.aliyuncs.com:/share/path /mnt
  • -o tls: Required. Enables encryption in transit.

  • vers=3: Specifies the NFSv3 protocol for better compatibility.

  • rsize=1048576,wsize=1048576: Sets the read and write block size to 1 MB to optimize transfer performance.

  • hard: Specifies a hard mount to ensure data consistency.

For more information about mount parameters, see Mount a file system by using a CPFS-NFS client (Recommended).

Step 3: Verify encryption

After the file system is mounted, you can verify that encryption is enabled by checking the Stunnel process and network connections.

  1. Check the Stunnel process: Confirm that the Stunnel proxy process is running.

    ps aux | grep stunnel
  2. Check the network connection: Confirm that Stunnel has established an encrypted connection to the CPFS server.

    netstat -anp | grep stunnel

    You can see that the stunnel process has established a connection to port 12049 on the CPFS server.

After verification, all read and write operations on the mounted directory are transmitted through the encrypted tunnel.
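A preflight and post-mount check script for the TLS mount, as an added example (not from the CPFS documentation or the aliyun-alinas-utils client): it codifies the Step 3 checks plus the port-availability and mixed-mount conditions from the Limitations section, and its parsing functions read command output from stdin so they can be exercised offline on constructed sample lines. It assumes ss, netstat and ps are installed and that a mounted CPFS share appears in /proc/mounts as an NFS entry.

```shell
#!/bin/sh
# Added example, not part of the CPFS documentation or the aliyun-alinas-utils tool.
# Pre-mount and post-mount checks for a CPFS-NFS mount with encryption in transit.
# Each check parses command output from stdin so it can be exercised offline;
# the --preflight and --verify modes run the real commands from Steps 2 and 3.
STUNNEL_PORT=12049   # local port the Stunnel proxy requires by default

# port_in_use PORT: succeeds if any line of `ss -ant` output mentions PORT
# (the same criterion as the documented `ss -ant | grep -w 12049` check).
port_in_use() { grep -wq "$1"; }

# stunnel_running: succeeds if a line of `ps aux` output is a stunnel process
# (the grep command itself is filtered out so it cannot match its own pattern).
stunnel_running() { grep -v grep | grep -q stunnel; }

# stunnel_connected PORT: succeeds if `netstat -anp` output (stdin) shows an
# ESTABLISHED connection owned by stunnel to remote port PORT on the CPFS server.
# netstat columns: proto recv-q send-q local foreign state pid/program
stunnel_connected() {
    awk -v port="$1" '$6 == "ESTABLISHED" && $5 ~ (":" port "$") && $7 ~ /stunnel/ { ok = 1 }
        END { exit !ok }'
}

# mounted_at MOUNTPOINT: succeeds if /proc/mounts-style input (stdin) already has
# an NFS entry at MOUNTPOINT (TLS and non-TLS mounts must not be mixed there).
mounted_at() { awk -v mp="$1" '$2 == mp && $3 ~ /nfs/ { ok = 1 } END { exit !ok }'; }

# Constructed sample lines (not real command output) for offline testing.
SAMPLE_SS='LISTEN 0 128 127.0.1.1:12049 0.0.0.0:*'
SAMPLE_PS='root 2211 0.3 0.1 12345 6789 ? Ss 10:00 0:00 stunnel'
SAMPLE_NETSTAT='tcp 0 0 192.0.2.25:40010 192.0.2.10:12049 ESTABLISHED 2211/stunnel'
SAMPLE_MOUNTS='192.0.2.10:/share/path /mnt nfs rw,vers=3,hard 0 0'

live_preflight() {   # run before `mount -t cpfs-nfs -o tls ...`; usage: --preflight /mnt
    command -v mount.cpfs-nfs >/dev/null || { echo "mount.cpfs-nfs missing: install aliyun-alinas-utils"; return 1; }
    mounted_at "$1" </proc/mounts && { echo "$1 is already mounted: umount it before a TLS mount"; return 1; }
    ss -ant | port_in_use "$STUNNEL_PORT" && { echo "local port $STUNNEL_PORT is occupied"; return 1; }
    echo "preflight OK for $1"
}

live_verify() {      # run after the mount (Step 3); usage: --verify
    ps aux | stunnel_running || { echo "no stunnel process found"; return 1; }
    netstat -anp 2>/dev/null | stunnel_connected "$STUNNEL_PORT" || { echo "no encrypted connection to port $STUNNEL_PORT"; return 1; }
    echo "encryption in transit is active"
}
case "${1:-}" in
    --preflight) live_preflight "${2:-/mnt}" ;;
    --verify)    live_verify ;;
esac
```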

Limitations

  • Server-side encryption limitations

    • Configured at creation: Server-side encryption must be configured when you create a file system and cannot be modified after creation.

    • Algorithm limitation: Only the AES-256 algorithm is supported. Other algorithms, such as SM4, are not supported.

  • Encryption in transit limitations

    • Supported file systems: Only general-purpose CPFS file systems that use the NFS protocol are supported.

    • Port usage: By default, the Stunnel process requires local port 12049. Make sure that this port is not occupied by other services.

      You can run the ss -ant | grep -w 12049 command to check whether the port is occupied. If the command returns an empty result, the port is not occupied. If the port is occupied, you can change the port by modifying the configuration file.
    • Local IP address usage: Each mount point with encryption in transit enabled sequentially occupies an IP address from the range of 127.0.1.1 to 127.0.255.254. The IP address is released when the file system is unmounted. You can run the cat /etc/hosts command to view the current usage.

    • Mutually exclusive mount modes: You cannot use both encrypted (TLS) and non-encrypted modes to mount the same file system to the same mount point. To switch modes, you must first unmount the existing mount point.

    • Supported operating systems: Only the following 64-bit operating system versions are supported.

      • Alibaba Cloud Linux: Alibaba Cloud Linux 3.2104 64-bit, Alibaba Cloud Linux 2.1903 64-bit

      • CentOS: CentOS 8.x 64-bit, CentOS 7.x 64-bit

      • Ubuntu: Ubuntu 20.04 64-bit, Ubuntu 18.04 64-bit, Ubuntu 16.04 64-bit

      • Debian: Debian 10.x 64-bit, Debian 9.x 64-bit, Debian 8.x 64-bit

      • SUSE: SUSE Linux Enterprise Server 15 64-bit

Troubleshooting and logging

Client logs related to encryption in transit are located in the /var/log/aliyun/alinas/ directory. You can adjust the logging configuration by modifying the /etc/aliyun/alinas/alinas-utils.conf file:

  • logging_level (default: INFO): The logging level for the client tool.

  • logging_max_bytes (default: 1048576, that is, 1 MB): The maximum size of a single log file.

  • logging_file_count (default: 10): The maximum number of log files to retain.

  • stunnel_debug_enabled (default: false): Enables or disables Stunnel debug logging. When enabled, more detailed TLS handshake information is output.

  • stunnel_check_cert_hostname (default: false): Specifies whether to check the domain name of the server certificate. We recommend that you set this parameter to true in a production environment.

  • stunnel_check_cert_validity (default: false): Specifies whether to check the validity period and issuer of the server certificate. We recommend that you set this parameter to true in a production environment.

After you modify the configuration, run the following command to restart the service:

sudo service aliyun-alinas-mount-watchdog restart

Production considerations

  • Key management risks (server-side encryption)

    If you use a customer-managed key, you must establish a strict key management process. If a key is disabled or deleted, the encrypted file system becomes inaccessible and the data is rendered unrecoverable. We recommend enabling the deletion protection feature for your keys in KMS.

  • Certificate management (encryption in transit)

    The encryption in transit feature of the CPFS client relies on third-party certificates that must be rotated periodically. CPFS notifies you by email and internal message one month in advance. Promptly update the aliyun-alinas-utils client tool. Failure to update the client will cause file systems mounted with encryption in transit to stop responding after the certificate expires.

FAQ

Q: Can data still be accessed if the encryption key is disabled or deleted?

A: No. If you use a customer-managed key, the encrypted file system becomes completely inaccessible for both read and write operations if the key is disabled or deleted. Exercise caution when managing keys.

Q: Does server-side encryption reduce storage capacity?

A: No. AES is a block cipher with an automatic padding mechanism. This padding data does not count toward your file system's storage capacity.

Q: Does server-side encryption support SM4 algorithm?

A: No. CPFS server-side encryption uses the industry-standard AES-256 algorithm to protect data at rest and employs envelope encryption to prevent unauthorized data access. The server-side encryption keys are generated and managed by using KMS. KMS ensures the confidentiality, integrity, and availability of your keys. For more information about encryption, see Use envelope encryption with KMS to encrypt and decrypt data locally.

Q: What does this mount error mean: The mountpoint <mountpoint> is already mounted with tls/non-tls, mixing tls and non-tls is not supported in this version?

A: Cause: A mount point cannot simultaneously support encrypted (TLS) and non-encrypted (non-TLS) modes. The client detects this mixed-mount attempt, reports an error, and terminates the operation.

Solution: Use the umount command to unmount the current mount point, choose either TLS or non-TLS mode, and then run the mount command again.

Q: What does this mount error mean: Cannot mount with tls/non-tls now, please wait <sec> seconds for the unmount to complete?

A: Cause: When switching between encrypted and non-encrypted modes, the system requires a brief grace period after unmounting before you can remount. This error occurs if you attempt to remount too quickly during this period.

Solution:

  1. Wait for the number of seconds specified in the error message, and then run the mount command again.

  2. You can also adjust the duration of the unmount grace period by configuring the unmount_grace_period_sec parameter. For more information about the configuration, see CPFS client parameter configuration details.