Both General-purpose NAS and Extreme NAS support server-side encryption. If your data has high security or compliance requirements, enable this feature. When it is enabled, NAS encrypts data as it is written to your file system and transparently decrypts it when the data is read, so applications need no changes. This topic describes how server-side encryption works, the regions in which it is supported, and related operations.
Limitations
- You can enable encryption only when you create a file system.
- You cannot disable encryption for a file system once it is enabled.
Encryption options
NAS uses the industry-standard AES-256 algorithm to perform server-side encryption and protect your data at rest. Keys are handled with an envelope encryption mechanism: the data itself is encrypted with a data key, and that data key is in turn encrypted under a master key held in Key Management Service (KMS), which generates and manages the keys. Only the wrapped data key is stored with the data, so the file system contents cannot be read without access to the master key in KMS. KMS ensures the confidentiality, integrity, and availability of your keys. For more information, see Use envelope encryption to encrypt and decrypt data locally.
NAS provides the following two server-side encryption options for different use cases. Using a NAS-managed key is free of charge; using a customer-managed key incurs KMS fees for key usage. For more information, see KMS 1.0 billing.
- NAS-managed key
  With this option, each file system is encrypted with a key that NAS fully manages on your behalf. NAS creates and manages this key in Key Management Service (KMS). You can view the key and audit its usage, but you cannot delete or disable it.
- Customer-managed key
  This option gives you full control over the encryption key. You use a customer-managed key in KMS to encrypt and decrypt your file system. If you disable or delete this key, the file system it encrypts becomes inaccessible, because the data key can no longer be unwrapped. Before you disable a CMK or schedule it for deletion, confirm that no file system still depends on it. You can obtain a customer-managed key in one of the following two ways:
  - Create a key in KMS: You can create a customer master key (CMK) directly in KMS. This lets you manage the key's lifecycle, including enabling, disabling, deleting, and rotating the key.
  - Use bring your own key (BYOK): To meet specific security and compliance requirements, you can import key material from your on-premises environment or another source into KMS and use it as a CMK. For more information, see Import key material.
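The envelope encryption flow described above, and the reason a disabled or deleted customer-managed key makes the data unreadable, can be seen end to end in the following added example. It is illustration code written for this page, not NAS or KMS code: the CMK type, the Wrap/Unwrap methods, the key ID "key-1234" and the object layout are all constructed stand-ins for what KMS and the storage layer do internally. The data key is generated per object, encrypts the contents with AES-256-GCM, and is then wrapped by the master key; only the wrapped copy is persisted, so once the master key refuses to unwrap it, the ciphertext stays inert.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CMK is a constructed stand-in for a KMS customer master key. Real KMS never
// hands out the key bytes; it only wraps and unwraps data keys on request.
type CMK struct {
	ID      string
	Enabled bool
	Key     []byte // 32 bytes, so AES-256
}

var ErrKeyUnavailable = errors.New("kms: key is disabled or scheduled for deletion")

// EncryptedObject is what gets persisted: ciphertext plus the CMK-wrapped data
// key. The plaintext data key is never written down.
type EncryptedObject struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // entropy failure is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh 12-byte nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; the GCM tag check rejects any change to data or AAD.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap stand in for the KMS Encrypt/Decrypt calls on the CMK. The key
// ID is bound as AAD, so a wrapped data key cannot be presented under another CMK.
func (c *CMK) Wrap(dataKey []byte) ([]byte, error) {
	if !c.Enabled {
		return nil, ErrKeyUnavailable
	}
	return seal(c.Key, dataKey, []byte(c.ID))
}
func (c *CMK) Unwrap(wrapped []byte) ([]byte, error) {
	if !c.Enabled {
		return nil, ErrKeyUnavailable
	}
	return unseal(c.Key, wrapped, []byte(c.ID))
}

// Encrypt generates a one-off AES-256 data key, encrypts the data with it, and
// keeps only the CMK-wrapped copy of that key next to the ciphertext.
func Encrypt(master *CMK, plaintext []byte) (*EncryptedObject, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := master.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{KeyID: master.ID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt has to unwrap the data key through KMS first. If the CMK is disabled
// or gone, that step fails and the ciphertext stays unreadable.
func Decrypt(master *CMK, obj *EncryptedObject) ([]byte, error) {
	dek, err := master.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, obj.Ciphertext, nil)
}
```

Setting Enabled to false on the CMK models disabling the key or scheduling its deletion in KMS: Encrypt still succeeded earlier, the stored object is unchanged, but Decrypt now fails at the Unwrap step. Binding the key ID as AAD also means a wrapped data key copied from one CMK's object cannot be unwrapped by a different CMK, which is the behaviour you want when keys are rotated or replaced.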
Procedure
When you create a file system in the NAS console, set the Encryption Type parameter to NAS-managed Key or customer-managed key depending on your use case. For detailed instructions, see Create a General-purpose NAS file system and Create an Extreme NAS file system.
Supported regions
- General-purpose NAS: Available in all regions.
- Extreme NAS: Available in all regions except China East 1 Finance.
Related topics
Server-side encryption protects data at rest only. General-purpose NAS also supports encryption in transit to protect your data as it moves between your clients and the file system. You enable this feature when you mount a file system; it prevents the data from being read or altered on the network path. For more information, see Encryption in transit for NFS file systems or Encryption in transit for SMB file systems.