SFS provides you with the encryption function. You can encrypt you data on the newly created file systems if needed.
Keys for encrypting file systems are provided by KMS, which is secure and convenient. You do not need to establish and maintain key management infrastructure. If you want to use your own key material, you can use the key import function on KMS Console to create a CMK whose key material is empty, and import the key material to the CMK. For details, see "Importing a Key" in the Key Management Service User Guide.
The keys provided by KMS include a Default Master Key and Customer Master Keys (CMKs).
The Default Master Key cannot be disabled and does not support scheduled deletion.
If the user master key used by the encrypted file system is disabled or planned to be deleted, the file system can only be used within a certain period of time (60s by default). Perform this operation with caution.
For a tenant, as long as the KMS access rights have been granted to SFS, all the users in the same region can directly use the encryption function.
If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.