File System Encryption

SFS provides an encryption function. You can encrypt your data on newly created file systems if needed.

Keys for encrypting file systems are provided by KMS, which is secure and convenient. You do not need to establish and maintain your own key management infrastructure. If you want to use your own key material, you can use the key import function on the KMS console to create a CMK whose key material is empty, and then import the key material into the CMK. For details, see "Importing a Key" in the Key Management Service User Guide.

Encryption Key

The keys provided by KMS include a Default Master Key and Customer Master Keys (CMKs).

  • Default Master Key: SFS automatically creates a Default Master Key and names it sfs/default.

    The Default Master Key cannot be disabled and does not support scheduled deletion.

  • CMKs: Existing or newly created CMKs. For details, see "Creating a CMK" in the Key Management Service User Guide.

    If the CMK used by an encrypted file system is disabled or scheduled for deletion, the file system can be used only within a certain period of time (60s by default). Perform this operation with caution.

Who Has the Rights to Encrypt File Systems?

  • The security administrator (a user with the "Security Administrator" rights) can grant the KMS access rights for encryption.
  • A common user (a user without the "Security Administrator" rights) needs to contact the system administrator to obtain the "Security Administrator" rights.

For a tenant, once the KMS access rights have been granted to SFS, all users in the same region can use the encryption function directly.

If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.