Encrypting Data in SFS

Overview

Scalable File Service (SFS) provides an encryption function. You can encrypt your data on newly created file systems if needed.

Keys used by encrypted EVS disks are provided by KMS, saving you the effort of building and maintaining key management infrastructure. To use your own key material, you can use the key import function on the KMS console to create a CMK whose key material is empty, and import your key material to the CMK. For details, see Importing Key Materials.

To use the file system encryption function, you need to authorize SFS to access KMS when creating an SFS file system. An SFS Turbo file system does not need authorization.

Who Has the Rights to Encrypt File Systems?

  • Security administrators (users having Security Administrator rights) can grant the KMS access rights to SFS for using disk encryption.
  • A common user who does not have the Security Administrator rights needs to contact the system administrator to grant them.

As long as the KMS access rights have been granted to SFS in a region, all users in the same region can directly use the disk encryption feature.

If there are multiple projects in the current region, the KMS access rights need to be granted to each project in this region.

File System Encryption Keys

The keys provided by KMS for SFS encrypted file systems include a Default Master Key and CMKs.

  • Default Master Key: A key that is automatically created and named sfs/default.

    The Default Master Key cannot be disabled and does not support scheduled deletion.

  • An existing or new CMK. For details about how to create one, see Creating a CMK.

    If the CMK used by the encrypted file system is disabled or scheduled for deletion, the file system can only be used within a certain period of time (60s by default). Perform this operation with caution.

The SFS Turbo file system does not have a Default Master Key. You can use an existing key or create one. For details, see Creating a CMK.

Using KMS to Encrypt a File System (on the Console)

When creating a file system using SFS, you can select Enable static data encryption. KMS will provide you with a key to encrypt the file system.

  1. On the SFS management console, click Create File System.
  2. Enable static encryption in the Encryption area.

    1. Create an agency.

      Select Enable static data encryption. If SFS is not authorized to access KMS, the Create Agency dialog box is displayed. In this case, click Yes to authorize it. After the authorization, SFS can obtain KMS keys to encrypt and decrypt disks.

      Before you use the encryption function, the KMS access rights must be granted to SFS. If you have the right to grant them, grant the KMS access rights to SFS directly. If you do not have the right, contact a user with the Security Administrator rights to grant the KMS access rights to SFS, then repeat the preceding operations.

    2. Set encryption parameters.
      Select Encrypt. If the authorization succeeded, the Encryption Setting dialog box is displayed.
      Figure 1 Encryption settings

      Select a key from the KMS key name drop-down list. You can select from the following keys:

      • Default Master Key. After the KMS access rights have been granted to SFS, the system automatically creates a Default Master Key named sfs/default.
      • An existing or new CMK. For details about how to create one, see Creating a CMK.

  3. Configure other parameters for the disk. For details about the parameters, see Create a File System.

Using KMS to Encrypt File Systems (Through an API)

You can call the required API of SFS to create an encrypted file system. For details, see Scalable File Service API Reference.