Amazon Elastic File System
User Guide

Encrypting Data and Metadata at Rest

If you create an encrypted file system, its data and metadata are encrypted at rest. You choose whether to enable encryption when you create the file system, and you can't change that setting afterward. To encrypt the data and metadata of an existing unencrypted Amazon EFS file system, create a new encrypted file system and copy the data from the existing file system onto the new one.

Like unencrypted file systems, encrypted file systems can be created through the AWS Management Console, the AWS CLI, or programmatically through the Amazon EFS API or one of the AWS SDKs.

Note

The AWS key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms. The infrastructure is consistent with the key management recommendations in National Institute of Standards and Technology (NIST) Special Publication 800-57.

When to Use Encryption

If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating an encrypted file system.

Encrypting a File System Using the Console

You can choose to enable encryption for a file system when you create it. The following procedure describes how to enable encryption for a new file system when you create it from the console.

To encrypt a new file system on the console

  1. Open a web browser and navigate to the AWS Management Console for Amazon EFS.

  2. Choose Create file system to open the file system creation wizard.

  3. For Step 1: Configure file system access, choose your VPC, create your mount targets, and then choose Next Step.

  4. For Step 2: Configure optional settings, add any tags, choose your performance mode, select the option to encrypt your file system (and, if you don't want the default AWS-managed key, the KMS key to use), and then choose Next Step.

  5. For Step 3: Review and create, review your settings and choose Create File System.

You've now created a new encrypted file system.
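The same result can be produced programmatically, which is also the only way to audit the encryption setting across many file systems after the fact (because the setting is immutable, the audit is what tells you which file systems must be recreated and migrated). The following is an added example, not code from the Amazon EFS User Guide. The request-building function produces the keyword arguments for the EFS CreateFileSystem API as boto3 exposes them (CreationToken, PerformanceMode, Encrypted, KmsKeyId, Tags); the audit reads the FileSystemId, Encrypted, and KmsKeyId fields of a DescribeFileSystems response. The account number, key ARNs, file system IDs, and the RecordingClient stand-in for boto3.client("efs") are constructed so the example runs offline.

```python
"""Create an encrypted Amazon EFS file system and audit existing ones.

Added example, not code from the Amazon EFS User Guide. The helpers build and
inspect the boto3-shaped request/response dicts; pass boto3.client("efs") as
the client for a live call, or the RecordingClient below to run offline.
"""
import uuid

# Constructed placeholders (not real resources).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"


def encrypted_file_system_request(kms_key_id=None, performance_mode="generalPurpose", tags=None):
    """Build the keyword arguments for EFS CreateFileSystem.

    Encrypted is always True because encryption can only be chosen at creation.
    Omitting KmsKeyId selects the AWS-managed key for EFS; passing a
    customer-managed key ID, ARN, or alias selects that key instead.
    """
    request = {
        "CreationToken": uuid.uuid4().hex,  # idempotency token (API limit: 64 chars)
        "PerformanceMode": performance_mode,
        "Encrypted": True,
    }
    if kms_key_id:
        request["KmsKeyId"] = kms_key_id
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def create_encrypted_file_system(efs_client, **kwargs):
    """Create the file system and return its FileSystemId."""
    response = efs_client.create_file_system(**encrypted_file_system_request(**kwargs))
    return response["FileSystemId"]


def audit_file_systems(describe_response, allowed_key_arns=None):
    """Classify each file system in a DescribeFileSystems response.

    UNENCRYPTED    - no encryption at rest; the only remedy is to create an
                     encrypted file system and copy the data over.
    UNEXPECTED_KEY - encrypted, but not with one of the approved keys.
    OK             - encrypted with an approved key (any key if none are listed).
    """
    findings = {}
    for fs in describe_response["FileSystems"]:
        if not fs.get("Encrypted", False):
            findings[fs["FileSystemId"]] = "UNENCRYPTED"
        elif allowed_key_arns and fs.get("KmsKeyId") not in allowed_key_arns:
            findings[fs["FileSystemId"]] = "UNEXPECTED_KEY"
        else:
            findings[fs["FileSystemId"]] = "OK"
    return findings


# Constructed sample, shaped like a DescribeFileSystems response.
SAMPLE_DESCRIBE_RESPONSE = {
    "FileSystems": [
        {"FileSystemId": "fs-0a1b2c3d", "Encrypted": True, "KmsKeyId": CMK_ARN},
        {"FileSystemId": "fs-1b2c3d4e", "Encrypted": True, "KmsKeyId": AWS_MANAGED_ARN},
        {"FileSystemId": "fs-2c3d4e5f", "Encrypted": False},
    ]
}


class RecordingClient:
    """Offline stand-in for boto3.client("efs"): records the request it receives
    and answers with a constructed FileSystemId."""

    def __init__(self):
        self.last_request = None

    def create_file_system(self, **request):
        self.last_request = request
        return {"FileSystemId": "fs-0f1e2d3c", "Encrypted": request["Encrypted"]}


if __name__ == "__main__":
    client = RecordingClient()  # replace with boto3.client("efs") for a live call
    print("created", create_encrypted_file_system(client, kms_key_id=CMK_ARN, tags={"Name": "secrets"}))
    print("sent", client.last_request)
    for fs_id, status in audit_file_systems(SAMPLE_DESCRIBE_RESPONSE, {CMK_ARN}).items():
        print(fs_id, status)
```

Passing the approved key ARNs to the audit is what distinguishes "encrypted" from "encrypted with the key our policy controls": a file system encrypted with the AWS-managed key is reported as UNEXPECTED_KEY, because you can't restrict or revoke that key's policy yourself.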

How Encryption Works with Amazon EFS

In an encrypted file system, data and metadata are automatically encrypted before being written to the file system. Similarly, as data and metadata are read, they are automatically decrypted before being presented to the application. These processes are handled transparently by Amazon EFS, so you don’t have to modify your applications.

Amazon EFS uses the industry-standard AES-256 encryption algorithm to encrypt EFS data and metadata. For more information, see Cryptography Basics in the AWS Key Management Service Developer Guide.

How Amazon EFS Uses AWS KMS

Amazon EFS integrates with AWS Key Management Service (AWS KMS) for key management. Amazon EFS uses customer master keys (CMKs) to encrypt your file system in the following way:

  • Encrypting metadata – An EFS-managed key is used to encrypt and decrypt file system metadata (that is, file names, directory names, and directory contents). You don't choose or manage this key.

  • Encrypting file data – You choose the CMK used to encrypt and decrypt file data (that is, the contents of your files). You can enable, disable, or revoke grants on this CMK. This CMK can be one of the two following types:

    • AWS-managed CMK – This is the default CMK, used when you don't specify a key (its alias is aws/elasticfilesystem). There is no charge for the key itself, but you can't change its key policy.

    • Customer-managed CMK – This is the most flexible master key to use, because you can configure its key policies and grants for multiple users or services. For more information on creating CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

      If you use a customer-managed CMK as your master key for file data encryption and decryption, you can enable key rotation. When you enable key rotation, AWS KMS automatically rotates your key once per year. Rotation doesn't re-encrypt data already written: AWS KMS keeps the earlier key material so that existing ciphertext can still be decrypted. Additionally, with a customer-managed CMK, you can choose when to disable, re-enable, delete, or revoke access to your CMK at any time. For more information, see Disabling, Deleting, or Revoking Access to the CMK for a File System.

Data encryption and decryption are handled transparently. However, AWS account IDs specific to Amazon EFS appear in your AWS CloudTrail logs for the AWS KMS actions that EFS performs on your behalf. For more information, see Amazon EFS Log File Entries for Encrypted File Systems.

Amazon EFS Key Policies for AWS KMS

Key policies are the primary way to control access to CMKs. For more information on key policies, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide. The following list describes all the AWS KMS-related permissions required by Amazon EFS for encrypted file systems:

  • kms:Decrypt – Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted.

  • kms:GenerateDataKeyWithoutPlaintext – Returns a data encryption key encrypted under a CMK.

  • kms:CreateGrant – Adds a grant to a key to specify who can use the key and under what conditions. Grants are alternate permission mechanisms to key policies. For more information on grants, see Using Grants in the AWS Key Management Service Developer Guide.

  • kms:DescribeKey – Provides detailed information about the specified customer master key.

  • kms:ListAliases – Lists all of the key aliases in the account. This permission isn't used by Amazon EFS itself; the console calls it to populate the list of keys you can choose from, so grant it to the users who create encrypted file systems from the console.
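A customer-managed CMK's key policy is the first thing to check when file system creation fails or when a file system becomes unreadable: the four actions above must be allowed for the IAM principal on whose behalf EFS calls KMS, which is what the kms:ViaService condition key matches. The following is an added example, not code from the User Guide: a deliberately simplified IAM-style evaluator (Allow/Deny, Action wildcards, AWS principals, and the kms:ViaService condition only) that reports which EFS-required actions a policy fails to grant. The account number, role name, and sample policy are constructed; the EFS service name for kms:ViaService is assumed to follow the elasticfilesystem.<region>.amazonaws.com form for the us-east-1 region. Conditions the checker doesn't model are treated conservatively (they never satisfy an Allow and always satisfy a Deny), so it under-reports access rather than over-reporting it.

```python
"""Check that a KMS key policy grants the permissions Amazon EFS needs.

Added example, not code from the Amazon EFS User Guide. A simplified IAM-style
evaluation: explicit Deny wins, otherwise at least one matching Allow is
required. Only the kms:ViaService StringEquals condition is modeled.
"""
import fnmatch

# The four actions the guide lists as required by EFS itself. kms:ListAliases is
# only needed by a person using the console, so it is not checked here.
EFS_REQUIRED_ACTIONS = frozenset({
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
    "kms:DescribeKey",
})

# Constructed identifiers (not real resources); the region in the service name is assumed.
ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/efs-app"
EFS_VIA_SERVICE = "elasticfilesystem.us-east-1.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))


def _action_matches(statement, action):
    # IAM action patterns support '*' wildcards, e.g. "kms:*" or "kms:Generate*".
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement.get("Action", [])))


def _condition_result(statement, via_service):
    """True/False when the condition is understood, None when it is not modeled."""
    condition = statement.get("Condition")
    if not condition:
        return True
    if set(condition) != {"StringEquals"} or set(condition["StringEquals"]) != {"kms:ViaService"}:
        return None
    allowed_services = _as_list(condition["StringEquals"]["kms:ViaService"])
    return via_service is not None and via_service in allowed_services


def is_action_allowed(policy, principal_arn, action, via_service=None):
    """Evaluate one action for one principal; via_service is the calling AWS service, if any."""
    allowed = False
    for statement in policy["Statement"]:
        if not (_principal_matches(statement, principal_arn) and _action_matches(statement, action)):
            continue
        cond = _condition_result(statement, via_service)
        if statement["Effect"] == "Deny" and cond in (True, None):
            return False  # explicit Deny (or a Deny we cannot rule out) wins
        if statement["Effect"] == "Allow" and cond is True:
            allowed = True
    return allowed


def missing_efs_permissions(policy, principal_arn, via_service=None):
    """Return the EFS-required actions the policy does not grant the principal."""
    return {a for a in EFS_REQUIRED_ACTIONS if not is_action_allowed(policy, principal_arn, a, via_service)}


# Constructed key policy: the app role is allowed to use the key through EFS but
# kms:CreateGrant was forgotten, so file system creation would be refused.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowEFSUseByAppRole", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": EFS_VIA_SERVICE}}},
    ],
}

if __name__ == "__main__":
    print("missing via EFS :", missing_efs_permissions(SAMPLE_KEY_POLICY, APP_ROLE, EFS_VIA_SERVICE))
    print("missing directly:", missing_efs_permissions(SAMPLE_KEY_POLICY, APP_ROLE))
    print("missing for root:", missing_efs_permissions(SAMPLE_KEY_POLICY, ROOT))
```

Run against the sample, the checker reports kms:CreateGrant missing for the role when called through EFS, and all four actions missing when the role calls KMS directly, which is exactly the scoping the kms:ViaService condition is meant to enforce: the role can use the key only as the file system's key, not for arbitrary Decrypt calls.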

Related Topics

For more information on encryption with Amazon EFS, see these related topics: