Encrypting File Data with Amazon Elastic File System: Encryption of Data at Rest & in Transit
AWS Whitepaper

Publication date: April 2018

Abstract

In today’s world of cybercrime, hacking attacks, and the occasional security breach, securing data has become increasingly important to organizations. Government regulations and industry or company compliance policies may require data of different classifications to be secured by using proven encryption policies, cryptographic algorithms, and proper key management. This paper outlines best practices for encrypting shared file systems on AWS using Amazon Elastic File System (Amazon EFS).

Introduction

Amazon Elastic File System (Amazon EFS) provides simple, scalable, highly available, and highly durable shared file systems in the cloud. The file systems you create using Amazon EFS are elastic, allowing them to grow and shrink automatically as you add and remove data. They can grow to petabytes in size, distributing data across an unconstrained number of storage servers in multiple Availability Zones. Data stored in these file systems can be encrypted at rest and in transit using Amazon EFS. For encryption of data at rest, you can create encrypted file systems through the AWS Management Console or the AWS Command Line Interface (AWS CLI), or programmatically through the Amazon EFS API or one of the AWS SDKs. Amazon EFS integrates with AWS Key Management Service (AWS KMS) for key management. You can also enable encryption of data in transit by mounting the file system and transferring all NFS traffic over an encrypted Transport Layer Security (TLS) tunnel.

This paper outlines best practices for encrypting shared file systems on AWS using Amazon EFS. It describes how to enable encryption of data in transit at the client connection layer, and how to create an encrypted file system in the AWS Management Console and in the AWS CLI. Using the APIs and SDKs to create an encrypted file system is outside the scope of this paper, but you can learn more about how this is done by reading Amazon EFS API in the Amazon EFS User Guide or the SDK documentation.
