Encrypting data in transit - Amazon Elastic File System

Encrypting data in transit

To encrypt data in transit for an Amazon EFS file system, enable Transport Layer Security (TLS) when you mount the file system with the Amazon EFS mount helper (provided by the amazon-efs-utils package). Encryption in transit is a property of each mount, not of the file system: a client that mounts without the tls option exchanges NFS traffic with the file system in plaintext. For more information, see Using the EFS mount helper to mount EFS file systems.

When encryption of data in transit is requested as a mount option, the mount helper starts a client stunnel process. Stunnel is an open source, general-purpose TLS network relay. The stunnel process listens on a localhost port, and the mount helper points the Network File System (NFS) client at that port instead of at the file system's endpoint, so the kernel NFS traffic never leaves the instance unencrypted. Stunnel then forwards it to the file system over TLS version 1.2. Because this is a client-side setting, enforce it on the file system side as well if plaintext mounts must not be allowed: an EFS file system policy can deny access unless the aws:SecureTransport condition is true.

To mount your Amazon EFS file system with the mount helper with encryption of data in transit enabled
  1. Access the terminal for your instance through Secure Shell (SSH), and log in with the appropriate user name. For more information on how to do this, see Connecting to Your Linux Instance Using SSH in the Amazon EC2 User Guide for Linux Instances.

  2. Run the following command to mount your file system. Replace fs-12345678 with your file system ID and /mnt/efs with an existing, empty mount point.

    sudo mount -t efs -o tls fs-12345678:/ /mnt/efs
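The procedure above ends at the mount command. The following shell script is an added example, not part of the AWS documentation, that wraps the same mount command, gives the equivalent /etc/fstab entry, and adds the check a practitioner wants afterwards: reading the output of `mount` to confirm that the NFS client is talking to the local stunnel listener (server shown as 127.0.0.1) rather than directly to the EFS endpoint. It assumes amazon-efs-utils is installed; fs-12345678, /mnt/efs and /mnt/plain are placeholders, and the `mount` output embedded in the script is constructed for the offline demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the AWS documentation). Assumes amazon-efs-utils is
# installed so that "mount -t efs" works; file system IDs and mount points are
# placeholders.

# Mount command for an encrypted-in-transit mount. Omitting "tls" gives a plain
# (unencrypted) NFSv4.1 mount straight to the file system endpoint.
efs_tls_mount_cmd() {
    # $1 = file system ID, $2 = mount point
    printf 'sudo mount -t efs -o tls %s:/ %s\n' "$1" "$2"
}

# Equivalent /etc/fstab entry so the encrypted mount survives a reboot.
# "_netdev" defers the mount until networking is up.
efs_tls_fstab_line() {
    printf '%s:/ %s efs _netdev,tls 0 0\n' "$1" "$2"
}

# Read "mount" output on stdin and look up the nfs4 entry for mount point $1.
# Returns 0 if the NFS server in that entry is 127.0.0.1, meaning the kernel
# client is connected to the local stunnel process (traffic is wrapped in TLS
# before it leaves the instance); returns 1 if the client is connected directly
# to a remote endpoint (plaintext NFS); returns 2 if nothing is mounted there.
efs_mount_is_tunneled() {
    mp="$1"
    line=$(grep -F " on $mp type nfs4 " | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample "mount" output for an offline run (not captured from a
# real host): one TLS mount via stunnel and one direct plaintext mount.
SAMPLE_MOUNT_OUTPUT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
127.0.0.1:/ on /mnt/efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20049,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
fs-12345678.efs.us-east-1.amazonaws.com:/ on /mnt/plain type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.1.10,local_lock=none,addr=10.0.1.23)'

# Check a mount point against the sample output. On a real instance, run
# "mount | efs_mount_is_tunneled /mnt/efs" instead.
check_sample() {
    printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | efs_mount_is_tunneled "$1"
}

# Demo: print the commands and verdicts for the two sample mount points.
efs_tls_mount_cmd fs-12345678 /mnt/efs
efs_tls_fstab_line fs-12345678 /mnt/efs
for mp in /mnt/efs /mnt/plain; do
    if check_sample "$mp"; then
        echo "$mp: NFS traffic goes through the local stunnel TLS tunnel"
    else
        echo "$mp: WARNING, direct NFS mount, data in transit is not encrypted"
    fi
done
```

The check deliberately looks at what the kernel reports rather than at whether a stunnel process exists: a stunnel process left over from another mount proves nothing about the mount you care about, whereas a server address of 127.0.0.1 on the specific mount point does.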