Data encryption using Amazon KMS - Amazon Storage Gateway

Data encryption using Amazon KMS

Amazon FSx File Gateway supports SMB encryption up to the latest SMB v3.1.1 specification, including AES 128 CCM and AES 128 GCM. Compatible clients will connect using encryption automatically. Additionally, FSx File Gateway uses SMB encryption when it communicates with FSx for Windows File Server in Amazon. You must configure an Amazon Direct Connect link to Amazon, and set appropriate policies to allow SMB traffic and management traffic to pass through to Amazon.

Encrypting a file system

For information, see Data Encryption in Amazon FSx in the Amazon FSx for Windows File Server User Guide.

When using Amazon KMS to encrypt your data, keep the following in mind:

  • Your data is encrypted at rest in the cloud. That is, the data is encrypted in Amazon FSx.

  • IAM users must have the required permissions to call the Amazon KMS API operations. For more information, see Using IAM policies with Amazon KMS in the Amazon Key Management Service Developer Guide.

Important

When you use an Amazon KMS key for server-side encryption, you must choose a symmetric key. Storage Gateway does not support asymmetric keys. For more information, see Using symmetric and asymmetric keys in the Amazon Key Management Service Developer Guide.
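The symmetric-key requirement above can be checked before a key is assigned. The following is an added example, not code from the Amazon documentation: it inspects the `KeyMetadata` returned by the KMS `DescribeKey` operation. The sample metadata is constructed, the function names are hypothetical, and the `KeyState` check is an added assumption that the key must also be enabled to be usable.

```python
"""Pre-flight check that a KMS key is a symmetric encryption key."""

# Constructed DescribeKey "KeyMetadata" samples (not real keys or accounts).
SAMPLE_KEYS = {
    "symmetric": {"KeyId": "EXAMPLE-1", "KeySpec": "SYMMETRIC_DEFAULT",
                  "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    "rsa": {"KeyId": "EXAMPLE-2", "KeySpec": "RSA_2048",
            "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    "ecc_signing": {"KeyId": "EXAMPLE-3", "KeySpec": "ECC_NIST_P256",
                    "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
    "disabled": {"KeyId": "EXAMPLE-4", "KeySpec": "SYMMETRIC_DEFAULT",
                 "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Disabled"},
}


def key_problems(meta):
    """Return the reasons a key is unsuitable; an empty list means it passes."""
    problems = []
    spec = meta.get("KeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        # Asymmetric specs (RSA_*, ECC_*) are rejected here, per the note above.
        problems.append(f"key spec {spec!r} is not SYMMETRIC_DEFAULT")
    usage = meta.get("KeyUsage")
    if usage != "ENCRYPT_DECRYPT":
        problems.append(f"key usage {usage!r} is not ENCRYPT_DECRYPT")
    state = meta.get("KeyState")
    if state != "Enabled":
        # Assumption added by this example: only an enabled key is usable.
        problems.append(f"key state {state!r} is not Enabled")
    return problems


def fetch_key_metadata(key_id, region):
    """Fetch live metadata; needs boto3 and kms:DescribeKey permission."""
    import boto3  # imported lazily so the offline check runs without it
    client = boto3.client("kms", region_name=region)
    return client.describe_key(KeyId=key_id)["KeyMetadata"]


if __name__ == "__main__":
    for name, meta in SAMPLE_KEYS.items():
        found = key_problems(meta)
        print(name, "OK" if not found else "REJECT: " + "; ".join(found))
```

To check a real key, pass the result of `fetch_key_metadata(key_id, region)` to `key_problems` using credentials that are allowed to call `kms:DescribeKey`.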

For more information about Amazon KMS, see What is Amazon Key Management Service?