Change the server-side encryption method for an existing file share - Amazon Storage Gateway

Change the server-side encryption method for an existing file share

The following procedure describes how to change the server-side encryption method for an existing NFS or SMB file share using the Storage Gateway console. To perform this action using the Storage Gateway API, see UpdateNFSFileShare or UpdateSMBFileShare in the Amazon Storage Gateway API Reference.

Note

Updating the encryption method applies the new method to existing objects stored in the Amazon S3 buckets after the update.

If you configure your File Gateway to use SSE-KMS for encryption, you must manually add kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey, and kms:DescribeKey permissions to the IAM role associated with the file share. For more information, see Using Identity-Based Policies (IAM Policies) for Storage Gateway.

To change the server-side encryption method for an NFS or SMB file share
  1. Open the Storage Gateway console at https://console.amazonaws.cn/storagegateway/home.

  2. Choose File shares, and then choose the file share for which you want to change the encryption method.

  3. For Actions, choose Edit file share encryption.

  4. For Encryption, choose the type of encryption you want to use for files at rest in Amazon S3:

    • To use server-side encryption managed with Amazon S3 (SSE-S3), choose S3-Managed Keys (SSE-S3). For more information, see Using server-side encryption with Amazon S3 managed keys in the Amazon Simple Storage Service User Guide.

    • To use server-side encryption managed with Amazon Key Management Service (SSE-KMS), choose KMS-Managed Keys (SSE-KMS). For Primary KMS key, choose an existing Amazon KMS key, or choose Create a new KMS key to create a new KMS key in the Amazon Key Management Service (Amazon KMS) console.

      For more information about Amazon KMS, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

    • To use dual-layer server-side encryption managed with Amazon Key Management Service (DSSE-KMS), choose Dual-layer server-side encryption with Amazon Key Management Service keys (DSSE-KMS). For Primary KMS key, choose an existing Amazon KMS key, or choose Create a new KMS key to create a new KMS key in the Amazon Key Management Service (Amazon KMS) console.

      For more information about DSSE-KMS, see Using dual-layer server-side encryption with Amazon KMS keys in the Amazon Simple Storage Service User Guide.

      Note

      There are additional charges for using DSSE-KMS and Amazon KMS keys. For more information, see Amazon KMS pricing.

      To specify an Amazon KMS key with an alias that is not listed or to use an Amazon KMS key from a different Amazon account, you must use the Amazon Command Line Interface. Asymmetric KMS keys are not supported. For more information, see CreateSMBFileShare in the Amazon Storage Gateway API Reference.

  5. Choose Save changes when finished.
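
Before switching a file share to SSE-KMS, it helps to confirm that the identity-based policy on the file share's IAM role grants the KMS permissions listed in the note above for the chosen key. The following check is an added example, not code from the Storage Gateway documentation; the function names, the key ARN, and both sample policies are constructed for illustration, and only the policy document passed in is evaluated (key policies and cross-account grants are out of scope).

```python
import re

# Actions the page lists for SSE-KMS; kms:ReEncrypt* is expanded to the two
# concrete KMS actions it covers so narrower grants are judged correctly.
REQUIRED = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
            "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:DescribeKey")

# Constructed sample values (placeholder account and key id).
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": KEY_ARN}]}
COMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey", "kms:DescribeKey"],
    "Resource": KEY_ARN}]}

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, key_arn):
    # NotAction and NotResource statements are treated as not matching, and
    # Condition blocks are ignored; review statements that use them by hand.
    return (any(_iam_match(p, action, True) for p in _as_list(stmt.get("Action")))
            and any(_iam_match(p, key_arn) for p in _as_list(stmt.get("Resource"))))

def missing_kms_actions(policy, key_arn):
    """Return the required actions the policy does not effectively allow."""
    stmts = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED:
        # Effects of every statement that applies to this action and key.
        effects = {s.get("Effect") for s in stmts if _covers(s, action, key_arn)}
        if "Deny" in effects or "Allow" not in effects:  # explicit Deny wins
            missing.append(action)
    return missing

if __name__ == "__main__":
    print("incomplete policy is missing:", missing_kms_actions(INCOMPLETE_POLICY, KEY_ARN))
```

An empty list means the role's policy covers every permission the note requires for that key; any action returned should be added to the role before saving the new encryption setting.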