

# Change the server-side encryption method for an existing file share
<a name="edit-file-share-encryption"></a>

The following procedure describes how to change the server-side encryption method for an existing NFS or SMB file share using the Storage Gateway console. To perform this action using the Storage Gateway API, see [UpdateNFSFileShare](https://docs.amazonaws.cn/storagegateway/latest/APIReference/API_UpdateNFSFileShare.html) or [UpdateSMBFileShare](https://docs.amazonaws.cn/storagegateway/latest/APIReference/API_UpdateSMBFileShare.html) in the *Amazon Storage Gateway API Reference*.

**Note**  
Updating the encryption method applies the new method to existing objects stored in the Amazon S3 buckets after the update.  
If you configure your File Gateway to use SSE-KMS for encryption, you must manually add `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey`, and `kms:DescribeKey` permissions to the IAM role associated with the file share. For more information, see [Using Identity-Based Policies (IAM Policies) for Storage Gateway](https://docs.amazonaws.cn/filegateway/latest/files3/using-identity-based-policies.html).
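
The KMS permissions listed in the note above can be checked against the role's policy document before a share is switched to SSE-KMS. The following Python check is an added example, not taken from the AWS documentation; it expands `kms:ReEncrypt*` to `kms:ReEncryptFrom` and `kms:ReEncryptTo` and evaluates only `Effect`, `Action` and `Resource` of an identity-based policy (conditions, `NotAction` and the KMS key policy are not evaluated). The function names, key ARN and sample policy are constructed for illustration.

```python
import fnmatch

# Actions the note requires on the file share's IAM role for SSE-KMS.
# kms:ReEncrypt* is expanded to the two concrete KMS actions it covers.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
]


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _covers(stmt, action, resource_arn):
    """True if the statement's Action and Resource both match."""
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources))


def missing_kms_actions(policy, key_arn):
    """Return the required actions the policy does not grant on key_arn."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    missing = []
    for action in REQUIRED_KMS_ACTIONS:
        effects = {s.get("Effect") for s in stmts if _covers(s, action, key_arn)}
        # An explicit Deny overrides any Allow; no Allow means implicit deny.
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing


# Constructed sample: placeholder account ID and key ID, not real values.
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": KEY_ARN,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]},
        {"Effect": "Allow", "Action": "kms:Describe*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(missing_kms_actions(SAMPLE_POLICY, KEY_ARN))
```

An empty result means the policy grants every action from the note on that key; the sample policy is missing the two re-encrypt actions.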

**To change the server-side encryption method for an NFS or SMB file share**

1. Open the Storage Gateway console at [https://console.amazonaws.cn/storagegateway/home](https://console.amazonaws.cn/storagegateway/).

1. Choose **File shares**, and then choose the file share for which you want to change the encryption method.

1. For **Actions**, choose **Edit file share encryption**.

1. For **Encryption**, choose the type of encryption you want to use for files at rest in Amazon S3:
   + To use server-side encryption managed with Amazon S3 (SSE-S3), choose **S3-Managed Keys (SSE-S3)**. For more information, see [Using server-side encryption with Amazon S3 managed keys](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingServerSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.
   + To use server-side encryption managed with Amazon Key Management Service (SSE-KMS), choose **KMS-Managed Keys (SSE-KMS)**. For **Primary KMS key**, choose an existing Amazon KMS key, or choose **Create a new KMS key** to create a new KMS key in the Amazon Key Management Service (Amazon KMS) console.

     For more information about Amazon KMS, see [What is Amazon Key Management Service?](https://docs.amazonaws.cn/kms/latest/developerguide/overview.html) in the *Amazon Key Management Service Developer Guide*.
   + To use dual-layer server-side encryption managed with Amazon Key Management Service (DSSE-KMS), choose **Dual-layer server-side encryption with Amazon Key Management Service keys (DSSE-KMS)**. For **Primary KMS key**, choose an existing Amazon KMS key, or choose **Create a new KMS key** to create a new KMS key in the Amazon Key Management Service (Amazon KMS) console.

     For more information about DSSE-KMS, see [Using dual-layer server-side encryption with Amazon KMS keys](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingDSSEncryption.html) in the *Amazon Simple Storage Service User Guide*.

   **Note**  
   There are additional charges for using DSSE-KMS and Amazon KMS keys. For more information, see [Amazon KMS pricing](https://aws.amazon.com/kms/pricing/).  
   To specify an Amazon KMS key with an alias that is not listed or to use an Amazon KMS key from a different Amazon account, you must use the Amazon Command Line Interface. Asymmetric KMS keys are not supported. For more information, see [CreateSMBFileShare](https://docs.amazonaws.cn/storagegateway/latest/APIReference/API_CreateSMBFileShare.html) in the *Amazon Storage Gateway API Reference*.

1. Choose **Save changes** when finished.