Data encryption using Amazon KMS
Storage Gateway uses SSL/TLS (Secure Socket Layers/Transport Layer Security) to encrypt data that is transferred between your gateway appliance and Amazon storage. By default, Storage Gateway uses Amazon S3-Managed encryption keys (SSE-S3) to server-side encrypt all data it stores in Amazon S3. You have an option to use the Storage Gateway API to configure your gateway to encrypt data stored in the cloud using server-side encryption with Amazon Key Management Service (SSE-KMS) keys.
Encrypting a file share
You can configure the file shares on your S3 File Gateway to encrypt stored objects with Amazon KMS–managed keys by using SSE-KMS or DSSE-KMS. For information about supported file share encryption methods, see Encrypt objects stored by File Gateway in Amazon S3.
When using Amazon KMS to encrypt your data, keep the following in mind:
-
Your data is encrypted at rest in the cloud. That is, the data is encrypted in Amazon S3.
-
IAM users must have the required permissions to call the Amazon KMS API operations. For more information, see Using IAM policies with Amazon KMS in the Amazon Key Management Service Developer Guide.
Important
When you use an Amazon KMS key for server-side encryption, you must choose a symmetric key. Storage Gateway does not support asymmetric keys. For more information, see Using symmetric and asymmetric keys in the Amazon Key Management Service Developer Guide.
For more information about Amazon KMS, see What is Amazon Key Management Service?