Managing encryption in transit - Amazon FSx for Windows File Server
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing encryption in transit

You can use a set of custom PowerShell commands to control the encryption of your data in transit between your FSx for Windows File Server file system and clients. You can limit file system access to only clients supporting SMB encryption so that data-in-transit is always encrypted. When enforcement is turned on for encryption of data-in-transit, users accessing the file system from clients that do not support SMB 3.0 encryption will not be able to access file shares for which encryption is turned on.

You can also control encryption of data-in-transit on a file share-level instead of file server-level. You can use file share-level encryption controls to have a mix of encrypted and unencrypted file shares on the same file system if you want to enforce encryption in-transit for some file shares that have sensitive data, and allow all users to access some other file shares. Server-wide encryption has precedence over share level encryption. If global encryption is enabled, you cannot selectively disable encryption for certain shares.

You can manage user in-transit encryption on your file system using the Amazon FSx CLI for remote management on PowerShell. To learn how to use this CLI, see Getting started with the Amazon FSx CLI for remote management on PowerShell.

Following are commands that you can use to manage user in-transit encryption on your file system.

Encryption in Transit Command Description

Get-FSxSmbServerConfiguration

Retrieves the Server Message Block (SMB) server configuration.

Set-FSxSmbServerConfiguration

This command has two options for configuring in-transit encryption:

  • -EncryptData $True|$False – Set this parameter to True to turn on in-transit data encryption. Set this parameter to False to turn off in-transit data encryption.

  • -RejectUnencryptedAccess $True|$False – Set this parameter to True to allow access to clients that do not support encryption. Set this parameter to False to disallow access to clients that do not support encryption.

The online help for each command provides a reference of all command options. To access this help, run the command with -?, for example Get-FSxSmbServerConfiguration -?.