Data encryption using AWS KMS

Storage Gateway uses SSL/TLS (Secure Socket Layers/Transport Layer Security) to encrypt data that is transferred between your gateway appliance and AWS storage. By default, Storage Gateway uses Amazon S3-Managed encryption keys (SSE-S3) to server-side encrypt all data it stores in Amazon S3. You have an option to use the Storage Gateway API to configure your gateway to encrypt data stored in the cloud using server-side encryption with AWS Key Management Service (SSE-KMS) keys.

Encrypting a file share

You can configure the file shares on your S3 File Gateway to encrypt stored objects with AWS KMS–managed keys by using SSE-KMS or DSSE-KMS. For information about supported file share encryption methods, see Encrypt objects stored by File Gateway in Amazon S3.

When using AWS KMS to encrypt your data, keep the following in mind:

Your data is encrypted at rest in the cloud. That is, the data is encrypted in Amazon S3.
IAM users must have the required permissions to call the AWS KMS API operations. For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.

Important

When you use an AWS KMS key for server-side encryption, you must choose a symmetric key. Storage Gateway does not support asymmetric keys. For more information, see Using symmetric and asymmetric keys in the AWS Key Management Service Developer Guide.

For more information about AWS KMS, see What is AWS Key Management Service?

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data protection

Identity and access management