Amazon FSx File Gateway documentation has been moved to What is Amazon FSx File Gateway?
Volume Gateway documentation has been moved to What is Volume Gateway?
Tape Gateway documentation has been moved to What is Tape Gateway?
Data encryption using AWS KMS
Storage Gateway uses SSL/TLS (Secure Socket Layers/Transport Layer Security) to encrypt data that is transferred between your gateway appliance and AWS storage. By default, Storage Gateway uses Amazon S3-Managed encryption keys (SSE-S3) to server-side encrypt all data it stores in Amazon S3. You have an option to use the Storage Gateway API to configure your gateway to encrypt data stored in the cloud using server-side encryption with AWS Key Management Service (SSE-KMS) keys.
Encrypting a file share
For a file share, you can configure your gateway to encrypt your objects with AWS KMS–managed keys by using SSE-KMS. For information on using the Storage Gateway API to encrypt data written to a file share, see CreateNFSFileShare in the AWS Storage Gateway API Reference.
When using AWS KMS to encrypt your data, keep the following in mind:
-
Your data is encrypted at rest in the cloud. That is, the data is encrypted in Amazon S3.
-
IAM users must have the required permissions to call the AWS KMS API operations. For more information, see Using IAM policies with AWS KMS in the AWS Key Management Service Developer Guide.
Important
When you use an AWS KMS key for server-side encryption, you must choose a symmetric key. Storage Gateway does not support asymmetric keys. For more information, see Using symmetric and asymmetric keys in the AWS Key Management Service Developer Guide.
For more information about AWS KMS, see What is AWS Key Management Service?
