Creating an Encrypted File System

You can create an encrypted file system using the AWS Management Console, AWS CLI, Amazon EFS API, or AWS SDKs. You can only enable encryption for a file system when you create it.

Amazon EFS integrates with AWS KMS for key management and uses a CMK to encrypt the file system. File system metadata, such as file names, directory names, and directory contents, are encrypted and decrypted using an AWS managed CMK.

The contents of your files, or file data, is encrypted and decrypted using a CMK that you choose. The CMK can be one of three types:

Your organization might be subject to corporate or regulatory policies that require complete control in terms of creation, rotation, deletion as well as the access control and usage policy for the CMKs. If so, we recommend that you use a customer managed CMK. In other scenarios, you can use an AWS managed CMK.

All users have an AWS-managed CMK for Amazon EFS, whose alias is aws/elasticfilesystem. AWS manages this CMK’s key policy and you cannot change it. There is no cost for creating and storing AWS managed CMKs.

If you decide to use a customer managed CMK to encrypt your file system, select the key alias of the customer managed CMK that you own. Alternatively, you can enter the Amazon Resource Name (ARN) of a customer managed CMK that is owned by a different account. With a customer managed CMK that you own, you control which users and services can use the key through key policies and key grants.

You also control the life span and rotation of these keys by choosing when to disable, re-enable, delete, or revoke access to them. For information about managing access to keys in other AWS accounts, see Changing a key policy in the AWS KMS Developer Guide.

For more information about how to manage customer managed CMKs, see KMS keys (formerly CMKs) in the AWS KMS Developer Guide.

The following sections discuss how to create an encrypted file system using the AWS Management Console and using the AWS CLI.