Data encryption
To enhance data security and compliance in the Cloud File System (CFS), CFS supports file system encryption. When enabled, CFS encrypts data written to the file system and automatically decrypts it when users read the data. This document details the usage limitations, encryption methods, and operations related to file system encryption.
Prerequisites
File system encryption relies on the KMS service, which is a paid product; read the KMS Billing Instructions carefully before use. Before using KMS for data encryption for the first time, activate the KMS service, create a key in KMS, and authorize CFS to access the KMS key.
Usage restrictions
- File system encryption can only be enabled during the creation of a CFS file system.
- Currently, once encryption is enabled on a CFS file system, it cannot be disabled.
- The file system encryption feature is available only in the Beijing, Guangzhou, and Suzhou regions.
Encryption method
If you have high security and compliance requirements for data stored in CFS, we recommend enabling file system encryption. File system encryption keys support common industry-standard encryption algorithms such as AES, RSA, SM1, SM2, and SM4. The keys are generated and managed by KMS. KMS is a security management service that complies with national requirements by using HSM devices to securely store keys, maximizing the confidentiality, integrity, and availability of the keys. For more information, refer to Baidu AI Cloud Key Management Service.
Operation types
Enable file system encryption
- When creating a file system in the CFS file system console, enable file system encryption.
- Select an enabled KMS key and click OK to create an encrypted file system.

Key change
If you need to change the KMS key for an encrypted file system, modify it on the basic information page of the corresponding CFS file system.

