
Encryption Data Configuration

Amazon EFS encrypts data both in transit and at rest, so the data stays protected while it is stored and while it is being accessed. Amazon S3 Gateway can be used to mount volumes that map to S3 buckets; in that case encryption is handled by S3 itself and by the network protocol used to reach it.

Info

More information about the two methods mentioned above can be found here.

Encryption in transit

Protects the data while it is being moved from one place to another, so that it cannot be intercepted or read while it travels over a network.

Features

  • It applies whenever data moves between two systems, such as a computer and a cloud service, or between services within a cloud.
  • The data is encrypted during transmission using protocols such as TLS, so nobody can intercept and read it while it is being sent over a network.
  • The main goal is to protect data from interception while it is moving across a network.
  • Amazon EFS supports it through TLS, which ensures that the communication between the client (Kubernetes) and EFS is encrypted.

Info

To learn more about this topic, go to the Encrypting data in transit page in the Amazon Elastic File System User Guide.

Volumes

  • When using S3 Gateway, the data in transit between the application and the gateway is carried over NFS and may not be encrypted by default.
  • However, once the data is transferred from the gateway to Amazon S3, it is sent over HTTPS, which keeps it protected between the gateway and the S3 bucket.

Encryption at rest

Protects the data once it reaches its destination and is stored on a disk, in a database, or in the cloud. This ensures that someone who gains unauthorized access to the physical storage cannot read the data without the decryption keys.

Features

  • Amazon EFS encrypts the data at rest using AWS Key Management Service (AWS KMS).
  • Both data and metadata are encrypted with the AES-256 encryption algorithm.
  • It is possible to choose between an AWS managed key (the default) and a customer-managed key in AWS KMS for greater control over the encryption.
  • Encryption at rest is enabled when the EFS file system is created; from then on, all data written to the file system is encrypted.

Info

To learn more about this topic, go to the Encrypting data at rest page in the Amazon Elastic File System User Guide.

Volumes

  • Data stored in Amazon S3 is encrypted at rest using Server-Side Encryption (SSE). There are three main options:
    • SSE-S3 (Server-Side Encryption with S3-Managed Keys):
      • S3 automatically encrypts the data using AES-256 (Advanced Encryption Standard) without requiring user involvement.
      • AWS manages both the encryption and decryption processes. Suitable for use cases where simplicity and minimal configuration are required.
    • SSE-KMS (Server-Side Encryption with AWS KMS Keys):
      • Data is encrypted using keys managed by AWS KMS.
      • The user can control and audit the usage of the encryption keys.
      • It provides additional security features such as fine-grained permissions and key rotation.
    • SSE-C (Server-Side Encryption with Customer-Provided Keys):
      • The user provides the encryption keys that S3 uses when encrypting and decrypting data.
      • S3 does not store the encryption key, so it must be provided with each request.
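The at-rest settings for EFS and for S3 volumes described above can be audited from the API responses AWS already returns. The following is an added example, not code from the original page or from AWS: it takes the response dicts produced by boto3's `efs.describe_file_systems()` and `s3.get_bucket_encryption()` and classifies each resource, so it runs offline on captured output (here on constructed samples); the key ARNs, file system IDs and bucket names are made up.

```python
# Added example (not from the page): audit the settings above from the dicts
# boto3's efs.describe_file_systems() and s3.get_bucket_encryption() return,
# so it runs offline on captured responses (constructed samples below).

CMK = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-CMK"      # constructed
SAMPLE_FILE_SYSTEMS = [  # shape of describe_file_systems()["FileSystems"]
    {"FileSystemId": "fs-0000aaaa", "Encrypted": True, "KmsKeyId": CMK},
    {"FileSystemId": "fs-0000bbbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-AWS-MANAGED"},
    {"FileSystemId": "fs-0000cccc", "Encrypted": False},
]
SAMPLE_BUCKETS = {  # bucket -> get_bucket_encryption() response, or None when
    "logs-kms": {    # it raised ServerSideEncryptionConfigurationNotFoundError
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]}},
    "assets-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy": None,
}


def efs_findings(file_systems, approved_keys):
    """Map FileSystemId -> NOT_ENCRYPTED | APPROVED_KEY | UNAPPROVED_KEY."""
    findings = {}
    for fs in file_systems:
        if not fs.get("Encrypted"):
            # Chosen at creation time: the only remedy is a new encrypted
            # file system plus a data migration.
            findings[fs["FileSystemId"]] = "NOT_ENCRYPTED"
        elif fs.get("KmsKeyId") in approved_keys:
            findings[fs["FileSystemId"]] = "APPROVED_KEY"
        else:
            # The AWS managed key is reported as a KmsKeyId ARN as well, so
            # only an allowlist of approved key ARNs proves a customer key.
            findings[fs["FileSystemId"]] = "UNAPPROVED_KEY"
    return findings


def s3_default_sse(bucket_encryption):
    """Classify a bucket's default SSE as SSE-KMS, SSE-S3 or NONE."""
    if not bucket_encryption:
        return "NONE"
    rules = bucket_encryption["ServerSideEncryptionConfiguration"]["Rules"]
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    if any(a.startswith("aws:kms") for a in algos):  # aws:kms or aws:kms:dsse
        return "SSE-KMS"
    return "SSE-S3" if "AES256" in algos else "NONE"


def s3_findings(buckets):
    return {name: s3_default_sse(cfg) for name, cfg in buckets.items()}
```

SSE-C never appears in a bucket's default configuration because S3 keeps no key for it; it is only visible per request, so this check covers the two server-managed options.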