Description:

With Amazon FSx for Lustre, you can take automatic daily backups and user-initiated backups of persistent file systems that are not linked to an Amazon S3 durable data repository. Amazon FSx backups are file-system-consistent, highly durable, and incremental. To ensure high durability, Amazon FSx for Lustre stores backups in Amazon Simple Storage Service (Amazon S3) with 99.999999999% (11 9's) durability.


Rationale: 

Encrypting the stored data adds a layer of security that is always beneficial. It is particularly appropriate when an organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest.


Impact: 

The data on the FSx for Lustre storage is encrypted such that data and metadata are automatically encrypted before being written to the file system. Similarly, as data and metadata are read, they are automatically decrypted before being presented to the application.

Audit: 

  1. Sign in to the AWS Management Console.

  2. Go to the Amazon FSx service at https://console.aws.amazon.com/fsx/.

  3. Click on Backups in the left navigation pane.

  4. Click on the name of the Backup you want to examine.

  5. In the Summary panel, check that a KMS Key ID is shown; its presence means the backup is encrypted with that particular key.
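The same check can be scripted against the output of `aws fsx describe-backups`, which reports the `KmsKeyId` the console shows in the Summary panel. This is an added example, not part of the CIS text or an AWS-provided tool; the backup IDs, file system IDs and key ARN in the embedded sample are constructed placeholders.

```python
"""Audit FSx for Lustre backups for a KMS Key ID (added example, not CIS or AWS code)."""
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape returned by `aws fsx describe-backups`.
# All IDs and the key ARN are placeholders, not real resources.
SAMPLE_DESCRIBE_BACKUPS = json.dumps({
    "Backups": [
        {"BackupId": "backup-0123456789abcdef0", "Lifecycle": "AVAILABLE",
         "Type": "AUTOMATIC",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "FileSystem": {"FileSystemId": "fs-0123456789abcdef0", "FileSystemType": "LUSTRE"}},
        {"BackupId": "backup-0fedcba9876543210", "Lifecycle": "AVAILABLE",
         "Type": "USER_INITIATED",
         "FileSystem": {"FileSystemId": "fs-0fedcba9876543210", "FileSystemType": "LUSTRE"}},
    ]
})


def audit_backups(describe_backups_json: str) -> List[Dict[str, str]]:
    """Return one finding per Lustre backup: PASS when a KMS Key ID is present, FAIL otherwise."""
    findings = []
    for backup in json.loads(describe_backups_json).get("Backups", []):
        fs = backup.get("FileSystem", {})
        if fs.get("FileSystemType") != "LUSTRE":
            continue  # this recommendation covers FSx for Lustre backups only
        key_id = backup.get("KmsKeyId")
        findings.append({
            "BackupId": backup["BackupId"],
            "FileSystemId": fs.get("FileSystemId", ""),
            "Type": backup.get("Type", ""),
            "KmsKeyId": key_id or "",
            "Status": "PASS" if key_id else "FAIL",
        })
    return findings


def fetch_describe_backups() -> str:
    """Run the CLI call that corresponds to the console steps; the filter limits results to Lustre."""
    return subprocess.check_output(
        ["aws", "fsx", "describe-backups",
         "--filters", "Name=file-system-type,Values=LUSTRE", "--output", "json"],
        text=True)


if __name__ == "__main__":
    try:
        raw = fetch_describe_backups()
    except (FileNotFoundError, subprocess.CalledProcessError):
        raw = SAMPLE_DESCRIBE_BACKUPS  # no AWS CLI or credentials: fall back to the sample
    for f in audit_backups(raw):
        print(f"{f['Status']:4} {f['BackupId']} {f['Type']:15} kms={f['KmsKeyId'] or '<none>'}")
```

Run it with AWS credentials that allow `fsx:DescribeBackups`; any backup reported as FAIL lacks the KMS Key ID the audit step looks for.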

Remediation: 

There are two parts to encrypting the FSx for Lustre storage – encryption at rest and in transit.

Encryption of data at rest is enabled by default when you create an Amazon FSx for Lustre file system. You can create either a persistent or a scratch file system, depending on your organization's requirements for encrypting and retaining data. If you create a persistent file system, you can specify the AWS KMS key (an AWS-managed or customer-managed CMK) used to encrypt the data. If you create a scratch file system, the data is encrypted using keys managed by Amazon FSx.

Scratch 2 and persistent file systems automatically encrypt data in transit when they are accessed from Amazon EC2 instances that support encryption in transit in the regions that support this service.


References: 

Data Encryption in Amazon FSx for Lustre - Amazon FSx for Lustre