Customer Managed Encryption Keys for Cloud Storage

Creating the KMS Key and Granting ShareFile Access

Note: For improved performance, it is recommended to create the KMS key in the same region as your ShareFile zone. For example, if using the US-East Citrix-managed StorageZone, create the KMS key in the US-East region.

1. Go to the KMS Console website, or search for “AWS Key Management Service”, and click “Create a key”.


2. In the “Create Key” wizard, select these values, then click Next:

Key type: Symmetric

Key material origin: KMS

Regionality: Single-Region key


3. Add an alias for the key, and optionally a description and label. Click Next.


4. Under Define key permissions, you can leave the default values.


5. Under Define key usage permissions, click “Add another AWS account” and enter the ShareFile external account ID. Then click Next to continue.

Note: Please contact ShareFile Customer Support to obtain the external account ID.



6. Click Finish to review and complete the process. Then select the key you just created to view its properties, copy the ARN, and send it to ShareFile Support. For example: provide the information in the following format:



Configure CloudTrail Logging

1. Go to the CloudTrail console or search for “CloudTrail”. Click Create Trail from the dashboard.


2. Add the trail name, create a new S3 bucket, and provide an appropriate bucket name.


3. Under the “Customer managed AWS KMS key” section, choose existing, and then search for the AWS KMS key you previously created.


Validating Key Operations

A. Test Disabling the KMS Key

  • Perform some test uploads and downloads to your Zone
  • From the AWS Console, select your key and choose Disable.
  • Wait a few minutes and then try to upload or download to your Zone once more. You should see the operations fail.
  • Re-enable the KMS key and verify that you can upload and download successfully.

B. Test Revoking the ShareFile External Account

WARNING – Do not delete the Master Key on AWS, as that could permanently revoke access to ShareFile data encrypted with the Master Key.

  • Edit the KMS Key and browse to External Accounts
  • Select the “Remove” option to revoke ShareFile access to this key (save the value before deletion)
  • Wait a few minutes and then attempt to upload or download. You should see the operations fail.
  • Re-add the external account.
  • Wait a few minutes and then reattempt uploads or downloads. The operations should be successful.
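To confirm what the “Add another AWS account” step and the revoke test in section B actually changed, the key policy JSON can be checked directly. The following is an added example, not ShareFile's or AWS's own code; the sample policy is constructed, and both account IDs in it are placeholders.

```python
import json
import re

# Constructed sample modelled on the policy the console writes after
# "Add another AWS account". Both account IDs are placeholders.
OWNER_ACCOUNT = "111122223333"  # placeholder: the account that owns the key
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def external_access(policy_json, owner_account):
    """Map each non-owner account to the sorted KMS actions it is allowed."""
    found = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            # A principal is either a full ARN or a bare 12-digit account ID.
            m = re.search(r"\b(\d{12})\b", arn)
            account = m.group(1) if m else arn
            if account != owner_account:
                found.setdefault(account, set()).update(_as_list(stmt.get("Action", [])))
    return {acct: sorted(actions) for acct, actions in found.items()}

def findings(policy_json, owner_account):
    """Warn about external grants that go beyond key usage (conditions ignored)."""
    out = []
    for acct, actions in external_access(policy_json, owner_account).items():
        if acct == "*":
            out.append("key is usable by any AWS principal")
        if any(a in ("kms:*", "*") for a in actions):
            out.append(f"{acct} has full control of the key, not just usage")
    return out

if __name__ == "__main__":
    print(external_access(SAMPLE_POLICY, OWNER_ACCOUNT))
    print(findings(SAMPLE_POLICY, OWNER_ACCOUNT))
```

After the revoke step, `external_access` should return an empty mapping for your key's policy; after re-adding the account, it should list only that account with usage actions.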

C. Verify Activity via CloudTrail Logs

  • After performing some uploads and downloads, check the CloudTrail activity (it may take ~10 minutes to populate).
  • Verify you can see activity details such as username, filename, and operation (Upload or Download).
  • Note – File Names that contain special characters or Unicode characters will appear as URL-encoded in the CloudTrail logs. To view the filename, you can use a URL decoder.