Client-Side Encryption-at-Rest (EAR)
Aspera clients can set their transfers to encrypt content that they upload to a server while it is in transit and stored on the server, a process known as client-side encryption-at-rest (EAR). The client specifies an encryption password and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them, and decryption can occur as the files are downloaded or later once they are physically moved to a computer with no network connection.
Implementation Notes:
- Client-side and server-side EAR can be used simultaneously, in which case files are doubly encrypted on the server.
- Servers can require client-side encryption. In this case, transfers that do not use client-side EAR fail with the error message "Error: Server aborted session: Server requires content protection".
- Client-side encryption-at-rest is supported only for ascp transfers, and is not supported for ascp4 or async transfers.
Using Client-Side EAR
Client-side EAR can be set in the GUI or in the ascp command line.
GUI: Go to Connections > connection_name > Security. Select Encrypt uploaded files with a password and set the password. Select Decrypt password-protected files downloaded and enter the password.
Ascp command line:
First, set the encryption and decryption password as the environment variable
ASPERA_SCP_FILEPASS
:
> set
ASPERA_SCP_FILEPASS=password
For uploads (--mode=send
), use --file-crypt=encrypt
. For
downloads (--mode=recv
), use --file-crypt=decrypt
.
> ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
> ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination
For more command line examples, see Ascp general examples.
Encrypting and decrypting files outside of a transfer
For sensitive content, do not store unencrypted content on any computer with network access. Use an external drive to physically move encrypted files between computers. HSTE include the asprotect and asunprotect command line tools that can be used to encrypt and decrypt files.
- To encrypt a file before you move it to a computer with network access, run the following
command:
>
set
ASPERA_SCP_FILEPASS=password;asprotect -o file1.aspera-env file1 - To download client-side-encrypted files without decrypting them immediately, run the transfer
without decryption enabled (clear Decrypt password-protected
files downloaded in the GUI or do not specify
--file-crypt=decrypt
on the ascp command line). - To decrypt encrypted files once they are on a computer with no network access, run the following
command:
>
set
ASPERA_SCP_FILEPASS=password;asunprotect -o file1 file1.aspera-env