Client-Side Encryption-at-Rest (EAR)

Aspera clients can configure their transfers so that uploaded content is encrypted both while it is in transit and while it is stored on the server, a process known as client-side encryption-at-rest (EAR). The client specifies an encryption password and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them. Decryption can occur as the files are downloaded, or later, once they are physically moved to a computer with no network connection.

Implementation Notes:

  • Client-side and server-side EAR can be used simultaneously, in which case files are doubly encrypted on the server.
  • Servers can require client-side encryption. In this case, transfers that do not use client-side EAR fail with the error message "Error: Server aborted session: Server requires content protection".
  • Client-side encryption-at-rest is supported only for ascp transfers, and is not supported for ascp4 or async transfers.

Using Client-Side EAR

Client-side EAR can be set in the ascp command line.

First, set the encryption and decryption password as the environment variable ASPERA_SCP_FILEPASS:

# export ASPERA_SCP_FILEPASS=password

For uploads (--mode=send), use --file-crypt=encrypt. For downloads (--mode=recv), use --file-crypt=decrypt.

# ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
# ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination

For more command line examples, see Ascp general examples.

Note: When a transfer to HSTS falls back to HTTP or HTTPS, client-side EAR is no longer supported. If HTTP fallback occurs while uploading, then the files are NOT encrypted. If HTTP fallback occurs while downloading, then the files remain encrypted.

Encrypting and decrypting files outside of a transfer

For sensitive content, do not store unencrypted content on any computer with network access. Use an external drive to physically move encrypted files between computers. Desktop Client includes the asprotect and asunprotect command line tools, which can be used to encrypt and decrypt files.

  • To encrypt a file before you move it to a computer with network access, run the following command:
    # export ASPERA_SCP_FILEPASS=password;/opt/aspera/bin/asprotect -o file1.aspera-env file1
  • To download client-side-encrypted files without decrypting them immediately, run the transfer without decryption enabled (do not specify --file-crypt=decrypt on the ascp command line).
  • To decrypt encrypted files once they are on a computer with no network access, run the following command:
    # export ASPERA_SCP_FILEPASS=password;/opt/aspera/bin/asunprotect -o file1 file1.aspera-env
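
As an added example (not part of the Aspera documentation or tooling), the following bash helpers read the password without echoing it, batch-encrypt a directory with asprotect into a staging directory for the external drive, and flag any file that lacks the .aspera-env extension, which also helps spot uploads that went through HTTP fallback unencrypted. The function names and the ASPROTECT override variable are assumptions; the extension check is by file name only and does not inspect contents.

```shell
#!/usr/bin/env bash
# Added example. Function names and the ASPROTECT override are hypothetical;
# only the asprotect invocation and ASPERA_SCP_FILEPASS come from the page.
ASPROTECT="${ASPROTECT:-/opt/aspera/bin/asprotect}"

# Read the password without echo so it stays out of shell history
# and terminal scrollback, then export it for ascp/asprotect/asunprotect.
read_filepass() {
    local p1 p2
    read -r -s -p "EAR password: " p1; echo >&2
    read -r -s -p "Confirm: " p2; echo >&2
    if [ -z "$p1" ] || [ "$p1" != "$p2" ]; then
        echo "empty or mismatched password" >&2; return 1
    fi
    export ASPERA_SCP_FILEPASS="$p1"
}

# Encrypt every regular file directly in SRC into DEST as NAME.aspera-env.
# Originals are left untouched; DEST is what goes on the external drive.
protect_dir() {
    local src="$1" dest="$2" f
    [ -n "${ASPERA_SCP_FILEPASS:-}" ] || { echo "ASPERA_SCP_FILEPASS not set" >&2; return 1; }
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        "$ASPROTECT" -o "$dest/$(basename "$f").aspera-env" "$f" || return 1
    done
}

# Print files under DIR whose name lacks the .aspera-env extension.
# Name-based check only: it does not inspect file contents.
list_unprotected() {
    find "$1" -type f ! -name '*.aspera-env' | sort
}

# Succeed only when nothing under DIR is missing the extension.
all_protected() {
    [ -z "$(list_unprotected "$1")" ]
}
```

Run read_filepass, then protect_dir SRC DEST, and copy DEST to the external drive only when all_protected DEST succeeds.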