Content encryption: In flight and at rest

Aspera on Cloud offers two forms of encryption for contents of digital packages. Encryption in flight protects contents in transit. Encryption at rest maintains protection at the remote destination until the recipient applies the proper passphrase.

The Aspera on Cloud Packages app automatically applies in-flight encryption to every package sent by every user of the app; this in-flight encryption protects content 'over the wire' during the transfer.

Users can add an 'at-rest' security measure that encrypts the package at its destination. Even after the recipient downloads it, the package stays encrypted until the recipient supplies the password associated with it.

There are two ways to apply password protection to a package:

  • The sender can apply password protection at the time of sending. The sender creates a password for the package in the Send Files form, then delivers the password to the recipients according to local site security practice. For a procedure, see Sending Files and Folders.
  • The administrator can require that all sent packages have password protection automatically applied. Again, the sender must create and confirm the password to apply to the package, and deliver the password to recipients according to local site security practice. See Require encryption at rest.

Encryption in Flight

Every time you transfer content using any Aspera web app, the underlying FASP protocol uses the Cipher Feedback with Checksum mechanism to ensure the security and integrity of data in flight.

Each packet sent in a session is encrypted independently. Transport encryption uses two symmetric 128-bit AES session keys, randomly generated at session initiation. Dual-key encryption and decryption allow packet-by-packet verification at the remote end, and non-conforming packets are discarded.
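To make the packet-by-packet property concrete, here is an added illustration (not Aspera code and not the FASP wire format): each payload is encrypted and authenticated on its own under a session key generated at session start, and the receiver verifies every packet independently, keeping the ones that authenticate and discarding the rest. It uses AES-128-GCM with the packet sequence number as nonce and as authenticated associated data; Aspera's "Cipher Feedback with Checksum" mechanism is a different construction, and this example only shows the verify-and-discard behaviour the text describes. The `Packet` type and all names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet is a constructed, simplified transport unit for this example:
// a sequence number plus the encrypted body (ciphertext and authentication tag).
type Packet struct {
	Seq  uint64
	Body []byte
}

// newSessionKey mirrors "randomly generated at session initiation":
// a fresh 128-bit AES key for each transfer session.
func newSessionKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor turns the sequence number into a unique 96-bit GCM nonce, so every
// packet is encrypted independently under the same session key.
func nonceFor(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// SealPackets encrypts each payload on its own. The sequence number is also
// authenticated as associated data, so a body moved to another slot fails to verify.
func SealPackets(key []byte, payloads [][]byte) ([]Packet, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	out := make([]Packet, 0, len(payloads))
	for i, p := range payloads {
		n := nonceFor(uint64(i))
		out = append(out, Packet{Seq: uint64(i), Body: g.Seal(nil, n, p, n)})
	}
	return out, nil
}

// OpenPackets verifies each packet independently, keeps the ones that
// authenticate, and reports how many non-conforming packets were discarded.
func OpenPackets(key []byte, pkts []Packet) (accepted [][]byte, dropped int, err error) {
	g, err := aead(key)
	if err != nil {
		return nil, 0, err
	}
	for _, pk := range pkts {
		n := nonceFor(pk.Seq)
		pt, openErr := g.Open(nil, n, pk.Body, n)
		if openErr != nil {
			dropped++ // tag mismatch: corrupted, tampered, reordered, or wrong key
			continue
		}
		accepted = append(accepted, pt)
	}
	return accepted, dropped, nil
}

func main() {
	key, _ := newSessionKey()
	pkts, _ := SealPackets(key, [][]byte{[]byte("chunk-0"), []byte("chunk-1")})
	pkts[1].Body[0] ^= 0xff // simulate corruption on the wire
	got, dropped, _ := OpenPackets(key, pkts)
	fmt.Printf("accepted=%d dropped=%d first=%q\n", len(got), dropped, got[0])
}
```

The point for a defender is the last branch in `OpenPackets`: a packet that fails its integrity check is dropped, never passed to the application as data, and the count of dropped packets is the signal worth logging.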

Encryption at Rest (Password Protection)

When you choose to apply encryption at rest (password protection), you are applying an additional layer of security. A 128-bit AES key is generated at random for each session; that key is itself encrypted and stored along with the encrypted file.

At the remote end, the session key is extracted by decrypting it with a secure hash of the password that you applied to the package when you sent it. Security depends on the length and complexity of the password you apply; for most uses, five ordinary words in an unfamiliar order are sufficient.

The recipient must apply the same password to decrypt the package content. Until that password is applied, the content is secure and inaccessible.
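The at-rest scheme described above is an envelope: a random content key protects the file, and a key derived from the password protects the content key. The following is an added example of that pattern, not Aspera's implementation or file format. It assumes a constructed `EncryptedPackage` container, uses AES-128-GCM for the content and AES-256-GCM for wrapping the key, and derives the wrapping key with PBKDF2-HMAC-SHA256 over a random salt in place of the page's unspecified "secure hash of the password"; the iteration count and all names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// EncryptedPackage is a constructed container for this example, not Aspera's
// at-rest file format. Everything needed to recover the content with the right
// password travels with the ciphertext; nothing here reveals the password.
type EncryptedPackage struct {
	Salt       []byte // random per package, so equal passwords give different wrapping keys
	WrapNonce  []byte
	WrappedKey []byte // the random 128-bit content key, encrypted under the password-derived key
	DataNonce  []byte
	Ciphertext []byte
}

const kdfIterations = 100_000 // assumed value; slows offline guessing of the password

// pbkdf2SHA256 returns one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out with the standard library so the example has no dependencies.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newGCM panics on a bad key; key lengths here are fixed by construction (16 or 32 bytes).
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// randomBytes panics on failure: a broken CSPRNG must never silently yield weak keys.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts the content under a fresh random 128-bit AES key, then encrypts
// that key under a key derived from the password and stores both together.
func Seal(password, plaintext []byte) *EncryptedPackage {
	contentKey := randomBytes(16)
	salt := randomBytes(16)
	wrapAEAD := newGCM(pbkdf2SHA256(password, salt, kdfIterations))
	dataAEAD := newGCM(contentKey)
	wrapNonce := randomBytes(wrapAEAD.NonceSize())
	dataNonce := randomBytes(dataAEAD.NonceSize())
	return &EncryptedPackage{
		Salt:       salt,
		WrapNonce:  wrapNonce,
		WrappedKey: wrapAEAD.Seal(nil, wrapNonce, contentKey, nil),
		DataNonce:  dataNonce,
		Ciphertext: dataAEAD.Seal(nil, dataNonce, plaintext, nil),
	}
}

// Open re-derives the wrapping key from the password and unwraps the content
// key before touching the content. A wrong password fails at the unwrap step,
// so the caller never receives garbage plaintext.
func Open(password []byte, p *EncryptedPackage) ([]byte, error) {
	wrapAEAD := newGCM(pbkdf2SHA256(password, p.Salt, kdfIterations))
	contentKey, err := wrapAEAD.Open(nil, p.WrapNonce, p.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong password or tampered key block")
	}
	plaintext, err := newGCM(contentKey).Open(nil, p.DataNonce, p.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("content failed authentication")
	}
	return plaintext, nil
}
```

Two properties worth noticing: the stored package contains the salt, nonces, wrapped key and ciphertext but nothing derived directly from the password, so possession of the file alone yields only an offline guessing problem whose cost the password length and the KDF iteration count set; and because both layers are authenticated, a wrong password or a modified file is reported as an error rather than decrypted into nonsense.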