Use Aspera-managed keys for server-side encryption at rest

You can apply Aspera two-tier AES encryption to secure your data in storage attached to your AoC organization. This article describes the AoC-native key-management capability and how to apply it to secure your data.

When you apply Aspera's server-side encryption at rest (SSEAR), you can choose either of two key-management strategies. You can use Aspera's native key-management function, or you can integrate a key-management service to manage your own encryption key. In both cases, Aspera protects your data using a two-tier, AES-based encryption hierarchy.

Using Aspera-managed keys

This is an overview of the encryption process when you choose to use Aspera-managed keys.
  • You create a secret passphrase (also called the content protection secret).
  • Aspera uses a randomly generated data encryption key (DEK) to encrypt your data using the AES algorithm.
  • Aspera combines your passphrase with other unique data and uses the AES algorithm to encrypt the DEK.
  • Aspera saves the encrypted DEK in a metadata file, along with the encrypted customer data, in the customer’s cloud storage.
  • After encryption, Aspera securely discards the unencrypted DEK. Unencrypted keys are never stored in AoC, on the node, or in the storage.
  • To decrypt, Aspera uses unique data combined with metadata from the metadata file to decrypt the DEK, then uses the DEK to decrypt customer data.
Important: It is your responsibility to manage your secret passphrase. You may need it to access your content in storage directly, rather than through Aspera on Cloud.

Implementation notes

  • Supported cloud platforms:
  • Supported Aspera node types:
    • Customer-managed tethered nodes
    • Aspera-managed auto-scale clusters (ATS)
  • You must store and manage the secret passphrase (step 6 in the following procedure) according to your local site security practices. You may need it to access your data outside AoC.
  • You can apply Aspera SSEAR in addition to or instead of encryption options offered by your cloud provider.
  • You can enable encryption only on nodes that are not configured for watermarking. This applies to both Aspera SSEAR and cloud-provider encryption. See this article for details.

Procedure

Use this procedure for each node that you want to encrypt.
Note: To complete this procedure on an existing node, you need the access key secret for the node.

To apply Aspera SSEAR to an existing node using Aspera-managed keys, do the following:

  1. Go to Admin > Nodes and storage > Nodes.
  2. Select the intended node by clicking the node row.
  3. Enter the access key secret and click Log in.
  4. In the Details tab, go to Aspera encryption at rest.
  5. In the Key management method field, select Use Aspera-managed keys.
  6. In the next field, enter your secret passphrase.
    Note: Save this passphrase according to your local site security practices.
  7. Click Save.
Your data on this node is protected using Aspera's two-tier encryption hierarchy and Aspera-managed keys.
Note: Once you apply encryption at rest, you cannot remove or change it.
Note: Encryption applies only to new data that you upload after you apply encryption. Data that exists on the node before you encrypt remains unencrypted.