Client-Side Encryption at Rest (EAR)
Aspera clients can set their transfers to encrypt content that they upload to a server while it is in transit and stored on the server. The client specifies a password and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them, and decryption can occur during download or later.
You can combine client-side and server-side EAR, in which case files are doubly encrypted on the server.
Servers can require client-side encryption. In this case, transfer that do not use client-side EAR fail with the error message, "Error: Server aborted session: Server requires content protection."
Using Client-Side EAR
Client-side EAR can be set in the GUI or on the ascp command line.
GUI: Go to Connections > connection_name > Security. Select Encrypt uploaded files with a password and set the password. Select Decrypt password-protected files downloaded and enter the password.
Ascp command line:
First, set the encryption and decryption password as the environment variable
ASPERA_SCP_FILEPASS
:
# export
ASPERA_SCP_FILEPASS=password
For uploads (--mode=send
), use --file-crypt=encrypt
. For
downloads (--mode=recv
), use --file-crypt=decrypt
.
# ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
# ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination
For more command line examples, see Ascp General Examples.