Client-Side Encryption at Rest (EAR)

Aspera clients can configure their transfers so that uploaded content is encrypted both while it is in transit and while it is stored on the server. The client specifies a password, and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them, and decryption can occur during download or later.

You can combine client-side and server-side EAR, in which case files are doubly encrypted on the server.

Servers can require client-side encryption. In this case, transfers that do not use client-side EAR fail with the error message "Error: Server aborted session: Server requires content protection."

Note: Client-side encryption-at-rest is supported only for ascp transfers, and is not supported for ascp4 or async transfers.

Using Client-Side EAR

Client-side EAR can be set in the GUI or on the ascp command line.

GUI: Go to Connections > connection_name > Security. Select Encrypt uploaded files with a password and set the password. Select Decrypt password-protected files downloaded and enter the password.

Ascp command line: First, set the encryption and decryption password as the environment variable ASPERA_SCP_FILEPASS:

$ export ASPERA_SCP_FILEPASS=password

For uploads (--mode=send), use --file-crypt=encrypt. For downloads (--mode=recv), use --file-crypt=decrypt.

$ ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
$ ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination

For more command line examples, see Ascp General Examples.
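An added example, not taken from the Aspera documentation: a POSIX shell wrapper that reads the password from the terminal without echo and sets ASPERA_SCP_FILEPASS only for the ascp child process, so it does not land in shell history or stay exported in the session. The function names and the ASCP_BIN override are assumptions made for illustration.

```sh
# Hypothetical wrapper around the ascp invocations shown above.
# ASCP_BIN (an assumed override) lets you point at a specific ascp binary.
ASCP_BIN="${ASCP_BIN:-ascp}"

# Map the transfer mode to the matching --file-crypt value.
ear_crypt_flag() {
    case "$1" in
        send) echo "--file-crypt=encrypt" ;;
        recv) echo "--file-crypt=decrypt" ;;
        *)    echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Read the password into EAR_PASS; disable echo when stdin is a terminal.
ear_read_pass() {
    if [ -t 0 ]; then
        printf 'EAR password: ' >&2
        stty -echo
        IFS= read -r EAR_PASS
        stty echo
        printf '\n' >&2
    else
        IFS= read -r EAR_PASS
    fi
    [ -n "$EAR_PASS" ]    # an empty password is treated as an error
}

# ear_transfer MODE SOURCE DEST
# The body runs in a subshell, so EAR_PASS never reaches the calling shell.
ear_transfer() (
    mode=$1 src=$2 dst=$3
    flag=$(ear_crypt_flag "$mode") || exit 2
    # On download, request decryption only for files with the EAR extension.
    case "$mode:$src" in
        recv:*.aspera-env) ;;
        recv:*) echo "refusing decrypt: $src is not a .aspera-env file" >&2; exit 3 ;;
    esac
    ear_read_pass || { echo "empty password refused" >&2; exit 1; }
    # The variable is placed in the environment of this one command only.
    ASPERA_SCP_FILEPASS=$EAR_PASS "$ASCP_BIN" --mode="$mode" "$flag" "$src" "$dst"
)
```

After sourcing the file, an upload is started with: ear_transfer send source_file user@host:/remote_destination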

Note: When a transfer to Connect Server falls back to HTTP or HTTPS, client-side EAR is no longer supported. If HTTP fallback occurs while uploading, then the files are NOT encrypted. If HTTP fallback occurs while downloading, then the files remain encrypted.