aspera.conf - Server-Side Encryption at Rest (EAR)

Capabilities

When files are uploaded from an Aspera client to the server, server-side encryption-at-rest (EAR) saves files on disk in an encrypted state. When downloaded from the server, server-side EAR first decrypts files automatically, and then the transferred files are written to the client's disk in an unencrypted state. Server-side EAR provides the following advantages:

Limitations and Considerations

Configuring Server-Side EAR

  1. Set the docroot in URI format.
    Server-side EAR requires the storage to have a docroot in URI format, such that it is prefixed with file:///. The third slash ( / ) does not serve as the root slash for an absolute path. For example, a docroot of /home/xfer would be set as file:////home/xfer and a docroot of C:\Users\xfer would be set as file:///C:\Users\xfer.

    To set the docroot for a user, group, or default, from the command line, run the appropriate asconfigurator command:

    > asconfigurator -x "set_user_data;user_name,username;absolute,file:///filepath"
    > asconfigurator -x "set_group_data;group_name,group_name;absolute,file:///filepath"
    > asconfigurator -x "set_node_data;absolute,file:///filepath"

    This creates lines similar to the example below, in which the user asp1 has a docroot set to file:////Users/testing/Public:

    <user>
      <name>asp1</name>
      ...
      <file_system>
        <access>
          <paths>
            <path>
              <absolute>file:////Users/testing/Public</absolute>
            </path>
          </paths>
        </access>
      </file_system>
      ...
    </user>

    To manually edit aspera.conf, open it from the following location and insert text similar to the example above.

    C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf

  2. Set the password.
    The server-side EAR password can be set for all users (global), per group, or per user. You can specify these settings using asconfigurator or by manually editing aspera.conf.

    To set the EAR password for a user, group, or default, run the appropriate command:

    > asconfigurator -x "set_user_data;user_name,username;transfer_encryption_content_protection_secret,passphrase"
    > asconfigurator -x "set_group_data;group_name,group_name;transfer_encryption_content_protection_secret,passphrase"
    > asconfigurator -x "set_node_data;transfer_encryption_content_protection_secret,passphrase"

    Setting the default value (global setting) creates the following text in aspera.conf:

    <default>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
        </encryption>
      </transfer>
      ...
    </default>

    Setting a value for a user, such as asp1, creates the following text in aspera.conf:

    <user>
      <name>asp1</name>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
        </encryption>
      </transfer>
      ...
    </user>

    To manually add a passphrase, open aspera.conf and insert text similar to the examples above, depending on your specifications.

  3. Optional: Require content protection and/or strong passwords.
    In addition to setting a password, you can set options to cause server-side EAR to fail if a password is not given or if a password is not strong enough. For example, the following asconfigurator command adds both these options for all users (global):

    > asconfigurator -x "set_node_data;transfer_encryption_content_protection_required,true;transfer_encryption_content_protection_strong_pass_required,true"

    This command adds the following text in aspera.conf:

    <default>
      <transfer>
        <encryption>
          <content_protection_secret>passphrase</content_protection_secret>
          <content_protection_required>true</content_protection_required>
          <content_protection_strong_pass_required>true</content_protection_strong_pass_required>
        </encryption>
      </transfer>
      ...
    </default>

    To manually enable these options, open aspera.conf and insert text similar to the example above.

  4. Save your changes to aspera.conf, then validate them by running the following command:
    > asuserdata -v
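
The settings from steps 1 to 3 can be audited together by parsing aspera.conf and reporting every scope whose docroot is not a file:/// URI, whose passphrase is missing or still the placeholder, or whose enforcement options are not true. This is an added example, not code from Aspera; the function name audit_ear, the <CONF> root wrapper in the constructed sample, and the rule that a user without its own value inherits <default> are assumptions, and group scopes are not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample using only elements shown on this page; the <CONF> root
# wrapper is an assumption. asp1's docroot is deliberately not in URI format.
SAMPLE = """<CONF>
  <default><transfer><encryption>
    <content_protection_secret>passphrase</content_protection_secret>
    <content_protection_required>true</content_protection_required>
  </encryption></transfer></default>
  <user>
    <name>asp1</name>
    <file_system><access><paths><path>
      <absolute>/Users/testing/Public</absolute>
    </path></paths></access></file_system>
  </user>
</CONF>"""

ENC = "transfer/encryption/content_protection_"

def audit_ear(conf_xml):
    """Return sorted (scope, finding) pairs for the EAR settings on this page."""
    root = ET.fromstring(conf_xml)
    default = root.find(".//default")
    scopes = [("default", default)] if default is not None else []
    scopes += [("user:" + u.findtext("name", "?"), u) for u in root.iter("user")]
    findings = set()
    for scope, node in scopes:
        def effective(name):
            # Assumption: a scope without its own value inherits <default>.
            own = (node.findtext(ENC + name) or "").strip()
            if own or default is None:
                return own
            return (default.findtext(ENC + name) or "").strip()
        for docroot in node.iter("absolute"):
            if not (docroot.text or "").strip().startswith("file:///"):
                findings.add((scope, "docroot is not a file:/// URI"))
        secret = effective("secret")
        if not secret:
            findings.add((scope, "no EAR passphrase set"))
        elif secret == "passphrase":
            findings.add((scope, "passphrase is the documentation placeholder"))
        for flag in ("required", "strong_pass_required"):
            if effective(flag).lower() != "true":
                findings.add((scope, "content_protection_" + flag + " is not true"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(s + ": " + f for s, f in audit_ear(SAMPLE)))
```

Run it against a copy of aspera.conf by passing the file's contents to audit_ear; an empty result means every checked scope has a URI docroot, a non-placeholder passphrase, and both enforcement options enabled.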