Server-Side Encryption at Rest (EAR)

Capabilities

When files are uploaded from an Aspera client to the server, server-side encryption-at-rest (EAR) saves files on disk in an encrypted state. When downloaded from the server, server-side EAR first decrypts files automatically, and then the transferred files are written to the client's disk in an unencrypted state. Server-side EAR provides the following advantages:

Limitations and Considerations

Configuring Server-Side EAR

  1. Set the docroot in URI format.
    Server-side EAR requires the storage to have a docroot in URI format, such that it is prefixed with file:///. The third slash ( / ) does not serve as the root slash for an absolute path. For example, a docroot of /home/xfer would be set as file:////home/xfer and a docroot of C:\Users\xfer would be set as file:///C:\Users\xfer.

    To configure the docroot options, click Configuration and set configurations for Global, Groups, or Users under their respective Docroot tabs. Select Override in the setting row to set a docroot and adjust read, write, and browse privileges. User docroot settings take precedence over group settings, which take precedence over global settings.

    Bring up the Server Configuration window

    Docroot configuration options.

  2. Set the password.
    The server-side EAR password can be set for all users (global), per group, or per user. In the Server Configuration dialog, click the Authorization tab and locate the setting for Content Protection Secret. Select the override box and enter the password.

  3. Optional: Require encryption and/or a strong password.
    In addition to setting a password, you can set options to cause server-side EAR to fail if a password is not given or if a password is not strong enough. In the Authorization tab, select the override box next to Strong Password Required for Content Encryption and Content Protection Required and select true.