Configuring Encryption

To configure encryption for IBM Aspera Faspex, navigate to Server > Security > Encryption.

Select the "Encrypt transfers" checkbox to enable encryption.
Faspex transfers as well as HTTP fallback transfers will now be encrypted using AES-128.
Select an option for Encryption-at-Rest (EAR).
- Always: Always use EAR. When enabled, users will be required, on upload, to enter a password to encrypt the files on the server. Subsequently, recipients will be required to enter the password to decrypt protected files as they are being downloaded. Note that if a user elects to keep downloaded files encrypted, then they do not need to enter a password until they attempt to decrypt the files locally.
  Note: This feature is not fully enforced unless the Faspex Server Administrator also updates the aspera.conf configuration file (which is not automatically modified by Faspex). See the next step for more information.
- Never: (this is the default for new installations) Do not use EAR
- Optional: User may choose at send time whether to encrypt or not
- Allow dropboxes to have their own encryption settings: (off is the default for new installations) If this global setting is unchecked, you cannot set EAR for individual dropboxes. If checked, you can adjust EAR settings for each dropbox. Please see Create and Manage Dropboxes for details.
Finish configuring in aspera.conf.
The Use Encryption-at-Rest checkbox setting--when enabled--requires users, on upload, to enter a password to encrypt the files on the server. Package recipients will be required to enter the password to decrypt protected files as they are being downloaded. If an user elects to keep downloaded files encrypted, then they do not need to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect Browser Plug-in, starting with Version 2.2.0. To ensure that encryption and decryption occur, log in to your Faspex Server GUI, select Server > Configuration > Transfers and scroll down to the Aspera Connect Version section. Please mark the Enforce minimum version checkbox and specify "2.2.0" or higher in the Version field.
Important: The Use Encryption-at-Rest feature is not fully enforced unless the Faspex Administrator also updates the aspera.conf configuration file (which is not automatically modified by Faspex). The Administrator may update aspera.conf manually or through the IBM Aspera Enterprise Server GUI (please refer to href="http://www.asperasoft.com/en/documentation/1" for details on the GUI). Within aspera.conf, the Content Protection Required and Content Protection Strong Password Required must be enabled.
You can find the aspera.conf file at:
```
C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera.conf
```
The following code block demonstrates manually updating aspera.conf:
```
<transfer>
...
 <encryption>
    <content_protection_strong_pass_required>  
       true
    </content_protection_strong_pass_required>
    <content_protection_required>              
       true
    </content_protection_required>
	... 
 </encryption>
... 
</transfer>
```
Important: The Aspera HTTP Fallback Server provides a secondary transfer method for clients that don't have the Internet connectivity required for Aspera accelerated transfers (By default, UDP port 33001). When UDP connectivity is lost or cannot be established, the transfer will be continued over the HTTP protocol. If transfer encryption is enabled, the transfer will continue over HTTPS. For details on configuring HTTP Fallback for Faspex, please refer to Configuring HTTP and HTTPS Fallback.