Note on Encryption at Rest

Details about Faspex Server's EAR setting

Print this page

As described in Security, the Use Encryption-at-Rest checkbox setting--when enabled--requires users, on upload, to enter a password to encrypt the files on the server. Package recipients will be required to enter the password to decrypt protected files as they are being downloaded. If a user elects to keep downloaded files encrypted, then they do not need to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the Aspera Connect Browser Plug-in, starting with Version 2.2.0. To ensure that encryption and decryption occur, log in to your Faspex Server GUI, select Server > Configuration > Transfers and scroll down to the Aspera Connect Version section. Please mark the Enforce minimum version checkbox and specify "2.2.0" or higher in the Version field.

IMPORTANT NOTE: The Use Encryption-at-Rest feature is not fully enforced unless the Faspex Server Administrator also updates the aspera.conf configuration file (which is not automatically modified by Faspex). The Administrator may update aspera.conf manually or through the Enterprise Server GUI (please refer to http://www.asperasoft.com/en/documentation/1 for details on the GUI). Within aspera.conf, the Content Protection Required and Content Protection Strong Password Required must be enabled.

The following code block demonstrates manually updating aspera.conf:

<transfer>
...
 <encryption>
    <content_protection_strong_pass_required>  <!--Strong Password Required for Content Protection-->
       true
    </content_protection_strong_pass_required>
    <content_protection_required>              <!--Content Protection Required-->
       true
    </content_protection_required>
	... 
 </encryption>
... 
</transfer>

IMPORTANT NOTE on using HTTP Fallback with Faspex Server

The Aspera HTTP Fallback Server provides a secondary transfer method for clients that don't have the Internet connectivity required for Aspera accelerated transfers (By default, UDP port 33001). When UDP connectivity is lost or cannot be established, the transfer will be continued over the HTTP protocol. If transfer encryption is enabled, the transfer will continue over HTTPS. For details on configuring HTTP Fallback for Faspex Server, please refer to Configuring HTTP and HTTPS Fallback

When a transfer falls back to HTTP or HTTPS, content protection is no longer supported. If HTTP fallback occurs while downloading, then--despite entering a passphrase--the files will remain encrypted (i.e., enveloped). If HTTP fallback occurs while uploading, then--despite entering a passphrase--the files will NOT be encrypted (i.e., enveloped).