Client-Side Encryption-at-Rest (EAR)

Aspera clients can set their transfers to encrypt content that they upload to a server while it is in transit and stored on the server, a process known as client-side encryption-at-rest (EAR). The client specifies an encryption password and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them, and decryption can occur as the files are downloaded or later once they are physically moved to a computer with no network connection.

Implementation Notes:

  • Client-side and server-side EAR can be used simultaneously, in which case files are doubly encrypted on the server.
  • Servers can require client-side encryption. In this case, transfers that do not use client-side EAR fail with the error message, "Error: Server aborted session: Server requires content protection."
  • Client-side encryption-at-rest is supported only for ascp transfers, and is not supported for ascp4 or async transfers.

Using Client-Side EAR

Client-side EAR can be set in the GUI or in the ascp command line.

GUI: Go to Connections > connection_name > Security. Select Encrypt uploaded files with a password and set the password. Select Decrypt password-protected files downloaded and enter the password.

Ascp command line: First, set the encryption and decryption password as the environment variable ASPERA_SCP_FILEPASS:

$ export ASPERA_SCP_FILEPASS=password

For uploads (--mode=send), use --file-crypt=encrypt. For downloads (--mode=recv), use --file-crypt=decrypt.

$ ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
$ ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination

For more command line examples, see Ascp General Examples.

Note: When a transfer to HST Server falls back to HTTP or HTTPS, client-side EAR is no longer supported. If HTTP fallback occurs while uploading, then the files are NOT encrypted. If HTTP fallback occurs while downloading, then the files remain encrypted.
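The two ascp commands above plus the fallback caveat, as an added example that is not part of the Aspera documentation or product: a POSIX sh wrapper that runs the encrypting upload with ASPERA_SCP_FILEPASS scoped to the ascp process only, then lists the remote directory and fails if any file is not stored as NAME.aspera-env, which is what an HTTP(S) fallback leaves behind. The ASCP and SSH_CMD variables, the password file, and listing the destination with ls over SSH as the same user@host are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Aspera documentation): wrap the client-side EAR
# upload, keep the password out of the shell's exported environment, and verify
# afterwards that the server holds the .aspera-env form of every file. If the
# session fell back to HTTP(S), the uploads are plaintext and the check fails.
# Assumptions: ASCP / SSH_CMD are overridable so a test can substitute stand-ins;
# the remote directory can be listed with "ls -1" over SSH as the same user.

ASCP="${ASCP:-ascp}"
SSH_CMD="${SSH_CMD:-ssh}"

# ear_upload PASSFILE USER@HOST REMOTE_DIR FILE...
# Returns 0 when ascp succeeds and every FILE is listed as NAME.aspera-env,
# 1 when the transfer or the listing fails, 2 on bad arguments,
# 3 when at least one file was stored without the .aspera-env extension.
ear_upload() {
    passfile=$1; target=$2; remote_dir=$3; shift 3
    [ $# -gt 0 ] || { echo "ear_upload: no files given" >&2; return 2; }
    [ -r "$passfile" ] || { echo "ear_upload: cannot read $passfile" >&2; return 2; }
    pass=$(cat "$passfile")
    [ -n "$pass" ] || { echo "ear_upload: empty password" >&2; return 2; }
    # The password is placed in the environment of the ascp child only.
    ASPERA_SCP_FILEPASS="$pass" "$ASCP" --mode=send --file-crypt=encrypt \
        "$@" "$target:$remote_dir" || return 1
    # Post-transfer check: what is actually stored on the server?
    listing=$("$SSH_CMD" "$target" ls -1 "$remote_dir") || return 1
    status=0
    for f in "$@"; do
        name=$(basename "$f")
        if ! printf '%s\n' "$listing" | grep -qxF "$name.aspera-env"; then
            echo "ear_upload: $name is not stored as $name.aspera-env (HTTP fallback?)" >&2
            status=3
        fi
    done
    return $status
}
```

Call it as `ear_upload /path/to/passfile user@host /remote_destination file1 file2`; a non-zero status is the signal to treat the upload as unprotected rather than silently moving on.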