Client-Side Encryption-at-Rest (EAR)
Aspera clients can set their transfers to encrypt content that they upload to a server while it is in transit and stored on the server, a process known as client-side encryption-at-rest (EAR). The client specifies an encryption password and the files are uploaded to the server with a .aspera-env extension. Anyone downloading these .aspera-env files must have the password to decrypt them, and decryption can occur as the files are downloaded or later once they are physically moved to a computer with no network connection.
Implementation Notes:
- Client-side and server-side EAR can be used simultaneously, in which case files are doubly encrypted on the server.
- Servers can require client-side encryption. In this case, transfers that do not use client-side EAR fail with the error message, "Error: Server aborted session: Server requires content protection."
- Client-side encryption-at-rest is supported only for ascp transfers, and is not supported for ascp4 or async transfers.
Using Client-Side EAR
Client-side EAR can be set in the GUI or in the ascp command line.
GUI: Go to Connections > connection_name > Security. Select Encrypt uploaded files with a password and set the password. Select Decrypt password-protected files downloaded and enter the password.
Ascp command line:
First, set the encryption and decryption password as the environment variable ASPERA_SCP_FILEPASS:
$ export ASPERA_SCP_FILEPASS=password
For uploads (--mode=send), use --file-crypt=encrypt. For downloads (--mode=recv), use --file-crypt=decrypt.
$ ascp --mode=send --file-crypt=encrypt source_file user@host:/remote_destination
$ ascp --mode=recv --file-crypt=decrypt user@host:/source_path/file.aspera-env local_destination
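The following wrapper is an added example, not part of the Aspera documentation. It reads the password from stdin instead of typing it into an export command, which would be saved in shell history, and it sets ASPERA_SCP_FILEPASS only for the single ascp process. The names ASCP_BIN, read_filepass and ear_transfer are hypothetical; the ascp options are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the Aspera documentation.
# ASCP_BIN, read_filepass and ear_transfer are hypothetical names;
# the ascp options and ASPERA_SCP_FILEPASS are the ones documented above.
ASCP_BIN="${ASCP_BIN:-ascp}"

# Read the EAR password from stdin; suppress echo when stdin is a terminal.
read_filepass() {
    if [ -t 0 ]; then
        printf 'EAR password: ' >&2
        stty -echo
        IFS= read -r _pass || :
        stty echo
        printf '\n' >&2
    else
        IFS= read -r _pass || :
    fi
    printf '%s' "$_pass"
}

# usage: ear_transfer send|recv SOURCE DESTINATION   (password on stdin)
ear_transfer() {
    [ "$#" -eq 3 ] || { echo "usage: ear_transfer send|recv SRC DST" >&2; return 2; }
    case "$1" in
        send) _crypt=encrypt ;;   # upload: stored on the server as .aspera-env
        recv) _crypt=decrypt ;;   # download: decrypt .aspera-env files on arrival
        *) echo "mode must be send or recv" >&2; return 2 ;;
    esac
    _pw=$(read_filepass)
    [ -n "$_pw" ] || { echo "empty EAR password, refusing to transfer" >&2; return 1; }
    # The assignment prefix puts ASPERA_SCP_FILEPASS in the environment of this
    # one ascp process only; it is never exported into the calling shell.
    _rc=0
    ASPERA_SCP_FILEPASS="$_pw" "$ASCP_BIN" --mode="$1" --file-crypt="$_crypt" "$2" "$3" || _rc=$?
    unset _pw
    return "$_rc"
}

# Constructed invocations (same placeholders as the commands above):
#   ear_transfer send source_file user@host:/remote_destination
#   ear_transfer recv user@host:/source_path/file.aspera-env local_destination
```

When stdin is not a terminal, the password is read from the first line of stdin, so it can be supplied by a secrets manager or a protected file rather than typed.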
For more command line examples, see Ascp General Examples.