Running Aspera transfer servers with FIPs mode enabled


FIPs, or Federal Information Processing Standard is a computer security standard established by the US government. Aspera transfer servers (Enterprise Server, Connect Server, P2P) work as expected when FIPs mode is enabled.

To properly transfer with FIPs mode enabled, perform the following configuration changes.


1. Configure your transfer server for FIPs compliance

You can accomplish this either through the transfer server UI or on the command line.

In the UI, click the Configuration button. Go to the Authorization tab and scroll to the Do encrypted transfers in FIPS 140-2-certified encryption mode setting. Select Override, then change the value to true.

Alternatively, you can configure FIPs compliance on the command line.

To apply FIPS compliance for all transfers, run the following command:

asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"

To apply FIPS compliance for a specific user, run the following command:

asconfigurator -x "set_user_data;user_name,example_user;transfer_encryption_fips_mode,true"
Note that with FIPS compliance turned on, any transfers using ciphers with hash algorirthms that are not FIPS compliant will be aborted.

2. Ensure your sshd_config file is configured correctly

To be FIPs compliant, your sshd_config file should only contain ciphers and MACs from the following list:

Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512

You can check your sshd_config file here:

  • Linux: /etc/ssh/sshd_config
  • Windows: C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config

3. (for transfer servers version 3.6.0 and below) Ensure a compatible resume option is configured

The transfer resume option configures what to check in a file before resuming interrupted transfers.

In order to be FIPs compliant, your resume option must be set to one of the following:

  • 0: The default value, where files are always retransferred in their entirety
  • 1: Where file attributes are matched before resuming the transfer at its stoppage point

The resume option is set with the k option in ascp:

# ascp -k 1 ...

In a future release of Aspera transfer servers, the other resume options (which perform checksums) will use FIPs-supported algorithms and thus be available to use with FIPs mode enabled.

Powered by Zendesk