How to enable SSE-KMS with Aspera on Demand


The 3.6.1 release of Aspera on Demand includes support for the Server Side Encryption at Rest using AWS Key Management Service (SSE-KMS).  This KB article describes how to configure Aspera On Demand with that option.


Docmentation for the Amazon SSE-KMS encryption process is available. There are two options for configuring SSE-KMS.  You can enable this feature systemwide, by configuring the file /opt/aspera/etc/trapd/  Alternately, you can specify this feature on a per-docroot basis, by adding it to the docroot. If enabled server-wide via the file all files uploaded with this server to S3 will be encrypted and all files downloaded will be decrypted. If enabled for a specific docroot (e.g. system use) then only files transferred with that user account will be encrypted / decrypted.


  1. Your Aspera server must be version 3.6.1 or later.
  2. This option is only available on Linux version of Aspera.
  3. You need to have root access to your Aspera server for configurations and service restarting.
  4. You have decided if you plan to use the default KMS Key, or prefer to use a specific one.   NOTE: If you want to use a specific one, you will need access to your AWS console, to created a key using the AWS IAM role console. More info about creating keys for KMS can be found in Amazon documentation about key generation.

Procedure - systemwide configuration

  1. Login to your Aspera server, and sudo to the root account.
  2. Edit the file and set the KMS option
    # vi /opt/aspera/etc/trapd/
    Change this:
    # server-side-encryption=NONE

    To this:
  3. If you are using a specific KMS key, you also need to update this configuration option:

    Change the following line
    # server-side-encryption-aws-kms-key-id
    to include your key (NOTE: provide your key, not my example key)
    server-side-encryption-aws-kms-key-id = arn:aws:kms:us-west-2:289669785124:key/9120a367-8204-4752-8b0f-1ca9d90j8ec3
  4. Save and exit the configuration file
  5. Restart the Aspera Trapd service

    For CentOS 6 based systems:
    service asperatrapd stop
    service asperatrapd start

    For CentOS 7+ based system (systemd)
    systemctl stop asperatrapd
    systemctl start asperatrapd

Procedure - individual docroot configuration

Note:  There are a few ways to configure a docroot on the Aspera server; console web UI, asconfigurator, edit aspera.conf directly.  Below we show the use of asconfigurator.

To enable S3 SSE in Aspera, append ?server-side-encryption=AWS_KMS to the S3 docroot of the transfer users.  

Here is an example of the contents of the users docroot:


Note:  my_bucket and my_path should be substituted with your bucket and path. 

If you are using a specific KMS key, the syntax will look like this:


Note: my_bucket and my_path should be substituted with your bucket and path and you need to provide _your_ key, not my example key. 

Here is a full example using the cli tool 'asconfigurator' to set the docroot for the 'xfer' user:

asconfigurator -F "set_user_data;user_name,xfer;absolute,s3://"

Here is a full example using the cli tool 'asconfigurator' to set the docroot for the 'xfer' user:

asconfigurator -F "set_user_data;user_name,xfer;absolute,s3://" 

To learn more about Amazon Server Side Encryption - KMS, please see Amazon's documentation on KMS Server Side Encryption.


You can verify that the setting worked, by viewing the properties of objects via the S3 browser. Navigate to your bucket, select the recently uploaded object and click on properties, and details to view the details of the object. You can see that "Server Side Encryption" is set to AWS KMS.


Powered by Zendesk