CoreSSH Server Encryption at Rest


Requirements: CoreSSH Server

Introduction

CoreSSH Server is an easy-to-use solution for managing the server-side of secure file transfer. Files that reside on the server may optionally be encrypted on disk. Encryption at rest provides additional security. File content is decrypted on demand as clients interact with the server, and no decrypted content is ever written to disk.

Enabling Encryption

To enable encryption at rest, navigate to the Settings tab and scroll down. Click the Enable... button. Note that the server cannot be running while encryption is being enabled, so any active connections will be disconnected.

The application will then prompt for an encryption password which will be used to derive encryption keys. The password itself will not be saved and cannot be recovered if it is lost or misplaced.

Once you enter a password and click OK, the application will encrypt all the existing files in the server root directory specified in the Default Root Directory setting and in the home directories of all configured users.

After the initial encryption completes, it is expected that files will only be added to the server's filesystem using the SFTP protocol. Plain files created directly on disk alongside encrypted files will not automatically be encrypted and will not be available to users.

Encryption Format Notes

Files are encrypted using standard disk encryption techniques leveraging the XTS-AES 256-bit block cipher algorithm. The encrypted files on disk will have an .aesf file extension. This is the same file format used by AES Drive. Please see the AES Drive documentation for details.
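
Because plain files placed directly on disk are neither encrypted nor served, and encrypted files carry the .aesf extension, an administrator can periodically check the server root and user home directories for files that were dropped in outside of SFTP. The Python script below is an added example, not part of the original article or the product; the directory and file names are constructed, and the check is by extension only (it does not validate file contents).

```python
import os
import stat
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".aesf"  # extension the article gives for encrypted files


def find_unencrypted(roots):
    """Return (findings, errors). findings is a sorted list of
    (path, size, mtime) for regular files that lack the .aesf extension."""
    findings, errors = [], []
    for root in roots:
        # followlinks=False: do not wander outside the audited tree
        for dirpath, _dirs, files in os.walk(root, onerror=errors.append,
                                             followlinks=False):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError as exc:  # file vanished or access denied
                    errors.append(exc)
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # ignore symlinks and special files
                # Case-insensitive match, since Windows file names are
                if name.lower().endswith(ENCRYPTED_SUFFIX):
                    continue
                findings.append((full, st.st_size, st.st_mtime))
    return sorted(findings), errors


def build_sample_tree():
    """Constructed sample layout: a server root with two user homes."""
    root = Path(tempfile.mkdtemp(prefix="sshroot-"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "q1-report.aesf").write_bytes(b"\x00" * 16)
    (root / "alice" / "notes.aesf").write_bytes(b"\x00" * 16)
    (root / "alice" / "dropped.csv").write_bytes(b"id,name\n")  # plain
    (root / "bob" / "IMAGE.AESF").write_bytes(b"\x00" * 16)
    (root / "bob" / "readme.txt").write_bytes(b"hello\n")       # plain
    return str(root)


if __name__ == "__main__":
    found, errs = find_unencrypted([build_sample_tree()])
    for path, size, _mtime in found:
        print(f"UNENCRYPTED {size:>8} bytes  {path}")
    for err in errs:
        print(f"SKIPPED {err}")
```

Pass the Default Root Directory and each configured user's home directory as the roots.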
