How to enable encryption at rest (Enterprise Edition only)

The Enterprise Edition supports encryption at rest (EAR) from version 11.0. When this feature is enabled for a particular user, all files transferred to the server as that user are automatically encrypted as they are written to the server file system. Users logged directly onto the server machine will not be able to decrypt the files. The encryption used is 128-bit AES.

Once a file is encrypted, the only ways to decrypt it are to transfer it (i.e. download it) from the server, or to run the decrypt administrator command from the SSH command line. Note that EAR has implications for events that might copy or post-process uploaded files. If EAR is enabled, uploaded files cannot be decrypted by other programs or by process triggers. For example, because FTP scripts are executed by an external program, they cannot decrypt encrypted files. Batch files and standalone executables also cannot decrypt server files. The exception is JSS process triggers, which are fully integrated into the server filesystem and can decrypt files. These should be used if encrypted files need to be decrypted by process triggers.

To enable encryption at rest for a user, the user setting "Encrypt stored files" must be enabled, as well as the site-wide "Encrypt stored files" setting. Turning off the site-wide setting disables encryption at rest for all users. Files that are already encrypted will still be automatically decrypted when downloaded, but no new files will be encrypted.