Repository encryption certificate

Repository encryption increases SecureTransport security by avoiding storing unencrypted files. Repository encryption can be enabled on different levels (for example, per account). When you enable repository encryption, SecureTransport encrypts (according to the activated repository encryption level) each file that it pulls from a partner site or that a client pushes to it. When SecureTransport pushes a file to a partner site or a client pulls a file from it, SecureTransport decrypts the file. SecureTransport encrypts and decrypts each file dynamically in memory as it receives and sends it, so the files never exist unencrypted in the storage of the host system.

  1. Generate a self-issued local certificate or import a PKCS#12 file. See Generate a self-issued server certificate and Import a local certificate.
  2. Set the value of the Stfs.Encryption.CertAlias server configuration parameter to the alias of the certificate. SecureTransport uses this certificate to encrypt and decrypt files. See View and change server configuration parameters.
  3. SecureTransport prevents you from deleting the certificate referenced by Stfs.Encryption.CertAlias.
  4. Note If Stfs.Encryption.CertAlias is not set, Repository Encryption will not be enabled.
  5. To choose the encryption algorithm, set the value of the Stfs.Encryption.Algorithm server configuration parameter to one of the following values:
    • AES128 (default)
    • AES256
    • 3DES
  6. See View and change server configuration parameters.
  7. To configure SecureTransport to compute the MD5 checksum for an uploaded file dynamically as the file is uploaded, set the value of the Stfs.Hash.HashOnUpload server configuration parameter to true. When the value is false, the default value, SecureTransport computes the MD5 checksum after the file transfer is complete.
  8. Create a user class named EncryptClass. Files transferred by users in this class are encrypted. See Add a user class.
  9. Note For server-initiated transfers, the user class is defined by the UID and GID only. If you define the EncryptClass using user name or other attributes, there are limitation on server-initiated transfers. See Encryption and server-initiated transfers.
    Note Repository encryption can also be enabled on an individual account basis. When the setting is specified in the account, the user class is ignored.

  10. Restart the TM Server. See Start and stop servers.
Note If you enable repository encryption, the following SecureTransport functions are not supported: resume PeSIT transfers and pause and resume transfers when SecureTransport is the server.
Note When changing the repository encryption certificate, the Transaction Manager should be restarted in order for the changes to be applied.

Related topics:

Related Links