Table of Contents
- IBM Aspera Encryption Requirements at EMBL-EBI (2025 Update)
IBM Aspera Encryption Requirements at EMBL-EBI (2025 Update)
Recommended settings for secure and high-performance data transfers
EMBL-EBI systems support very high-throughput Aspera transfers (up to 100 Gbps).
To ensure both security and performance, users must configure Aspera to use the correct encryption mode when accessing non-public data, and should disable encryption entirely when downloading fully public data.
This document explains:
- Which encryption mode to use and when
- How to update your settings in Aspera Connect GUI
- How to configure ASCLI and ascp
- Performance differences between ciphers
- What to do if you are using older or deprecated settings
1. Summary of EMBL-EBI encryption policy
Private / protected data
✔ Use AES-128-GCM
✔ AES-128-GCM is required
✘ AES-128-CFB is deprecated and must not be used
Public data (e.g., fasp-public, fasp-ml, era-fasp)
✔ Recommended: disable encryption (none)
This provides the highest possible throughput when downloading data that is already publicly available through other channels. IBM Aspera indicates that this option does not encrypt data in transit. For security and to keep the file integrity, avoid the use of this setting.
Public-data accounts do not access sensitive data; enabling encryption provides no additional security benefit and reduces performance for all users of the system.
2. Why AES-128-GCM?
GCM is faster and secure
- Uses AES-NI hardware acceleration
- Lower CPU overhead
- Integrity protection built in
- Recommended by IBM Aspera for modern deployments
- Matches the performance of unencrypted transfers when bandwidth is not the bottleneck
CFB is deprecated
- Does not use AES-NI
- Much slower at high throughput
- Causes unnecessary CPU load on shared servers
- Leads to reduced performance for all users on the same system
- IBM Aspera no longer recommends using CFB for any high-speed transfer environment
3. Updating settings in Aspera Connect GUI
3.1 Steps
- Open Aspera Connect
- Go to Connections
- Select your EMBL-EBI entry
- Click Edit
- Open the Security tab
- Set Encryption to:
- AES-128-GCM for private/protected data
- none for public-data accounts (e.g., fasp-public, fasp-ml, era-fasp)
3.2 Screenshot
4. ASCLI examples
4.0 Create presets
# Check no config exists
root@jmr ~/aspera # cat /root/.aspera/ascli/config.yaml
cat: /root/.aspera/ascli/config.yaml: No such file or directory
# Create first preset, which creates the config file
root@jmr ~/aspera # ./ascli config preset update fasp-public --ssh-options=@json:'{"use_agent": false}' --url=ssh://fasp.ebi.ac.uk:33001 --username=fasp-public --ssh_keys=public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key
W, [2025-11-19T15:27:42.138403 #3235913] WARN -- : No config file found. New configuration file: /root/.aspera/ascli/config.yaml
Updated: fasp-public
Saving config file.
# Declare cipher as NONE
root@jmr ~/aspera # ./ascli config preset update fasp-public --ts=@json:'{"cipher":"none"}'
Updated: fasp-public
Saving config file.
# Create second preset
root@jmr ~/aspera # ./ascli config preset update fasp-public-gcm --ssh-options=@json:'{"use_agent": false}' --url=ssh://fasp.ebi.ac.uk:33001 --username=fasp-public --ssh_keys=public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key
Updated: fasp-public-gcm
Saving config file.
# Configure encryption to aes-128-gcm, the list of options can be found at https://github.com/IBM/aspera-cli
root@jmr ~/aspera # ./ascli config preset update fasp-public-gcm --ts=@json:'{"cipher":"aes-128-gcm"}'
Updated: fasp-public-gcm
Saving config file.
# Show configs
root@jmr ~/aspera # ./ascli config folder
/root/.aspera/ascli
root@jmr ~/aspera # cat /root/.aspera/ascli/config.yaml
---
config:
version: 4.23.0
fasp-public:
ssh_options:
use_agent: false
url: ssh://fasp.ebi.ac.uk:33001
username: fasp-public
ssh_keys: public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key
fasp-public-gcm:
ssh_options:
use_agent: false
url: ssh://fasp.ebi.ac.uk:33001
username: fasp-public
ssh_keys: public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key
ts:
cipher: aes-128-gcm
# Show configs with the tool
root@jmr ~/aspera # ./ascli config preset show fasp-public
╭───────────────────────┬────────────────────────────╮
│ field │ value │
╞═══════════════════════╪════════════════════════════╡
│ ssh_options.use_agent │ false │
│ url │ ssh://fasp.ebi.ac.uk:33001 │
│ username │ fasp-public │
│ ssh_keys │ ???? │
│ ts.cipher │ none │
╰───────────────────────┴────────────────────────────╯
root@jmr ~/aspera # ./ascli config preset show fasp-public-gcm
╭───────────────────────┬────────────────────────────╮
│ field │ value │
╞═══════════════════════╪════════════════════════════╡
│ ssh_options.use_agent │ false │
│ url │ ssh://fasp.ebi.ac.uk:33001 │
│ username │ fasp-public │
│ ssh_keys │ ???? │
│ ts.cipher │ aes-128-gcm │
╰───────────────────────┴────────────────────────────╯
root@jmr ~/aspera #4.1 Downloading public data (recommended: no encryption)
Example using the public-ebi preset:
root@jmr ~/aspera # ./ascli --preset=fasp-public server download /vol1/.welcome
Time: 00:00:01 ============================================================================================================= 100% 0 Mbps Time: 00:00:01
4.2 Downloading protected data (AES-128-GCM required)
(The user has only been used as example, there is no expectation to download public data with a cipher transport)
root@jmr ~/aspera # ./ascli --preset=fasp-public-gcm server download /vol1/.welcome
Time: 00:00:01 ============================================================================================================= 100% 0 Mbps Time: 00:00:01
root@jmr ~/aspera #
4.3 Uploading protected data (AES-128-GCM required)
# ./ascli config preset update webin --ssh-options=@json:'{"use_agent": false}' --url=ssh://fasp.ebi.ac.uk:33001 --username=Webin-256 --password='REDACTED'
Updated: webin
Saving config file.
root@jmr ~/aspera # ./ascli config preset show webin
╭───────────────────────┬────────────────────────────╮
│ field │ value │
╞═══════════════════════╪════════════════════════════╡
│ ssh_options.use_agent │ false │
│ url │ ssh://fasp.ebi.ac.uk:33001 │
│ username │ Webin-256 │
│ password │ ???? │
╰───────────────────────┴────────────────────────────╯
# Define the cipher for the preset
root@jmr ~/aspera # ./ascli config preset update webin --ts=@json:'{"cipher":"aes-128-gcm"}'
Updated: webin
Saving config file.
# Ensure we will be able to create folders
# ./ascli config preset update webin --ts=@json:'{"create_dir":true}'
Updated: webin
Saving config file.
root@jmr ~/aspera # ./ascli config preset show webin
╭───────────────────────┬────────────────────────────╮
│ field │ value │
╞═══════════════════════╪════════════════════════════╡
│ ssh_options.use_agent │ false │
│ url │ ssh://fasp.ebi.ac.uk:33001 │
│ username │ Webin-256 │
│ password │ ???? │
│ ts.create_dir │ true │
╰───────────────────────┴────────────────────────────╯
root@jmr ~/aspera #
# Upload the file
# ./ascli --preset=webin server upload 100MB --to-folder=/Upload/
Time: 00:00:07 =========================================================================================================== 100% 114 Mbps Time: 00:00:07
root@jmr ~/aspera #
5. ascp examples
5.0 Prepare environment
root@jmr ~/aspera # mkdir ascp
root@jmr ~/aspera # mv ibm-aspera-transfer-sdk-linux-amd64-1.1.6.tar.gz ascp
root@jmr ~/aspera # cd ascp
root@jmr ~/aspera/ascp # tar -zxvf ibm-aspera-transfer-sdk-linux-amd64-1.1.6.tar.gz
[... unzip..]
root@jmr ~/aspera/ascp # cd ..
root@jmr ~/aspera # cp ascp/ibm-aspera-transfer-sdk-linux-amd64-1.1.6/bin/ascp .
root@jmr ~/aspera # ./ascp -A
Product version information not found.
ascp version 4.4.6.2033 31ae48a
Operating System: Linux
AES-NI Supported
'aspera-license' could not be found in '/root/etc'
root@jmr ~/aspera #
# Fix the license
root@jmr ~/aspera # mkdir /root/etc/
root@jmr ~/aspera # cp ./ascp/ibm-aspera-transfer-sdk-linux-amd64-1.1.6/etc/aspera-license /root/etc/
root@jmr ~/aspera # ./ascp -A
Product version information not found.
ascp version 4.4.6.2033 31ae48a
Operating System: Linux
AES-NI Supported
License max rate=(unlimited), account no.=1, license no.=56
Enabled settings: stream and sync2
root@jmr ~/aspera #
# Check the options in your binary
root@jmr ~/aspera # ./ascp --help | grep -E "cipher|encrypt|in-transit"
-T Disable encryption
-c CIPHER File data cipher: aes128, aes192, aes256,
--file-crypt=CRYPT CRYPT: encrypt,decrypt
root@jmr ~/aspera #5.1 Public data (disable encryption)
root@jmr ~/aspera # ./ascp -T -P 33001 -i public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key fasp-public@fasp.ebi.ac.uk:/vol1/.welcome ./
.welcome 100% 31 00:00
Completed: 0K bytes transferred in 0 seconds
(0K bits/sec), in 1 file.
root@jmr ~/aspera #
5.2 Protected data (AES-128-GCM)
(The user fasp-public has been used as example, as it is used to download public data does not require cipher)
root@jmr ~/aspera # ./ascp -c aes128 -P 33001 -i public_accounts_rsa_sha2_256_keypair/id_rsa_ebi_public.key fasp-public@fasp.ebi.ac.uk:/vol1/.welcome ./
.welcome 100% 31 00:00
Completed: 0K bytes transferred in 0 seconds
(0K bits/sec), in 1 file.
root@jmr ~/aspera #
While not clearly flagged as GCM cipher, the following can be seen in the server logs
Nov 19 15:02:52 hlvlpxferasp001 ascp[813914]: LOG FASP Session Params uuid=d332a84d-16eb-4b52-ba1e-6c19d7dc162d userid=0 user="fasp-public" targetrate=200000000 minrate=0 rate_policy=fair cipher=aes-128-gcm resume=0 create=0 extra_create=0 ovr=1 times=0 precalc=yes precalc_disable=false mf=0 mf_path=- mf_suffix=.aspera-inprogress partial_file_suffix=.partial files_encrypt=no files_decrypt=no file_csum=NONE dgram_sz=0 tcp_mode=no rtt_auto=yes cookie="-" vl_proto_ver=1 peer_vl_proto_ver=1 vl_local=9000000000 vlink_remote=0 vl_sess_id=3854 srcbase=- rd_sz=0 wr_sz=0 cluster_num_nodes=1 cluster_node_id=0 cluster_multi_session_threshold=-1 range=0-0 keepalive=no test_login=no proxy_ip=- net_rc_alg=alg_delay exclude_older/newer_than=0/0 xfer_id=-
# cipher=aes-128-gcm , which is what is expected. 6. Performance comparison
Aspera performance is limited by CPU, not by bandwidth, in high-speed environments like EMBL-EBI (100 Gbps network, 48-vCPU VMware transfer hosts).
Measured transfer performance (10 runs per cipher):
| Cipher | Approx Throughput | Notes |
|---|---|---|
| none | ~170–175 Mbps | Maximum achievable in test setup |
| AES-128-GCM | ~168–175 Mbps | Uses AES-NI hardware acceleration |
| AES-128 | ~150–165 Mbps | Slower, but acceptable |
| AES-128-CFB | Significantly lower | Deprecated; no hardware acceleration |
Graphical summary (higher = better)
none ██████████████████████ ~175 Mbps
AES-128-GCM ████████████████████ ~171 Mbps
AES-128 █████████████████ ~160 Mbps
AES-128-CFB ███████████ (low, deprecated)
Conclusion
- GCM matches the performance of unencrypted transfers
- CFB severely degrades throughput
- CFB usage has a negative impact on the shared system used by all EMBL-EBI users
- IBM Aspera documentation confirms that CFB is not recommended when the CPU is the limiting factor
7. Impact on current users
We have observed that some transfers made using public accounts (fasp-public, fasp-ml, era-fasp) are still using AES-128-CFB.
For these use cases, encryption provides no security benefit, and using CFB reduces performance for:
- the user themselves
- all other users on the shared transfer nodes
For public data downloads, please switch to --cipher=none to achieve optimal performance.
For users accessing protected data:
Your account sponsor or project manager will be notified separately if your configuration requires an update.
8. Troubleshooting
8.1 How do I check which cipher I’m using?
Enable verbose logging and inspect the session: ascp -v …
Look for: cipher: aes-128-gcm
If you see: cipher: aes-128-cfb
You must update your configuration.
8.2 What if my client does not support GCM?
Update to the latest IBM Aspera Connect or ASCLI version. (see Related resources)
Older clients may silently fall back to CFB.
8.3 I download public ENA/UniProt data — do I need encryption?
No. Public-data transfers should use:
# Depending on the binary used
--cipher=none
-T
--ts=@json:'{"cipher":"none"}' This improves throughput for both you and other users.
9. Summary
| Data type | Recommended cipher | Reason |
|---|---|---|
| Private / protected | AES-128-GCM | Secure, fast, hardware-accelerated |
| Public | none | No security benefit & highest possible performance |
Using AES-128-CFB is discouraged and may negatively impact the EMBL-EBI transfer service.