Encryption

Requests to the server, including usernames, passwords, and file paths, are always protected by AES encryption.

Clients may also request content encryption.  Refer to the documentation for MTPexpedat, DropDat, movedat, or syncdat for details.

Administrators wishing to ensure that data content is always encrypted can enable the server's RequireEncrypt option.  When this is enabled, transactions without content encryption will be rejected with an error telling the user that they must enable encryption.

Using encryption will increase the CPU load of both the server and the client computers, which may cause a reduction in performance.  On modern CPUs, about one available CPU core is needed to support each gigabit per second of encrypted throughput.

Administrators wishing to prevent content encryption can disable the server's AllowEncrypt option.  When this option is disabled, transactions requesting content encryption will be rejected with an error telling the user that content encryption is not supported.  Request data, including usernames, passwords, and file paths, are always encrypted regardless of this or other settings.

For more general information about application security, see Tech Note 0016.

Security Spaces

A security space is a group of servers and the clients which are permitted to talk to those servers.  A server will not allow transactions from a client which is not a member of one of that server's security spaces.  A client cannot perform transactions with a server which is not a member of the client's security space.

Most ExpeDat licenses belong to the "DEI" security space, which allows interoperability between all standard ExpeDat clients and servers. 

Customers wishing to restrict access more than the usual username and password authentication may request a private security space.  With a private security space, only those clients issued to that customer may access that customer's servers.