Shows that the FTP+GPG combination cannot be used in place of SFTP; SFTP is still more secure. Also includes a how-to document on setting up passwordless, SFTP-based automated file transfers.

Recently, we needed to set up secure file transfer with a third party that did not support SFTP. Hence we decided to use FTP+GPG, which means transferring GPG-encrypted files over FTP. For more details on GPG, visit the homepage http://www.gnupg.org/. It can also operate in ‘portable’ mode, from a USB key.

We did not realise that this combination is still significantly less secure than SFTP-based transfer. The threats it does not cater to, and which SFTP can combat, are:

  • Someone can learn the username and password used in the connection, since these are still transferred unencrypted
  • Using these, someone can load their own files onto the server, which can be designed either to infect the system or to upload malicious information

Even if GPG signatures are used (as we did after coming to know about these shortcomings), there is still the risk of someone replaying the same files that we received. Even this can cause problems in certain situations. Hence, we had to resort to fixing the source IP to combat the problems. Due to using signatures and IP fixing, it all turned out to be more cumbersome, and still less secure.
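
The replay gap described above, as an added example that is not part of the original post: a signature check alone accepts a file that is sent a second time, so the receiver also tracks a sequence number that the signature covers. HMAC-SHA256, the demo key, and the function and class names are assumptions standing in for GPG signature verification so the code runs offline.

```python
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 stands in for GPG signature verification
# so the example runs with only the standard library.
DEMO_KEY = b"constructed-demo-key"


def sign(seq: int, payload: bytes) -> bytes:
    """Sender side: the sequence number is covered by the signature."""
    msg = seq.to_bytes(8, "big") + payload
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


def signature_ok(seq: int, payload: bytes, sig: bytes) -> bool:
    """A valid signature proves origin and integrity, not freshness."""
    return hmac.compare_digest(sign(seq, payload), sig)


class Receiver:
    """Accepts signed files only in strictly increasing sequence order."""

    def __init__(self) -> None:
        self.last_seq = 0  # in real use, persist this between transfers

    def accept(self, seq: int, payload: bytes, sig: bytes) -> str:
        if not signature_ok(seq, payload, sig):
            return "rejected: bad signature"
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def demo() -> list:
    rx = Receiver()
    # Constructed sample uploads: (sequence number, file content, signature)
    first = (1, b"payments-batch-A", sign(1, b"payments-batch-A"))
    second = (2, b"payments-batch-B", sign(2, b"payments-batch-B"))
    relabelled = (3, b"payments-batch-A", first[2])  # old file, new number
    return [
        rx.accept(*first),       # genuine upload
        rx.accept(*first),       # same file and signature sent again
        rx.accept(*second),      # next genuine upload
        rx.accept(*relabelled),  # signature no longer matches sequence 3
    ]


if __name__ == "__main__":
    print(demo())
```

The second call is the important one: the signature on the re-sent file is still valid, and only the sequence check stops it.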

The best way currently to establish automated file transfers is password-less SFTP. It does not require any password to be transferred over the network at all, keeps everything encrypted, and a disgruntled employee who happens to remember a password (in the case of password-based SFTP) cannot disrupt your services.

This document contains instructions on how to set this up: Password SFTP – How to setup. There is also an online version of the same document. If you have any questions, please post as comments.