Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

SFTP and PGP?

 
fred rosenberger
lowercase baba
Bartender
Posts: 12149
31
Chrome Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Looking for opinions...

I am working with a vendor. Currently, we PGP encrypt files when we send to them. They are requesting that we change to SFTP. That's all fine. However, they say that they consider the "best practice" to be using BOTH SFTP and PGP encryption of the file.

Am I missing something? To me, that seems like gilding the lily, but I'm willing to listen if anyone knows otherwise...
 
Richard Tookey
Bartender
Posts: 1166
17
Java Linux Netbeans IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You don't say what medium you currently use to transfer the files but I assume it is some unencrypted channel such as FTP or Email. If so then the primary protection comes from the protection of the PGP private keys. An attacker therefore has to gain access to the RX computer and then get access to the PGP private key to gain access to the secret files.

If the SSH connection over which the SFTP runs is authenticated using (username,password) pairs then this is fairly weak so it would definitely be an advantage to also PGP encrypted files. If one uses public key authentication to access the RX computer using SSH /SFTP then on the surface also PGP encrypting is overkill but does it hurt? I think not. It still means that if the RX computer is compromised an attacker still has to get access to the PGP private key

One weakness you have not covered is possible access to the unencrypted files on either the TX or RX computers. To my mind this is the real weakness.

If I were involved I would keep the customer happy and do whatever he asks as long as it does not actually compromise security.
 
fred rosenberger
lowercase baba
Bartender
Posts: 12149
31
Chrome Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
so I am not an expert at all. These are some kind of financial records going from my corporation to Vanguard.

Currently, we use a straight FTP connection, with the files PGP encrypted.

We are moving away from PGP, and trying to go to more SFTP connections. We use either public/private pre-shared keys, or sometimes a normal user id/pw.

Both machines are behind their respective company's firewall. Vanguard is going to open up theirs to our IP.
 
Richard Tookey
Bartender
Posts: 1166
17
Java Linux Netbeans IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
While ever "id/pw." authentication is allowed I would PGP encrypt.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic