PGP vs SFTP

Axoliien

Senior member
Mar 6, 2002
342
0
0
We are currently using some data transmission with unencrypted files over SFTP, and others with PGP encrypted files over FTP. I wonder what are the pros and cons to using each, or if there really is any major difference when it comes to application design or scripting? My only suggestion has been that we are able to keep copies of our encrypted files in a more secure manner than flat files, but I haven't seen any differences in scripting or usage in applications. Any enlightenment would be helpful.
 

oog

Golden Member
Feb 14, 2002
1,721
0
0
The authentication step in FTP is not secure, and therefore anyone can potentially find your credentials and muck around with your files.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Depending on your requirements, storage of the encrypted file could be a huge advantage over SFTP; however, having to manage the keys is usually a con. With SFTP most people don't worry about the keys a whole lot: you cache a copy the first time you log in and the client verifies it automatically at each transmission.

I've only ever used the cli tools for GPG, not PGP, but I would imagine they're similar and not difficult to script.
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: Axoliien
We are currently using some data transmission with unencrypted files over SFTP, and others with PGP encrypted files over FTP. I wonder what are the pros and cons to using each, or if there really is any major difference when it comes to application design or scripting? My only suggestion has been that we are able to keep copies of our encrypted files in a more secure manner than flat files, but I haven't seen any differences in scripting or usage in applications. Any enlightenment would be helpful.

Only differences I could see.

Sftp/scp - more of the transmission is encrypted, not just the data payload, but the payload is left on the remote server unencrypted. Do you trust the host as much as the person it was intended for?

Pgp - payload encrypted all the way to its final destination (user), and not just to the host. Ftp is very insecure; your credentials of the transmission (username/password) are in plain text. Is the remote system secure? Does the person receiving your pgp file store their keys in a text file in the same directory? (You'd be surprised.)

I can't imagine the server doesn't also have ssh; I would sftp/scp the pgp encrypted files.
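
The combination suggested in the post above (PGP-encrypt the payload, then move it over SFTP), as an added example that is not part of any poster's message. The recipient key ID, remote account and remote directory are placeholder assumptions; the pre-upload guard only recognises ASCII-armored output, which is what this script produces.

```shell
#!/bin/sh
# Added example: encrypt to the recipient's public key, then upload only the
# ciphertext over SFTP. All three defaults below are placeholders (assumptions).
set -u
RECIPIENT="${RECIPIENT:-recipient@example.com}"
REMOTE="${REMOTE:-transfer@sftp.example.com}"
REMOTE_DIR="${REMOTE_DIR:-/incoming}"

# Encrypt $1 for $RECIPIENT; prints the path of the armored ciphertext.
encrypt_for_recipient() {
    out="$1.asc"
    gpg --batch --yes --armor --encrypt --recipient "$RECIPIENT" \
        --output "$out" "$1" || return 1
    printf '%s\n' "$out"
}

# Guard: succeed only if the first line of $1 is the PGP message armor header,
# so a plaintext file can never be queued for upload by mistake.
is_armored_pgp() {
    [ -f "$1" ] || return 1
    first=""
    IFS= read -r first < "$1" || true
    [ "$first" = "-----BEGIN PGP MESSAGE-----" ]
}

# Emit the sftp batch: upload under a .part name, then rename, so the receiver
# never picks up a half-written file.
sftp_batch() {
    name=$(basename "$1")
    printf 'put "%s" "%s/%s.part"\n' "$1" "$REMOTE_DIR" "$name"
    printf 'rename "%s/%s.part" "%s/%s"\n' "$REMOTE_DIR" "$name" "$REMOTE_DIR" "$name"
}

# Upload $1 if it passes the guard. StrictHostKeyChecking=yes makes sftp fail
# instead of prompting when the server key is not already in known_hosts.
send_encrypted() {
    is_armored_pgp "$1" || { echo "refusing to upload non-PGP file: $1" >&2; return 1; }
    sftp_batch "$1" | sftp -b - -o BatchMode=yes -o StrictHostKeyChecking=yes "$REMOTE"
}

# Usage: ./send.sh /path/to/file
if [ "$#" -ge 1 ]; then
    enc=$(encrypt_for_recipient "$1") && send_encrypted "$enc"
fi
```

The file left on the remote host is ciphertext, so it stays protected at rest there, while SFTP protects the login and the transfer itself.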
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
We actually have a ban on ftp on our systems. scp/sftp is the only method of transferring files to and from the server (well, rsync I suppose, and svn checkouts).
 

QuixoticOne

Golden Member
Nov 4, 2005
1,855
0
0
Ftp is insecure in data transport, and can be difficult to set up securely in terms of user permissions and sandboxing on the server side. Managing server side user accounts can be a bit painful too. It is a somewhat simpler protocol in that it doesn't involve encryption, so if you don't trust encryption implementations then in a way it could be less vulnerable to encryption code related problems. Overall though it is pretty obsolete with lots of disadvantages and few advantages. It is easy enough to script / program / deploy, though probably not as easy to write good/modern code to implement as a more modern protocol which might have a more advanced library set.

SSH/SCP is probably one of the most trustworthy things to use since it has been in heavy use for the past several decades. It is nicely configurable, and there are lots of portable clients and servers out there for it. It only fairly rarely has security vulnerabilities in the major implementations, maybe once or twice every couple of years.
It is very easy to script or implement based on lots of libraries / implementations available in open source.

RSYNC can and usually does run over SSH to synchronize / mirror file sets more intelligently. SCP alone however is pretty powerful when you just want to send all files in a list or all files in a recursive tree to the remote.

SFTP is rather uncommon compared to FTP / SCP, but it is common enough that you can certainly find code / implementations for it. I get the feeling the applications / server code tends to be on the older side and not quite as frequently updated / maintained as say SSH/SCP would be. Managing server side file permissions / accounts is one variable in implementations. Scripting is relatively easy, but the capacities of the protocol are a bit limited and sometimes a bit OS / implementation dependent.

I'd go with SCP when possible.

Or you could send it over an HTTPS connection securely via a web service and client side POST software or even a full client side upload manager. The only real advantage here is possibly taking advantage of the commonality of existing HTTP server infrastructure and of course the ubiquity of client side web service / HTTPS / SOAP / et al. libraries.

Of course you could use SMTP/TLS for an authentication, transport, and security solution, though the ability to do things like mirror sets of files and do interactive directories and so on are limited. It is an easy way to get a file securely from one spot to another though using common infrastructure in the client and server.

 