SFTP & GPG

SFTP

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs over the SSH protocol. It supports the full security and authentication functionality of SSH.

SFTP has pretty much replaced legacy FTP as a file transfer protocol, and is quickly replacing FTP/S. It provides all the functionality offered by these protocols, but more securely and more reliably, with easier configuration. There is basically no reason to use the legacy protocols any more.

SFTP also protects against password sniffing and man-in-the-middle attacks. It protects the integrity of the data using encryption and cryptographic hash functions, and authenticates both the server and the user.

Log in to SFTP with a key passphrase

  • Install expect

    # Ubuntu
    sudo apt install expect 
    
    # RH/CentOS
    sudo yum install expect
    
  • Set the passphrase in an environment variable

    export PASSPHRASE=Your_Secret_Pass
    
  • Create a script, sftp.sh

    #!/bin/bash
    # $PASSPHRASE is expanded by the shell before expect runs; expect then
    # types it at the private key's passphrase prompt and hands the session back to you.
    expect -c "
    spawn sftp -oPort=9022 -oIdentityFile=~/.ssh/Your_SSH_Private_Key -oPasswordAuthentication=no USER_ID@your.sftp.server.com
    expect \"*\"
    expect \"*\"
    expect \"*\"
    expect -nocase \"*passphrase*\" { send \"$PASSPHRASE\r\"; interact }
    "
    

GPG

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Generate GPG key pair

  • Generate key pair

    # Open a terminal & run the command below
    gpg --gen-key
    
    # Select option 1 (RSA and RSA)
    
    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    
    # Use 4096
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    
    # Pick option 0
    Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    
    # Enter user id, email and comment
    GnuPG needs to construct a user ID to identify your key.
    
    Real name: [Your_User_ID]
    Email address: [Your_email@email.com]
    Comment: [Your_comment]
    
    # Enter a passphrase & confirm it
    You need a passphrase to protect your secret key
    
    Enter passphrase: [your_passphrase]
    Repeat passphrase: [your_passphrase]
    
    
    

Export public key

  • The third party needs your public key to encrypt messages to you and to verify your signature, so you need to export it.

    gpg --armor --output [export_file_name]  --export [your_user_id]
    
    ## Get the fingerprint
    gpg --fingerprint
    
    
  • Pass your public key and fingerprint to the third party

Import public key

  • Import public key file

    gpg --import [public_key_file]
    
  • Sign the public key with your private key

    ## Get user id of public key
    gpg --list-keys
    
    gpg --sign-key [public_key_user_id]
    
    ## Confirm to sign
    Really sign? (y/N) y
    
    ## Enter passphrase
    Enter passphrase: [your_passphrase]
    
    
  • Update the trust level

    gpg --edit-key [public_key_user_id]
    
    ## Enter trust after the command prompt
    Command> trust
    
    ## Choose option 5 
    Please decide how far you trust this user to correctly
    verify other users' keys (by looking at passports,
    checking fingerprints from different sources...)?
    
    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu
    
    Your decision? 5
    
    # Enter q to quit
    Command> q
    
    

PGP Encryption

  • Encrypt a file

    ## The last argument is the file to encrypt; it is signed with your key and
    ## encrypted to the recipient's public key
    gpg --armor --encrypt \
    --recipient [public_key_user_id] --sign --local-user [your_user_id] \
    --output [encrypted_filename] [input_filename]
    
    ## Enter passphrase
    Enter passphrase: [your_passphrase]
    

PGP Decryption

  • Decrypt a file

    ## Decrypt with your private key and verify the sender's signature
    gpg --output [decrypted_filename] --decrypt [encrypted_filename]
    
    ## Enter passphrase
    Enter passphrase: [your_passphrase]