Feature Request: PGP

[phooey]

I just used the WS_FTP Professional client. It has integrated OpenPGP such that it will encrypt files destined for a certain server with a certain PGP key, and decrypt them when you pull them down again.

It seemed like a good idea to me, and worth copying.

Phooey

[master.cheung]

I was told today to encrypt files and sftp to this other ftp server...

I just found out exactly this is true: seems ws_ftp pro is the only one that has this pgp-key-integrated-encrypt-and-decrypt feature...

I was hoping filezilla client can also have this function... so one useful case is that when you want to exchange many files with another person - frequently and securely.

[botg]

Why not use SFTP or FTPS? They have built-in encryption.

[charlesartbr]

CuteFTP have the commands "Upload PGPed" and "Download PGPed", is very usefull to transfer files to my server and keep them safe.

This is the only reason why I can't migrate to FileZilla definitly.

[Patte]

If you have SSH access to a server you can use SFTP, which is encrypted.
So no need for PGP-ing Files before upload.

[charlesartbr]

I use PGP in CuteFTP to upload files to my server, this server is shared with some friends, so I encrypt personal files.

[anat]

HIPAA (Health Insurance Portability & Accountability Act) requires that all people’s information has to be double encrypted. One of our partners is using FileZilla. And files with personal information have to be encrypted before transfer. I think, we need to work implementing the PGP capability to the very nice product to make it even better.

[botg]

HIPAA is total bullshit. It's just snake oil used to pacify the dumb masses, making them think their data is secure when in fact is is freely available for the highest bidder.

[da chicken]

HIPAA (Health Insurance Portability & Accountability Act) requires that all people’s information has to be double encrypted.

Not true. It requires that you take reasonable precautions against unauthorized access to data. It makes no mention of such strict technical requirements. Information must be encrypted when being transmitted over an open network. That's all it says. Do any of your partners maintain an open network on the endpoint of their secure data connection? Because that's a HIPPA violation by itself, and idiotic.

More to the point, PGP requires you to transmit a public key. So how do you get it there? SFTP in, transmit the key, encrypt the data, and issue a decrypt command? How does that help? You just sent the decryption key with only one level of encryption!

[botg]

Sensitive data should never be transferred plain. I don't need HIPAA to realize that.

[da chicken]

For a computer expert? No. But trust me, just like they have those "employee's must wash hands" signs in rest rooms and "warning: contents may be hot" on coffee cups, there's a reason these rules exist.

Honestly, what would a hospital care if your medical record got intercepted and copied? The consequences of identity theft have nothing to do with them, so what possible reasoning should they have for spending money encrypting transmissions?

[Dav]

What is the best way to support PGP with Filezilla?

[MoonNSunM]

I would like to reiterate the request for PGP encryption. Here's why -
FTPS encrypts the file only during transport, the file remains unencrypted on the server after upload.
PGP goes beyond, and encrypts the file at all levels. Encryption applies both during transport and after it has been uploaded to the ftp server. Even if the ftp server is hacked, the files remain safe.
PGP encryption includes compression, winzip style, built right in, thereby reducing the file size "on the fly" and reducing ftp upload times while also increasing security.
PGP encryption is designed so that one and only one entity can unencrypt the file. That is the entity with the private key and private password. The file remains reduced in size during download and may be uncrypted "on the fly" once downloaded.

In short, reduces file upload and download size. Prevents eavesdropping, hacking and unauthorized access both during ftp communication and while residing on the ftp server.

[redleg]

I don't understand what the issue is here.

Sure protecting your sensitive data at rest is just as important as while its in transit.. ok, so run PGP or GPG (if public key encryption fits) or use 7-zip to archive (if a shared secret will work better) from the client computer and just encrypt the files before transmitting them via FTP.

How anyone would feel comfortable using some FTP client which "automagically" uses PGP, handling your private key and passphrase is beyond me. No way I would let ws-ftp or cuteftp handle my encryption requirements outside of FTPES and certainly never touch my PGP keys rings and private keys!

[MoonNSunM]

Not an issue, rather a way to improve the tool. I stongly support one's choice not to use the integrated features that can both encrypt/decrypt and upload/download at the same time. I'm suggesting that my choice would be different if this were an available feature. I have to enter my passwords and do the work either way.

So why would my choice be different, let's take a look:

BEFORE (separate FTP and encryption tools):
Two completely different tools OR worse no encryption used.
Extra storage space used pre-upload (one original file, one encrypted file)
User may forget to delete local encrypted file after upload.
11 Easy Steps: 1.OpenPGP, 2.NavigateToFile, 3.Encrypt, 4.ClosePGP, 5.OpenFTP, 6.Navigate to File, 7.ConnectToSite 8.Upload, 9.CloseFTP, 10.NavigateToFile, 11.DeleteExtraFile. Done

AFTER (integrated FTP and encryption tools):
User has a choice, use two separate tools, or use just one tool.
More secure, less storage space, faster task completion.
5 Easier Steps: 1.OpenFTP, 2.NavigateToFile, 3.ConnectToFtp, 4.UploadWithEncryption, 5.CloseFTP. Done

Adding the feature gives users more choices over security and convenience while making Filezilla a more robust and usefull tool.

Thanks for listening and have a great day.