Skip to main content

Enabling SFTP

SFTP is the premier protocol used for file transfers. It is very secure (if configured properly) and it is preferred by most funding agencies. There is a multitude of SFTP clients both free/open source and commercial that provide a great convenience for transferring large amounts of data.

Using the SFTP gateway is by far the most efficient mechanism to move data from the outside into a virtual machine.

To ensure the security of the system, the VM Controller tightly controls the SSH/SFTP settings, primarily to prevent the following:

  • Un-audited/un-authorized data exfiltration

  • Console access outside tiCrypt mechanisms

It does so by disabling all the SSH features except SFTP and by placing SFTP in "write-only" mode (no file reads). Effectively, the SFTP client will be able to see the directory structure, create new directories, and create new files but it will not be able to read any existing file.

Linux instructions

Most Linux distributions install by default OpenSSH and set it to start automatically. These instructions are specific to CentOS/Redhat 7.0 but similar instructions work for other Linux variants.

Only two steps need to be performed for Linux:

  1. Disable the OpenSSH server to allow the VM Controller to grab port 22 using +systemctl disable sshd+

  2. Set sftpEnabled = true in the [tunnel] section in the VM configuration file: /etc/ticrypt/controller.toml

If step 1 is not performed, the VM controller will not start correctly.

Windows instructions

First, OpenSSH must be installed. You can find excellent instructions from https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

The rest of the setup instructions are:

  1. Edit the image configuration file C:\'Program Files'\'Tera Insights'\'tiCrypt VM Controller'\controller.toml

    1. Set sftpEnabled = true in the [tunnel] section.

    2. Set sshDirPath to the path to the directory where OpenSSH is installed, which should contain at least sshd.exe and ssh-keygen.exe.

  2. Disable the automatic start of openSSH if set.

  3. Run the following command, as Administrator, to grant the VM controller service the permissions that OpenSSH needs to impersonate other users:

sc.exe privs ticrypt-vm-controller SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege

In step 1.b, if the OpenSSH bin directory is already on the PATH, you do not need to set sshDirPath

If step 2 is not performed, the VM controller will not start correctly.