FTP client with file encryption for remote backup?

Discussion in 'Computer Security' started by Tom, Feb 20, 2006.

  1. Tom

    Tom Guest

    Hi,

    I would like to use my ISP's FTP server for backing up my personal files
    from my desktop. I was wondering if there is a tool available (open
    source/freeware if possible) that can automatically encrypt files while
    transfering them to a remote FTP server, so that the files on the remote
    server cannot be used by the ISP.

    Thanks,
    Tom
     
    Tom, Feb 20, 2006
    #1
    1. Advertising

  2. Tom

    Todd H. Guest

    "Tom" <> writes:

    > Hi,
    >
    > I would like to use my ISP's FTP server for backing up my personal files
    > from my desktop. I was wondering if there is a tool available (open
    > source/freeware if possible) that can automatically encrypt files while
    > transfering them to a remote FTP server, so that the files on the remote
    > server cannot be used by the ISP.


    File encryption is what you need. Transport level encryption is moot
    if the goal is to protect admins of the remote machine from doing
    anything with them:

    On *nix, or using cygwin in windows (include gpg in what gets installed):

    tar cvfz somfile.tgz /path/to/backup
    gpg -c somefile.tgz > somefile.tgz.gpg (symmetric key option used for simplicity)
    ftp or scp somefile.tgz.gpg to the ISP



    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 20, 2006
    #2
    1. Advertising

  3. Tom

    ~David~ Guest

    The best that I've come across is FileZilla, found at
    http://filezilla.sourceforge.net/. It's free and open-source, and can do ftp,
    and sftp, which is ran over an ssh server. FTP is not encrypted, so the easiest
    way for security in most cases is to make sure your ISP has an ssh server set up
    so you can use sftp (usually you log in with your normal user/pass). FileZilla
    will let you set up a profile for this, making it a pretty good tool, IMHO.

    ~David~

    Tom wrote:
    > Hi,
    >
    > I would like to use my ISP's FTP server for backing up my personal files
    > from my desktop. I was wondering if there is a tool available (open
    > source/freeware if possible) that can automatically encrypt files while
    > transfering them to a remote FTP server, so that the files on the remote
    > server cannot be used by the ISP.
    >
    > Thanks,
    > Tom
    >
    >
     
    ~David~, Feb 20, 2006
    #3
  4. Tom

    Todd H. Guest

    ~David~ <> writes:
    > Tom wrote:
    > > Hi,
    > >
    > > I would like to use my ISP's FTP server for backing up my personal files
    > > from my desktop. I was wondering if there is a tool available (open
    > > source/freeware if possible) that can automatically encrypt files while
    > > transfering them to a remote FTP server, so that the files on the remote
    > > server cannot be used by the ISP.
    > >
    > > Thanks,
    > > Tom

    >
    > The best that I've come across is FileZilla, found at
    > http://filezilla.sourceforge.net/. It's free and open-source, and can do ftp,
    > and sftp, which is ran over an ssh server. FTP is not encrypted, so the easiest
    > way for security in most cases is to make sure your ISP has an ssh server set up
    > so you can use sftp (usually you log in with your normal user/pass). FileZilla
    > will let you set up a profile for this, making it a pretty good
    > tool, IMHO.


    Actually, the original question is more interesting than the
    relatively simple question of encrypted transport.

    What Tom wants is something that will automagiclaly encrypt the files
    on the fly, and leave them in encrypted form on the target server.
    The concern is not so much one of securing them from being sniffed in
    transit in the clear, but rather to prevent admins of the target
    server from being able to do anything useful with his data that he
    stores there.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 20, 2006
    #4
  5. Why would his ISP want to allow him to do this?

    Encrypted files on their server -- over which they have no access?

    Bonkers...

    DSH

    "Todd H." <> wrote in message
    news:...

    > ~David~ <> writes:
    >> Tom wrote:
    >> > Hi,
    >> >
    >> > I would like to use my ISP's FTP server for backing up my personal
    >> > files
    >> > from my desktop. I was wondering if there is a tool available (open
    >> > source/freeware if possible) that can automatically encrypt files while
    >> > transfering them to a remote FTP server, so that the files on the
    >> > remote
    >> > server cannot be used by the ISP.
    >> >
    >> > Thanks,
    >> > Tom

    >>
    >> The best that I've come across is FileZilla, found at
    >> http://filezilla.sourceforge.net/. It's free and open-source, and can do
    >> ftp,
    >> and sftp, which is ran over an ssh server. FTP is not encrypted, so the
    >> easiest
    >> way for security in most cases is to make sure your ISP has an ssh server
    >> set up
    >> so you can use sftp (usually you log in with your normal user/pass).
    >> FileZilla
    >> will let you set up a profile for this, making it a pretty good
    >> tool, IMHO.

    >
    > Actually, the original question is more interesting than the
    > relatively simple question of encrypted transport.
    >
    > What Tom wants is something that will automagiclaly encrypt the files
    > on the fly, and leave them in encrypted form on the target server.
    > The concern is not so much one of securing them from being sniffed in
    > transit in the clear, but rather to prevent admins of the target
    > server from being able to do anything useful with his data that he
    > stores there.
    >
    > Best Regards,
    > --
    > Todd H.
    > http://www.toddh.net/
     
    D. Spencer Hines, Feb 20, 2006
    #5
  6. Tom

    nemo_outis Guest

    "D. Spencer Hines" <> wrote in
    news:OipKf.76$:

    > Why would his ISP want to allow him to do this?
    >
    > Encrypted files on their server -- over which they have no access?
    >
    > Bonkers...
    >
    > DSH




    There are dozens of such services, including Rapidshare and Megaupload. I
    have uploaded and downloaded literally gigabytes of files to/from such
    places.

    Regards,

    PS The interface is usually HTTP rather than FTP though
     
    nemo_outis, Feb 20, 2006
    #6
  7. Tom

    Todd H. Guest

    "D. Spencer Hines" <> writes:
    > Why would his ISP want to allow him to do this?
    >
    > Encrypted files on their server -- over which they have no access?


    Not "no access." Instead, "No useful access." Sure the file's
    readable to the ISP administrator as root, but it's an encrypted mess
    from which no useful information can be extracted except by the file's
    rightful owner/creator who knows the encryption token (be it password,
    or private key, whatever).

    > Bonkers...


    Um....no, it's called privacy.

    If you want to store an encrypted file on an ISP's servers that
    includes backups of your financial software data, encrypted password
    hashes for all customers to your web application, etc there's no
    (legitimate) reason in the world an ISP shouldn't let you.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 20, 2006
    #7
  8. D. Spencer Hines wrote:

    > Why would his ISP want to allow him to do this?
    >
    > Encrypted files on their server -- over which they have no access?


    Why would an ISP think they had any say so in the matter, as long as the
    OP remained within his contractually agreed upon space allocation limits.

    I find it a little disconcerting that you'd assume someone was guilty
    until proved innocent, or that an ISP had the right to make that
    determination. Last I knew, possession of encrypted data wasn't a crime in
    any civilized jurisdiction.

    > Bonkers...


    A lot of people might say that of YOUR argument. ;)
     
    Borked Pseudo Mailed, Feb 20, 2006
    #8
  9. Arrant Twaddle...

    Great Way For Terrorists To File Data And Plans -- Encrypted -- For Pickup
    By Confederates -- On An ISP FTP Server.

    Don't You Pogues Realize We Are At War?

    Damned, If You Aren't Gullible, Naive Children!

    Now, Go Stand In The Dunces' Corner -- With Your Faces To The Wall.

    DSH

    Lux et Veritas et Libertas

    Veni, Vidi, Calcitravi Asinum
     
    D. Spencer Hines, Feb 20, 2006
    #9
  10. Tom

    Todd H. Guest

    "D. Spencer Hines" <> writes:

    > Arrant Twaddle...
    >
    > Great Way For Terrorists To File Data And Plans -- Encrypted -- For Pickup
    > By Confederates -- On An ISP FTP Server.
    >
    > Don't You Pogues Realize We Are At War?
    >
    > Damned, If You Aren't Gullible, Naive Children!
    >
    > Now, Go Stand In The Dunces' Corner -- With Your Faces To The Wall.
    >
    > DSH


    You're either a troll, being facetious, or a complete imbecile.
    Please indicate which.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 20, 2006
    #10
  11. If you want to encrypt some files -- put them on an FTP Server at an ISP --
    insist that the ISP have no access to them, or anyone else, except as you
    designate and/or control -- I want the Department of Homeland Security to be
    checking into what you are up to -- through the FBI, and other Agencies as
    appropriate.

    DSH

    Lux et Veritas et Libertas
     
    D. Spencer Hines, Feb 21, 2006
    #11
  12. Tom

    Todd H. Guest

    "D. Spencer Hines" <> writes:

    > If you want to encrypt some files -- put them on an FTP Server at an
    > ISP -- insist that the ISP have no access to them, or anyone else,
    > except as you designate and/or control -- I want the Department of
    > Homeland Security to be checking into what you are up to -- through
    > the FBI, and other Agencies as appropriate.


    Okay, that answers it--you're an imbecile. At least on this topic.

    You don't have the requisite knowledge of the legitimate merits of
    "confidentiality" that encryption provides to even be _posting_ in
    alt.computer.security.

    Yes, encryption can be misused by the bad guys. But that's no reason
    to suspect everyone who uses it as being up to something nasty.

    Ever bought something on the web using an SSL secured website? You
    have? Oh my, you terrorist! You actually wanted your credit card
    data encrypted in transit over an ISP? Rogue!

    Ever entered your credit card number, name, home phone, address
    information? Wouldn't you like that company to use strong encryption
    on that database to make sure any $10/hr employee of the ISP hosting
    that store's server (and up to 100's of other company's databases)
    with logical access to that server to be able to read that database?

    Say your health care providers records, or your scholastic aptitude
    tests from gradeschool are on some institutions computers somewhere,
    hosted by an ISP. I suppose you wouldn't want encryption on those to
    prevent the janitor there from downloading the files onto a CD-ROM and
    selling the records en masse to some company looking to profit off of
    the information?

    Or would want the DHS to prohibit that and leave you information
    exposed? Apparently you do, or you seem to want yourself investigate
    by big brother.

    "Any society that would give up a little liberty to gain a little
    security will deserve neither and lose both." Benjamin Franklin

    And in this context where we talk about encryption, liberty is defined
    as the right to keep your information just as private as you want it
    to be, disclosed only to those to whom you have disclosed them, and no
    one else (even the feds).

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 21, 2006
    #12
  13. Nonsense!

    I didn't say anything of the sort.

    Read what I WROTE -- not some anserine STRAWMAN you have conjured up in your
    fevered brain.

    I described quite SPECIFIC circumstances having nothing whatsoever to do
    with your fevered brainfarts.

    Neither did I say no one should be allowed to encrypt anything.

    'Nuff Said.

    DSH

    "Todd H." <> wrote in message
    news:...

    > "D. Spencer Hines" <> writes:
    >
    >> If you want to encrypt some files -- put them on an FTP Server at an
    >> ISP -- insist that the ISP have no access to them, or anyone else,
    >> except as you designate and/or control -- I want the Department of
    >> Homeland Security to be checking into what you are up to -- through
    >> the FBI, and other Agencies as appropriate.


    <baldersnip>

    > Yes, encryption can be misused by the bad guys. But that's no reason
    > to suspect everyone who uses it as being up to something nasty.
    >
    > Ever bought something on the web using an SSL secured website? You
    > have? Oh my, you terrorist! You actually wanted your credit card
    > data encrypted in transit over an ISP? Rogue!


    <baldersnip>
     
    D. Spencer Hines, Feb 21, 2006
    #13
  14. Tom

    Todd H. Guest

    "D. Spencer Hines" <> writes:

    > I described quite SPECIFIC circumstances having nothing whatsoever to do
    > with your fevered brainfarts.



    > > "D. Spencer Hines" <> writes:
    > >
    > >> If you want to encrypt some files -- put them on an FTP Server at an
    > >> ISP -- insist that the ISP have no access to them, or anyone else,
    > >> except as you designate and/or control -- I want the Department of
    > >> Homeland Security to be checking into what you are up to -- through
    > >> the FBI, and other Agencies as appropriate.


    Okay, I'll bite.

    Tell us how your "SPECIFIC circumstances" quoted above are any
    different, or programmatically detectable as any different by any ISP
    than the extensions to that argument that I detail.

    I'm not sure you fully grasp that small businesses use ISPs for web
    application and FTP hosting, and remote file backup just like
    individuals do, and have all the same legitimate reasons to encrypt
    their proprietary data as an individual does.

    Remember this thread started with a guy who simply wanted offsite
    backup of some stuff on his home machine.

    Now tell us, how is an individual's Quicken data file directories, or
    backups of their family photos, or personal journals, love letters,
    etc that they don't want disclosed to the world or the government:

    a) any different in concept than the customer payment database
    of a small business that has a hosted shopping cart and
    payment system, the photos of a trade secret confidential
    prototype, design documentation on trade secret

    b) at all detectable as "different" by an internet service
    provider so they can be flagged for DHS scrutiny in your
    strange little surveillance world

    Even if you were able to define that difference in a), b) is
    techincally impossible to programmatically define. You can't
    differentiate encrypted file a from encrypted file b without some
    organization having a backdoor to the encryption algorithm. You also
    simply don't get the importance of confidentiality, and why you're off
    your rocker for even hinting that the original poster is asking for
    something even remotely subversive in wanting to protect his personal
    computer's backup files from potential disclosure to average joes at
    his ISP.

    However, without this style of ignorance in the world, the history
    books wouldn't have much to write about at the Salem Witch Trials, or
    for the excesses of Senator McCarthy's crusade during the red scare--
    where large numbers of completely innocent people suffered mightily at
    the hand of their government's and weak-minded people's willingness to
    give up the keys to the liberties people have fought and died for.

    But then again, dramatic changes in the times causes people to get
    pretty irrational.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 21, 2006
    #14
  15. D. Spencer Hines wrote:

    > Arrant Twaddle...
    >
    > Great Way For Terrorists To File Data And Plans -- Encrypted -- For Pickup
    > By Confederates -- On An ISP FTP Server.


    You must have let your AFDB support contract lapse. It's obviously
    filtering incorrect wavelengths. :( Those files belong to American agents.
    They're securely transferring terrorist plans recently pilfered from the
    Evul Umpire's secret island hideaway. But here you are suggesting we
    disallow that transfer, thereby causing the deaths of billions of innocent
    people.

    Way to go, Ace. <snicker>

    >
    > Don't You Pogues Realize We Are At War?


    Don't you realize you're helping them win? Puppeting yourself to their
    whims by willfully giving up what they might otherwise have to take by
    force? Specifically, your freedom. And for absolutely no benefit to your
    safety or security what so ever.

    You're what those terrorists refer to as a "useful idiot".

    > Damned, If You Aren't Gullible, Naive Children!


    I see. You think terrorists are going to be in any way encumbered by not
    allowing people to store encrypted files in their own account space, but
    every one else is "naive".

    You really *don't* know much about this stuff, do you?

    Truth be known, transferring files this way, even encrypted files, is a
    pretty piss poor way of getting the job done considering all the better
    options there are. You're tying all your files to an account right off the
    bat, then leaving them hanging in mid air for some unspecified amount of
    time. That leaves not only the people accessing the files, but the files
    themselves vulnerable to attack.

    Serious terrorists wouldn't be using anything so woefully insecure as any
    normal Internet connection to begin with. That's a made-for-TV fantasy
    you're using to prop up your amusing paranoia right from the get go. And
    if they did find themselves in the position of being forced to communicate
    via such insecure means, you can bet bottom dollar it would be ephemeral
    and real time. There's just too many easy options and they're *way* more
    secure.

    By your misguided illogic, the better way to fight terrorism would be to
    outlaw SSL. But do we see you wetting yourself over people who bank on
    line? No, just PGP users and other "naive" citizens. <chuckle>

    > Now, Go Stand In The Dunces' Corner -- With Your Faces To The Wall.


    Can I borrow your pointy hat? :)
     
    Borked Pseudo Mailed, Feb 21, 2006
    #15
  16. Tom

    ~David~ Guest

    It seems that what you want is encryption to the disk ON the file server.
    Assuming the legality and politics work out (ISP's let you store data, and it
    should be whatever data you want to store, so long as its with in your quota
    limits) there are two ways I can think of.

    One is to encrypt the data on your systems before it is sent over. This seems
    to be the most realistic solution at the moment, as it doesn't require any work
    or coordination with your ISP.

    The second way, which is what I believe you conceptually want, is to transfer
    the files and have them encrypted AT the ISP server. This would probably
    involve a _lot_ of bash/tsh (assuming your ISP uses unix/linux) scripting along
    with gnupg, assuming it is installed on your ISP's server or they give you
    permission to install it... Your script would have to detect every file
    transfered through scp/sftp and after its transfered run it through "gpg -c
    <other options> file.name" and you would have to store a key on the server.

    Encrypting it prior to transmission is probably the easiest thing to do. Then
    you won't have to bother with sftp and you can use plain FTP. Maybe someday one
    of the openSSL or gnupg devs will come up with something easier, or maybe
    something like this exists already?

    ~David~

    Tom wrote:
    > Hi,
    >
    > I would like to use my ISP's FTP server for backing up my personal files
    > from my desktop. I was wondering if there is a tool available (open
    > source/freeware if possible) that can automatically encrypt files while
    > transfering them to a remote FTP server, so that the files on the remote
    > server cannot be used by the ISP.
    >
    > Thanks,
    > Tom
    >
    >
     
    ~David~, Feb 22, 2006
    #16
  17. ~David~ wrote:

    > One is to encrypt the data on your systems before it is sent over. This


    The only acceptable way.

    > The second way, which is what I believe you conceptually want, is to
    > transfer the files and have them encrypted AT the ISP server. This would
    > probably involve a _lot_ of bash/tsh (assuming your ISP uses unix/linux)
    > scripting along with gnupg, assuming it is installed on your ISP's server


    <snip>

    Utterly useless. If the files are encrypted at the destination it means
    that both the encryption keys and/or pass phrase are available to anyone
    with rights on that server. That could include nefarious tech support
    people, foreign spies, or anything in between. Your data is only slightly
    more secure than cleartext. At least your grandmother wouldn't be able to
    read it, assuming she's only a stereotypical grandmother. ;)

    > Encrypting it prior to transmission is probably the easiest thing to do.
    > Then you won't have to bother with sftp and you can use plain FTP. Maybe


    Transferring encrypted files securely still has benefits. An eves dropper
    wouldn't be able to determine which files are being transfered for
    instance. Sometimes file contents aren't the only avenue of attack. It
    would still be preferable to move them about via SSL or similar.
     
    Borked Pseudo Mailed, Feb 22, 2006
    #17
  18. Tom

    ~David~ Guest

    Borked Pseudo Mailed wrote:
    > ~David~ wrote:
    >
    >> One is to encrypt the data on your systems before it is sent over. This

    >
    > The only acceptable way.
    >
    >> The second way, which is what I believe you conceptually want, is to
    >> transfer the files and have them encrypted AT the ISP server. This would
    >> probably involve a _lot_ of bash/tsh (assuming your ISP uses unix/linux)
    >> scripting along with gnupg, assuming it is installed on your ISP's server

    >
    > <snip>
    >
    > Utterly useless. If the files are encrypted at the destination it means
    > that both the encryption keys and/or pass phrase are available to anyone
    > with rights on that server. That could include nefarious tech support
    > people, foreign spies, or anything in between. Your data is only slightly
    > more secure than cleartext. At least your grandmother wouldn't be able to
    > read it, assuming she's only a stereotypical grandmother. ;)

    If a good enough password is used with the key it will make the security
    stronger. But encrypting them before hand is still the best way.

    >> Encrypting it prior to transmission is probably the easiest thing to do.
    >> Then you won't have to bother with sftp and you can use plain FTP. Maybe

    >
    > Transferring encrypted files securely still has benefits. An eves dropper
    > wouldn't be able to determine which files are being transfered for
    > instance. Sometimes file contents aren't the only avenue of attack. It
    > would still be preferable to move them about via SSL or similar.
    >

    I agree but if the ISP doesn't have and won't set up SSL/ssh then he may have to
    use FTP anyway.
     
    ~David~, Feb 22, 2006
    #18
  19. ~David~ wrote:

    >> Utterly useless. If the files are encrypted at the destination it means
    >> that both the encryption keys and/or pass phrase are available to anyone
    >> with rights on that server. That could include nefarious tech support
    >> people, foreign spies, or anything in between. Your data is only
    >> slightly more secure than cleartext. At least your grandmother wouldn't
    >> be able to read it, assuming she's only a stereotypical grandmother. ;)

    >
    > If a good enough password is used with the key it will make the security
    > stronger. But encrypting them before hand is still the best way.


    No. Your password strength is completely meaningless in this scenario
    because for encryption to be done remotely that password MUST somehow be
    transmitted to the remote machine, in a usable form. IOW, you MUST give
    them your password willingly, in the clear as far as they're concerned.
    There simply is no other way for them to "enter" it
     
    Borked Pseudo Mailed, Feb 22, 2006
    #19
  20. Hilarious!

    DSH

    "Borked Pseudo Mailed" <> wrote in message
    news:...

    > ~David~ wrote:
    >
    >>> Utterly useless. If the files are encrypted at the destination it means
    >>> that both the encryption keys and/or pass phrase are available to anyone
    >>> with rights on that server. That could include nefarious tech support
    >>> people, foreign spies, or anything in between. Your data is only
    >>> slightly more secure than cleartext. At least your grandmother wouldn't
    >>> be able to read it, assuming she's only a stereotypical grandmother. ;)

    >>
    >> If a good enough password is used with the key it will make the security
    >> stronger. But encrypting them before hand is still the best way.

    >
    > No. Your password strength is completely meaningless in this scenario
    > because for encryption to be done remotely that password MUST somehow be
    > transmitted to the remote machine, in a usable form. IOW, you MUST give
    > them your password willingly, in the clear as far as they're concerned.
    > There simply is no other way for them to "enter" it
     
    D. Spencer Hines, Feb 22, 2006
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?iso-8859-1?Q?-=3D|__=28=BAL=BA=29__|=3D-____o=3D

    Which hard drive encryption program has the strongest tested encryption & security?

    =?iso-8859-1?Q?-=3D|__=28=BAL=BA=29__|=3D-____o=3D, Sep 24, 2004, in forum: Computer Security
    Replies:
    6
    Views:
    4,018
    Kornholio
    Feb 20, 2008
  2. D. Spencer Hines

    Re: FTP Client With File Encryption For Remote Backup?

    D. Spencer Hines, Feb 21, 2006, in forum: Computer Security
    Replies:
    3
    Views:
    455
    Borked Pseudo Mailed
    Feb 21, 2006
  3. D. Spencer Hines

    Re: FTP Client With File Encryption For Remote Backup?

    D. Spencer Hines, Feb 23, 2006, in forum: Computer Security
    Replies:
    2
    Views:
    404
    D. Spencer Hines
    Feb 23, 2006
  4. Giuen
    Replies:
    0
    Views:
    1,531
    Giuen
    Sep 12, 2008
  5. Tom
    Replies:
    1
    Views:
    630
    John Holmes
    Oct 12, 2008
Loading...

Share This Page