FTP client with file encryption for remote backup?

Discussion in 'Computer Security' started by Tom, Feb 20, 2006.

  1. Tom

    Tom Guest


    I would like to use my ISP's FTP server for backing up my personal files
    from my desktop. I was wondering if there is a tool available (open
    source/freeware if possible) that can automatically encrypt files while
    transferring them to a remote FTP server, so that the files on the remote
    server cannot be used by the ISP.

    Tom, Feb 20, 2006

  2. Tom

    Todd H. Guest

    File encryption is what you need. Transport level encryption is moot
    if the goal is to protect admins of the remote machine from doing
    anything with them:

    On *nix, or using cygwin in windows (include gpg in what gets installed):

    tar cvfz somefile.tgz /path/to/backup
    gpg -c somefile.tgz   # writes somefile.tgz.gpg (symmetric key option used for simplicity)
    ftp or scp somefile.tgz.gpg to the ISP
    Todd H., Feb 20, 2006

  3. Tom

    ~David~ Guest

    The best that I've come across is FileZilla, found at
    http://filezilla.sourceforge.net/. It's free and open-source, and can do ftp,
    and sftp, which is run over an ssh server. FTP is not encrypted, so the easiest
    way for security in most cases is to make sure your ISP has an ssh server set up
    so you can use sftp (usually you log in with your normal user/pass). FileZilla
    will let you set up a profile for this, making it a pretty good tool, IMHO.

    ~David~, Feb 20, 2006
  4. Tom

    Todd H. Guest

    Actually, the original question is more interesting than the
    relatively simple question of encrypted transport.

    What Tom wants is something that will automagically encrypt the files
    on the fly, and leave them in encrypted form on the target server.
    The concern is not so much one of securing them from being sniffed in
    transit in the clear, but rather to prevent admins of the target
    server from being able to do anything useful with his data that he
    stores there.

    Best Regards,
    Todd H., Feb 20, 2006
  5. Why would his ISP want to allow him to do this?

    Encrypted files on their server -- over which they have no access?


    D. Spencer Hines, Feb 20, 2006
  6. Tom

    nemo_outis Guest

    There are dozens of such services, including Rapidshare and Megaupload. I
    have uploaded and downloaded literally gigabytes of files to/from such


    PS The interface is usually HTTP rather than FTP though
    nemo_outis, Feb 20, 2006
  7. Tom

    Todd H. Guest

    Not "no access." Instead, "No useful access." Sure the file's
    readable to the ISP administrator as root, but it's an encrypted mess
    from which no useful information can be extracted except by the file's
    rightful owner/creator who knows the encryption token (be it password,
    or private key, whatever).
    Um....no, it's called privacy.

    If you want to store an encrypted file on an ISP's servers that
    includes backups of your financial software data, encrypted password
    hashes for all customers to your web application, etc there's no
    (legitimate) reason in the world an ISP shouldn't let you.

    Best Regards,
    Todd H., Feb 20, 2006
  8. Why would an ISP think they had any say so in the matter, as long as the
    OP remained within his contractually agreed upon space allocation limits.

    I find it a little disconcerting that you'd assume someone was guilty
    until proved innocent, or that an ISP had the right to make that
    determination. Last I knew, possession of encrypted data wasn't a crime in
    any civilized jurisdiction.
    A lot of people might say that of YOUR argument. ;)
    Borked Pseudo Mailed, Feb 20, 2006
  9. Arrant Twaddle...

    Great Way For Terrorists To File Data And Plans -- Encrypted -- For Pickup
    By Confederates -- On An ISP FTP Server.

    Don't You Pogues Realize We Are At War?

    Damned, If You Aren't Gullible, Naive Children!

    Now, Go Stand In The Dunces' Corner -- With Your Faces To The Wall.


    Lux et Veritas et Libertas

    Veni, Vidi, Calcitravi Asinum
    D. Spencer Hines, Feb 20, 2006
  10. Tom

    Todd H. Guest

    You're either a troll, being facetious, or a complete imbecile.
    Please indicate which.
    Todd H., Feb 20, 2006
  11. If you want to encrypt some files -- put them on an FTP Server at an ISP --
    insist that the ISP have no access to them, or anyone else, except as you
    designate and/or control -- I want the Department of Homeland Security to be
    checking into what you are up to -- through the FBI, and other Agencies as


    Lux et Veritas et Libertas
    D. Spencer Hines, Feb 21, 2006
  12. Tom

    Todd H. Guest

    Okay, that answers it--you're an imbecile. At least on this topic.

    You don't have the requisite knowledge of the legitimate merits of
    "confidentiality" that encryption provides to even be _posting_ in

    Yes, encryption can be misused by the bad guys. But that's no reason
    to suspect everyone who uses it as being up to something nasty.

    Ever bought something on the web using an SSL secured website? You
    have? Oh my, you terrorist! You actually wanted your credit card
    data encrypted in transit over an ISP? Rogue!

    Ever entered your credit card number, name, home phone, address
    information? Wouldn't you like that company to use strong encryption
    on that database to make sure any $10/hr employee of the ISP hosting
    that store's server (and up to 100s of other companies' databases)
    with logical access to that server to be able to read that database?

    Say your health care providers records, or your scholastic aptitude
    tests from gradeschool are on some institutions computers somewhere,
    hosted by an ISP. I suppose you wouldn't want encryption on those to
    prevent the janitor there from downloading the files onto a CD-ROM and
    selling the records en masse to some company looking to profit off of
    the information?

    Or would want the DHS to prohibit that and leave your information
    exposed? Apparently you do, or you seem to want yourself investigated
    by big brother.

    "Any society that would give up a little liberty to gain a little
    security will deserve neither and lose both." Benjamin Franklin

    And in this context where we talk about encryption, liberty is defined
    as the right to keep your information just as private as you want it
    to be, disclosed only to those to whom you have disclosed them, and no
    one else (even the feds).

    Best Regards,
    Todd H., Feb 21, 2006
  13. Nonsense!

    I didn't say anything of the sort.

    Read what I WROTE -- not some anserine STRAWMAN you have conjured up in your
    fevered brain.

    I described quite SPECIFIC circumstances having nothing whatsoever to do
    with your fevered brainfarts.

    Neither did I say no one should be allowed to encrypt anything.

    'Nuff Said.


    D. Spencer Hines, Feb 21, 2006
  14. Tom

    Todd H. Guest

    Okay, I'll bite.

    Tell us how your "SPECIFIC circumstances" quoted above are any
    different, or programmatically detectable as any different by any ISP
    than the extensions to that argument that I detail.

    I'm not sure you fully grasp that small businesses use ISPs for web
    application and FTP hosting, and remote file backup just like
    individuals do, and have all the same legitimate reasons to encrypt
    their proprietary data as an individual does.

    Remember this thread started with a guy who simply wanted offsite
    backup of some stuff on his home machine.

    Now tell us, how is an individual's Quicken data file directories, or
    backups of their family photos, or personal journals, love letters,
    etc that they don't want disclosed to the world or the government:

    a) any different in concept than the customer payment database
    of a small business that has a hosted shopping cart and
    payment system, the photos of a trade secret confidential
    prototype, design documentation on trade secret

    b) at all detectable as "different" by an internet service
    provider so they can be flagged for DHS scrutiny in your
    strange little surveillance world

    Even if you were able to define that difference in a), b) is
    technically impossible to programmatically define. You can't
    differentiate encrypted file a from encrypted file b without some
    organization having a backdoor to the encryption algorithm. You also
    simply don't get the importance of confidentiality, and why you're off
    your rocker for even hinting that the original poster is asking for
    something even remotely subversive in wanting to protect his personal
    computer's backup files from potential disclosure to average joes at
    his ISP.

    However, without this style of ignorance in the world, the history
    books wouldn't have much to write about at the Salem Witch Trials, or
    for the excesses of Senator McCarthy's crusade during the red scare--
    where large numbers of completely innocent people suffered mightily at
    the hand of their government's and weak-minded people's willingness to
    give up the keys to the liberties people have fought and died for.

    But then again, dramatic changes in the times causes people to get
    pretty irrational.

    Best Regards,
    Todd H., Feb 21, 2006
  15. You must have let your AFDB support contract lapse. It's obviously
    filtering incorrect wavelengths. :( Those files belong to American agents.
    They're securely transferring terrorist plans recently pilfered from the
    Evul Umpire's secret island hideaway. But here you are suggesting we
    disallow that transfer, thereby causing the deaths of billions of innocent

    Don't you realize you're helping them win? Puppeting yourself to their
    whims by willfully giving up what they might otherwise have to take by
    force? Specifically, your freedom. And for absolutely no benefit to your
    safety or security whatsoever.

    You're what those terrorists refer to as a "useful idiot".
    I see. You think terrorists are going to be in any way encumbered by not
    allowing people to store encrypted files in their own account space, but
    every one else is "naive".

    You really *don't* know much about this stuff, do you?

    Truth be known, transferring files this way, even encrypted files, is a
    pretty piss poor way of getting the job done considering all the better
    options there are. You're tying all your files to an account right off the
    bat, then leaving them hanging in mid air for some unspecified amount of
    time. That leaves not only the people accessing the files, but the files
    themselves vulnerable to attack.

    Serious terrorists wouldn't be using anything so woefully insecure as any
    normal Internet connection to begin with. That's a made-for-TV fantasy
    you're using to prop up your amusing paranoia right from the get go. And
    if they did find themselves in the position of being forced to communicate
    via such insecure means, you can bet bottom dollar it would be ephemeral
    and real time. There's just too many easy options and they're *way* more

    By your misguided illogic, the better way to fight terrorism would be to
    outlaw SSL. But do we see you wetting yourself over people who bank on
    Can I borrow your pointy hat? :)
    Borked Pseudo Mailed, Feb 21, 2006
  16. Tom

    ~David~ Guest

    It seems that what you want is encryption to the disk ON the file server.
    Assuming the legality and politics work out (ISPs let you store data, and it
    should be whatever data you want to store, so long as it's within your quota
    limits) there are two ways I can think of.

    One is to encrypt the data on your systems before it is sent over. This seems
    to be the most realistic solution at the moment, as it doesn't require any work
    or coordination with your ISP.

    The second way, which is what I believe you conceptually want, is to transfer
    the files and have them encrypted AT the ISP server. This would probably
    involve a _lot_ of bash/tsh (assuming your ISP uses unix/linux) scripting along
    with gnupg, assuming it is installed on your ISP's server or they give you
    permission to install it... Your script would have to detect every file
    transferred through scp/sftp and after it's transferred run it through "gpg -c
    <other options> file.name" and you would have to store a key on the server.

    Encrypting it prior to transmission is probably the easiest thing to do. Then
    you won't have to bother with sftp and you can use plain FTP. Maybe someday one
    of the openSSL or gnupg devs will come up with something easier, or maybe
    something like this exists already?

    ~David~, Feb 22, 2006
  17. The only acceptable way.

    Utterly useless. If the files are encrypted at the destination it means
    that both the encryption keys and/or pass phrase are available to anyone
    with rights on that server. That could include nefarious tech support
    people, foreign spies, or anything in between. Your data is only slightly
    more secure than cleartext. At least your grandmother wouldn't be able to
    read it, assuming she's only a stereotypical grandmother. ;)
    Transferring encrypted files securely still has benefits. An eavesdropper
    wouldn't be able to determine which files are being transferred for
    instance. Sometimes file contents aren't the only avenue of attack. It
    would still be preferable to move them about via SSL or similar.
    Borked Pseudo Mailed, Feb 22, 2006
  18. Tom

    ~David~ Guest

    If a good enough password is used with the key it will make the security
    stronger. But encrypting them beforehand is still the best way.
    I agree but if the ISP doesn't have and won't set up SSL/ssh then he may have to
    use FTP anyway.
    ~David~, Feb 22, 2006
  19. No. Your password strength is completely meaningless in this scenario
    because for encryption to be done remotely that password MUST somehow be
    transmitted to the remote machine, in a usable form. IOW, you MUST give
    them your password willingly, in the clear as far as they're concerned.
    There simply is no other way for them to "enter" it.
    Borked Pseudo Mailed, Feb 22, 2006
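
    Added example, not written by any poster in this thread: the tar/gpg steps from post 2 as a script in which the passphrase and the plaintext stay on the client, which is the point posts 17 and 19 make. It assumes GnuPG 2.1 or later and tar; the function names and the passphrase-file layout are hypothetical.

```shell
#!/bin/sh
# Client-side encrypted backup (added example; function names are hypothetical).
# Only the finished .gpg file is meant to be sent to the remote server.

# make_encrypted_backup DIR OUT.gpg PASSFILE
# Streams tar straight into gpg, so no plaintext archive is written to disk.
make_encrypted_backup() {
    bk_src=$1 bk_out=$2 bk_pass=$3
    [ -d "$bk_src" ] || { echo "not a directory: $bk_src" >&2; return 1; }
    [ -s "$bk_pass" ] || { echo "missing or empty passphrase file" >&2; return 1; }
    bk_tmp="$bk_out.partial"
    # Note: a POSIX pipeline reports gpg's status only; a tar failure is
    # caught afterwards by verify_backup, so always run it before uploading.
    if tar -C "$(dirname "$bk_src")" -czf - "$(basename "$bk_src")" |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$bk_pass" \
            --symmetric --cipher-algo AES256 -o "$bk_tmp"
    then
        mv "$bk_tmp" "$bk_out"
    else
        rm -f "$bk_tmp"
        return 1
    fi
}

# verify_backup OUT.gpg PASSFILE
# Decrypts to a pipe and lists the archive. Succeeds only if the passphrase
# is right and the tar stream inside is intact and non-empty.
verify_backup() {
    vb_list=$(gpg --batch --quiet --pinentry-mode loopback \
                  --passphrase-file "$2" --decrypt "$1" 2>/dev/null |
              tar -tzf - 2>/dev/null) && [ -n "$vb_list" ]
}

# Typical use (paths are placeholders):
#   make_encrypted_backup /path/to/backup backup.tgz.gpg ~/.backup-pass &&
#   verify_backup backup.tgz.gpg ~/.backup-pass &&
#   echo "ready to send backup.tgz.gpg by ftp or scp"
```

    Keep the passphrase file readable only by your own user and never copy it to the server that stores the backup.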
  20. Hilarious!


    D. Spencer Hines, Feb 22, 2006