Last weekend I needed someone to let the dog out. I have some good friends that live close by and I actually had a key made for them, but it worked out where it would be best if I just left a key because they wouldn’t be home to pickup the spare. So I left yet another spare on the porch and text’d a picture of where it was to them. No problems.
File server security is a bit different. Mostly there is key pairs, public private… private private.. and so on. Just like in the movies, you need two keys to launch the missiles. If the president had his key sitting under a rock and text’d pictures around, Bobby G. would probably be able to find and and fire away. If you are an IT person, anytime you are storing secure information just assume its nukes.
SFTP (ftp over SSH) you can secure file transmissions with a public and private key very easily. I have instructions on setting up an SFTP in an earlier post. Once you setup a server you can assign each user with a key pair. All you need is the public key to do this. So it is best if user creates the key pair. PuttyKeyGen.exe will use randomness from you mouse movements to create a good key pair ( http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html ). This way the private key never has to change hands.
If you add a protecting passphrase to this key you won’t be able to easily script SFTP transfers. As long as nobody has access to the private key, no passphrase is ok. On top of the keys, access should only be granted if the proper password is supplied. Force clients to supply a password and give it to them on a different medium that the key was exchanged. Expiration is a pain if everything automated but it is required to meet most security standards. Expire your keys and passwords after a certain period of time. So we have a key pair and password, that is secure right? Well, yes and no. The transport layer is secure but the file itself is not secure just yet.
There are a few things we can do to secure a file. PGP would be a top notch security mechanism. PGP would create yet another key pair and encrypt the file itself. PGP is great but don’t discount the value of a good file system security. Do not let users browse around the computer they are connecting to, especially not other users directories. Control local users and network users privileges as best as possible.
To wrap things up, in a good key exchange, the client would create the key pair and never let anyone touch the private(s). Once past a good key echange make sure you lock up things after the exchange is complete.