WinSCP allows you to seamlessly encrypt your files on an SFTP server using AES-256 encryption.
As part of session settings, you can specify (or have WinSCP generate) an encryption key. WinSCP will then (by default) seamlessly encrypt all newly uploaded files and their names.
In WinSCP file panel, you will see the original file names and when you download files, you will get original contents. But anyone else, who does not know the key, including a server Administrator, will see only gibberish.
This, combined with WinSCP powerful synchronization features, allows you to use your server quota as a safe backup storage for your private data.
The following images show how an encrypted folder and files show to a user who knows the encryption key and to a user who does not know the encryption key:
The following rules apply for encrypting files (assuming file encryption is enabled in session settings):
- When overwriting an existing unencrypted remote file, the updated file is uploaded unencrypted too.
- When overwriting an existing encrypted remote file, the updated file is uploaded encrypted too.
- When uploading a new file, it is encrypted by default (can be changed in transfer settings).
- When creating a new folder, its name is encrypted by default (can be changed in default transfer settings).
You can identify encrypted files and folders using a lock overlay icon.
Requirements on Server File System
Encryption of file names uses Base64 encoding. To preserve file names encoded in Base64 encoding, the target file system should be case-sensitive (Linux servers use case-sensitive file systems) or at least case-preserving (with a small risk of collision – Windows NTFS is case-preserving).
The file system also needs to support reasonably long file names. Base64 encoding adds a 33% overhead to a filename length. Additionally, an encoded salt and the
.aesctr.enc extension add another approximately 33 characters.
With common 255-character limit of common NTFS and ext file systems, file names up to 167-characters long can be stored.
To encrypt file names and file contents, WinSCP uses industry standard AES-256 CTR encryption. Use of standards guarantees you, that even if WinSCP stops working or becomes unavailable for whatever reason, you will still be able to decrypt your files.
Process of encrypting file names:
- 16 bytes (128 bits) of salt is generated.
- File name is represented in bytes using UTF-8 encoding.
- Encoded file name is encrypted.
- Concatenated salt and encrypted file name are encoded using Base64 encoding.
- All slash characters (
/) in a result of Base64 encoding are replaced with underscore (
_). Trailing equal signs (
=) are removed.
.aesctr.encextension is added.
Process of encrypting file contents:
- Fixed file header
aesctr..........is written to the output file.
- 16 bytes (128 bits) of salt is generated and written to the output file.
- File contents is encoded and written.
- Empty files are encoded as empty files (no header nor salt).
File modification time is stored as is (not encrypted in any way). Encrypted files are 32 bytes larger than originals. Hence size of an original file can also be deduced.
We provide a standalone PowerShell implementation of file decrypting.