Enabling SFTP
SFTP is the premier protocol used for file transfers. It is very secure (if configured properly) and it is preferred by most funding agencies. There is a multitude of SFTP clients, both free/open source and commercial, that provide great convenience for transferring large amounts of data.
Using the SFTP gateway is by far the most efficient mechanism to move data from the outside into a virtual machine.
To ensure the security of the system, the VM Controller tightly controls the SSH/SFTP settings, primarily to prevent the following:
Un-audited/un-authorized data exfiltration
Console access outside tiCrypt mechanisms
It does so by disabling all the SSH features except SFTP and by placing SFTP in "write-only" mode (no file reads). Effectively, the SFTP client will be able to see the directory structure, create new directories and create new files, but it will not be able to read any existing file.
Linux instructions
Most Linux distributions install OpenSSH by default and set it to start automatically. These instructions are specific to CentOS/Redhat 7.0, but similar instructions work for other Linux variants.
Only two steps need to be performed for Linux:
1. Disable the OpenSSH server in order to allow the VM Controller to grab port 22 using
   systemctl disable sshd
2. Set
   sftpEnabled = true
   in the [tunnel] section in the VM configuration file /etc/ticrypt/controller.toml
If step 1 is not performed, the VM controller will not start correctly.
Windows instructions
First, OpenSSH must be installed. You can find excellent instructions at https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
The rest of the setup instructions are:
1. Edit the image configuration file C:\Program Files\Tera Insights\tiCrypt VM Controller\controller.toml
   a. Set
      sftpEnabled = true
      in the [tunnel] section.
   b. Set
      sshDirPath
      to the path to the directory where OpenSSH is installed, which should contain at least sshd.exe and ssh-keygen.exe.
2. Disable automatic start of OpenSSH if set.
3. Run the following command, as Administrator, to grant the VM controller service the permissions that OpenSSH needs to impersonate other users:
   sc.exe privs ticrypt-vm-controller SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege
In step 1.b, if the OpenSSH bin directory is already on the PATH, you do not need to set sshDirPath.
If step 2 is not performed, the VM controller will not start correctly.
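Both the Linux and the Windows procedures come down to the same two things: the [tunnel] section of controller.toml must carry sftpEnabled = true (and, on Windows, possibly sshDirPath), and the distribution's sshd must not hold port 22 when the VM Controller starts. The POSIX shell script below is an added example, not part of the tiCrypt documentation or the project's own tooling; it checks exactly those outcomes. It assumes only the key names and section name shown on this page. The sample configuration files it builds are constructed for the demonstration, and the sshd/port check runs only on a Linux host that has systemctl and ss (the Windows sc.exe privs step is not covered). One caveat it also illustrates: in TOML, a backslash inside a double-quoted string starts an escape sequence, so a Windows sshDirPath should be written as a single-quoted literal string ('C:\Program Files\OpenSSH') or with doubled backslashes.

```shell
#!/bin/sh
# Added example (not tiCrypt's own code): validate the [tunnel] section of
# controller.toml and, on Linux, the "sshd disabled / port 22 free" precondition.
# Requires only POSIX sh and awk; systemctl and ss are used when present.

# Print the value of KEY found inside the [tunnel] section of FILE, with one
# layer of quotes and any trailing "# comment" removed. Prints nothing when the
# key is absent from that section (keys in other sections are ignored).
# Limitation: a '#' inside a quoted value is treated as a comment start.
tunnel_value() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[ \t]*\[/ { in_tunnel = ($0 ~ /^[ \t]*\[tunnel\][ \t]*$/); next }
        in_tunnel && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")   # drop "key ="
            sub(/[ \t]*#.*$/, "")                    # drop trailing comment
            gsub(/^["'"'"']|["'"'"']$/, "")          # strip surrounding quotes
            print; exit
        }' "$file"
}

# Return 0 when FILE enables the SFTP gateway in [tunnel], 1 otherwise.
sftp_enabled() {
    [ "$(tunnel_value "$1" sftpEnabled)" = "true" ]
}

# Linux step 1 check: sshd must not be enabled at boot and nothing may already
# listen on port 22. Returns 0 if the VM Controller can take the port,
# 1 if not, and 2 when this is not a systemd host (check skipped).
linux_port22_free() {
    command -v systemctl >/dev/null 2>&1 || return 2
    if systemctl is-enabled sshd >/dev/null 2>&1; then
        echo "sshd is still enabled: run 'systemctl disable sshd'" >&2
        return 1
    fi
    # ss -ltn: column 4 is Local Address:Port of each listening TCP socket
    if ss -ltn 2>/dev/null | awk '$4 ~ /:22$/ { found = 1 } END { exit !found }'; then
        echo "something is already listening on port 22" >&2
        return 1
    fi
    return 0
}

# Constructed sample configuration files (not real tiCrypt files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/linux.toml" <<'EOF'
[server]
port = 1234

[tunnel]
sftpEnabled = true   # SFTP gateway on, as in the Linux steps
EOF

cat > "$tmp/windows.toml" <<'EOF'
[tunnel]
sftpEnabled = true
# TOML literal string: backslashes are not escape characters here
sshDirPath = 'C:\Program Files\OpenSSH'
EOF

cat > "$tmp/off.toml" <<'EOF'
[tunnel]
sftpEnabled = false
EOF

# sftpEnabled placed in the wrong section must not count as enabled.
cat > "$tmp/wrong-section.toml" <<'EOF'
[server]
sftpEnabled = true

[tunnel]
EOF

# Report on the samples, and on the real Linux file when it exists.
for f in "$tmp/linux.toml" "$tmp/windows.toml" "$tmp/off.toml" \
         "$tmp/wrong-section.toml" /etc/ticrypt/controller.toml; do
    [ -f "$f" ] || continue
    if sftp_enabled "$f"; then
        echo "$f: SFTP enabled (sshDirPath='$(tunnel_value "$f" sshDirPath)')"
    else
        echo "$f: SFTP NOT enabled in [tunnel]"
    fi
done

linux_port22_free
case $? in
    0) echo "port 22 is free for the VM Controller" ;;
    2) echo "not a systemd host, sshd/port check skipped" ;;
esac
```

Run it as-is to see the sample results; on a CentOS/Redhat VM it will also report whether /etc/ticrypt/controller.toml and the sshd state match what the steps above require.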