Thorn Tech Support

SFTP Gateway Classic (1.004.x)

Encrypting local server data at rest

For compliance reasons, you may need to encrypt the data at rest when files are stored locally on the SFTP Gateway instance. These files could reside in the user's local, shared, or downloads directories.

The approach outlined here is to mount an encrypted EBS volume on /home. This involves the following main steps:

  • Back up the ec2-user's home directory, so you can SSH in after a reboot
  • Create an EBS encrypted volume
  • Attach the volume
  • Mount the volume
  • Make sure the volume mounts on subsequent reboots

Credit goes to this helpful tutorial

Back up the ec2-user's home directory

The ec2-user's home directory contains a few important hidden folders:

  • .ssh: holds the authorized_keys file that lets your key pair SSH into the instance
  • .sftpgateway: contains a config file that is global to the SFTP Gateway instance
  • Other useful bash settings

The following backs up the entire folder (the -a flag preserves ownership, permissions and timestamps, which matters for the .ssh directory):

sudo su
cp -a /home/ec2-user/ /root

Create an EBS encrypted volume

  • EC2 > Volumes > Create Volume
  • Change size to 32 GB (default is 100, but use a sensible size)
  • Make sure the Volume's AZ matches the instance’s AZ
  • Check the box for Encryption
  • Add a Tag (Name=sftpgw-ebs-encrypted). You're going to have a lot of volumes, so this is the best way to identify it later
  • Click Create Volume

Attach the volume

  • Click the link that takes you to the volume you just created
  • Select your new volume
  • Go to Actions > Attach Volume
  • Select your EC2 instance from the drop down menu
  • Click Attach

Mount the volume

The following initializes the volume's file system, and then mounts it on /home. Before running it, confirm with lsblk that /dev/xvdf is the newly attached, empty volume: mkfs destroys whatever is on the device it is given. Note also that mounting over /home hides everything already beneath it, so any SFTP user home directories that already exist need to be backed up and restored in the same way as the ec2-user's.

mkfs -t ext4 /dev/xvdf
mount /dev/xvdf /home

This restores the ec2-user's home directory (and removes the lost+found folder):

mv /root/ec2-user/ /home/
rmdir /home/lost+found

Make sure the volume mounts on subsequent reboots

Back up the fstab file:

cp /etc/fstab /etc/fstab-orig

Append the following line to /etc/fstab (the nofail option lets the instance finish booting even if the volume is unavailable, so you are not locked out of SSH; the trailing 0 0 are the dump and fsck-order fields):

/dev/xvdf   /home       ext4    defaults,nofail   0 0

Make sure there are no errors:

mount -a

Reboot, and make sure it comes back up.

init 6
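The mount and fstab steps above, gathered into one guarded script as an added example (this is not code from the Thorn Tech docs). It assumes the same device (/dev/xvdf) and mount point (/home) as the docs, and adds two checks the docs leave to the operator: it refuses to run mkfs unless the device exists and carries no filesystem signature, and it writes the fstab entry by filesystem UUID rather than device path, since the kernel may rename the device. The destructive part only runs when APPLY_ENCRYPTED_HOME=1 is set; the helper functions can be exercised on their own.

```sh
#!/bin/sh
# Added example, not part of the Thorn Tech SFTP Gateway docs.
# Assumed defaults match the docs: device /dev/xvdf, mount point /home,
# ec2-user's home already copied to /root/ec2-user.
set -eu

DEVICE="${DEVICE:-/dev/xvdf}"
MOUNTPOINT="${MOUNTPOINT:-/home}"
FSTAB="${FSTAB:-/etc/fstab}"
BACKUP="${BACKUP:-/root/ec2-user}"

# Format one fstab entry. nofail keeps the instance bootable (and reachable
# over SSH) if the volume is ever missing; "0 0" fills the dump/pass fields.
fstab_line() {
  printf '%s\t%s\text4\tdefaults,nofail\t0\t0\n' "$1" "$2"
}

# Succeeds if fstab file $1 already has a non-comment entry for mount point $2.
fstab_has_mount() {
  grep -Eq "^[^#][^[:space:]]*[[:space:]]+$2[[:space:]]" "$1"
}

# Append the entry to file $1 exactly once, backing the file up first as the
# docs do. $2 = device spec (path or UUID=...), $3 = mount point.
ensure_fstab_entry() {
  if fstab_has_mount "$1" "$3"; then
    echo "$1 already mounts $3; leaving it alone"
  else
    cp "$1" "$1-orig"
    fstab_line "$2" "$3" >> "$1"
  fi
}

# Succeeds only if $1 is a block device with no filesystem signature, i.e. it
# is safe to format. blkid exits non-zero for a blank device.
device_is_blank() {
  [ -b "$1" ] && ! blkid "$1" >/dev/null 2>&1
}

# The destructive part: format, mount, restore ec2-user, persist the mount.
apply() {
  device_is_blank "$DEVICE" || { echo "refusing: $DEVICE missing or already formatted" >&2; exit 1; }
  [ -d "$BACKUP" ] || { echo "refusing: back up ec2-user to $BACKUP first" >&2; exit 1; }
  mkfs -t ext4 "$DEVICE"
  mount "$DEVICE" "$MOUNTPOINT"
  mv "$BACKUP" "$MOUNTPOINT"/
  rmdir "$MOUNTPOINT/lost+found"
  # Prefer the filesystem UUID: the /dev/xvdf name is not guaranteed stable.
  spec="UUID=$(blkid -s UUID -o value "$DEVICE")"
  ensure_fstab_entry "$FSTAB" "$spec" "$MOUNTPOINT"
  mount -a   # surfaces fstab errors now rather than at the next reboot
}

if [ "${APPLY_ENCRYPTED_HOME:-0}" = "1" ]; then
  apply
fi
```

Run it as root with APPLY_ENCRYPTED_HOME=1 after the volume is attached and the ec2-user backup exists; without that variable the script only defines its functions, which is the mode used for checking the fstab logic against a scratch file.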
Copyright © 2019 Thorn Technologies