Setting up SFTP with PGP support is very simple provided the fundamentals are clear.

First of all, SFTP is file transfer over Secure Shell (SSH); therefore, it is different from FTPS, which is the FTP protocol with its transfers secured by SSL. Importantly, SFTP works with SSH or SSH2 key pairs, whereas FTPS uses the X.509 key pairs found in X.509 certificates, commonly known as digital certs.

PGP is an abbreviation of Pretty Good Privacy, and it is built on X.509 key-pair based security techniques. Primarily, PGP provides encryption/decryption (privacy) of the contents as well as signing (authentication of the sender and integrity of the contents). We are not going into detail on how key-pair based data encryption works; I may cover that in a different post.

So, in order to set up an SFTP server:

  1. First, download a server software package; most are available at very low cost. I am deliberately avoiding the name of any product. Make sure that the server software supports SFTP, preferably with SSH2 keys.
  2. Configure the server so that it accepts SFTP client requests. The standard port for SFTP is 22. Make sure that no firewall is blocking this port. You can also set the software to perform only SSH or SSH2 key based authentication.
  3. Create a user for your client company and install the SSH/SSH2 public key provided by your client. If you are testing this with your own user, create the user first and generate an SSH/SSH2 key pair; most SFTP software allows you to generate that key pair. Install the generated public key for this user and keep a copy of the key pair for use with your client SFTP software.
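As an added example (not from the original post, which deliberately names no product), here is what steps 2 and 3 look like on an OpenSSH server: a shell helper that renders the `sshd_config` fragment confining a group of client accounts to key-only, chrooted, SFTP-only access, and a helper that installs a client's public key into that user's `authorized_keys` with the permissions sshd requires. The group name `sftponly`, the chroot path `/srv/sftp` and the key line are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: OpenSSH (sshd) is assumed as the
# SFTP server. Group name, chroot path and the key line below are assumptions.

# Print an sshd_config fragment that confines members of GROUP to
# SFTP-only, chrooted, public-key-only access. Every directory in the
# chroot path must be owned by root and not group/world writable, or
# sshd refuses the login ("bad ownership or modes for chroot directory").
render_sftp_match_block() {
    group="$1"
    chroot_dir="$2"
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $group
    ChrootDirectory $chroot_dir
    ForceCommand internal-sftp
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Append KEY_LINE to HOME_DIR/.ssh/authorized_keys with the 700/600 modes
# that sshd's StrictModes check requires. Rejects (returns 1) anything that
# does not start with a recognised OpenSSH key type, so a pasted private
# key or a stray PGP block cannot end up in the file.
install_client_pubkey() {
    home_dir="$1"
    key_line="$2"
    case "$key_line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *) echo "rejected: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    (
        umask 077                       # new files 600, new dirs 700
        mkdir -p "$home_dir/.ssh"
        printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
        chmod 700 "$home_dir/.ssh"
        chmod 600 "$home_dir/.ssh/authorized_keys"
    )
}

# Number of keys installed for HOME_DIR (0 if the file does not exist).
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then
        grep -c -e '^ssh-' -e '^ecdsa-' -e '^sk-' "$f" || true
    else
        echo 0
    fi
}

# Stand-alone demo in a throwaway directory (constructed key, not real material).
demo_home=$(mktemp -d)
render_sftp_match_block sftponly /srv/sftp
install_client_pubkey "$demo_home" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey client@example.test"
echo "keys installed: $(count_authorized_keys "$demo_home")"
rm -rf "$demo_home"
```

The rendered fragment is appended to `sshd_config` and sshd reloaded; a stock installation already carries a `Subsystem sftp` line, so only one should remain. Because `internal-sftp` runs inside sshd, nothing is started from a login shell, so the service does not disappear when the administrator logs out, and the `Match` block denies the chrooted accounts any shell, forwarding or tunnel, which is what keeps a file-transfer account from becoming a general-purpose foothold.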

Now, you can allow your client company or your test user to try to connect to the SFTP service. Make sure you are not running the SFTP service from the command line, where it would be shut down when you log out. That covers the Public Key Authentication part.

Now, we move on to the PGP part. As discussed above, we can use PGP for data privacy, sender authentication and content integrity. First of all, PGP and SFTP are different things, but we can make them work together for secure file transfers and to achieve objectives such as privacy and content integrity. Some SFTP software also allows you to register a script to run after a file is uploaded, which is one place where PGP scripts can be integrated with SFTP. Otherwise, PGP commands/scripts can always be run from the command line and scheduled as well.

GnuPG (GPG) is a well-known, free and complete implementation of the OpenPGP standard (RFC 4880). It is definitely a great free product, provides all the necessary PGP features and supports Public Key Infrastructure (PKI).

PGP works with X.509 based key pairs. In order to have data privacy and signing of the data, we need to have the client's public key, or the client needs our public key (that of the company running the SFTP and PGP). GPG allows you to create an X.509 based key pair, export the public key and send it to your clients for their use when they encrypt data and send it to you. Further, GPG allows you to decrypt the encrypted contents using your private key. If a passphrase was used while creating the key pair, it must be supplied with every decryption command; there are ways to supply the passphrase in an automated process without entering it manually through the interface. Similarly, GPG allows you to sign data and verify signatures.
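The key exchange, encrypt-and-sign, and decrypt-and-verify round trip described above, written out as an added example (not the post's own code) using GnuPG's command line: two constructed parties, each with its own temporary `GNUPGHOME`, exchange exported public keys; the client encrypts and signs an upload; the server decrypts with a passphrase read from a file (the unattended-process case mentioned above) and verifies the signature before accepting the file. All names, addresses, passphrases and the payload are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed end-to-end GPG
# exchange between two parties, each in its own throwaway GNUPGHOME. The
# client encrypts a file to the server's public key and signs it with its own
# key; the server decrypts with its private key (passphrase read from a file,
# as an unattended post-upload script would) and verifies the signature.
# Names, e-mail addresses, passphrases and the payload are all constructed.

# Isolated keyring directory for one party; loopback pinentry lets the
# passphrase come from a file instead of an interactive prompt.
pgp_init_home() {                   # dir
    mkdir -m 700 -p "$1"
    echo "allow-loopback-pinentry" > "$1/gpg-agent.conf"
}

pgp_shutdown_home() {               # dir
    GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
}

# Key pair with the default algorithm and no expiry, protected by the
# passphrase in PASSFILE. The uid's e-mail address is used to name it later.
pgp_generate_key() {                # home uid passfile
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$3" --quick-generate-key "$2" default default never
}

# ASCII-armored public key, safe to send to a partner; private keys stay home.
pgp_export_public() {               # home uid outfile
    GNUPGHOME="$1" gpg --batch --quiet --armor --export "$2" > "$3"
}

pgp_import_public() {               # home keyfile
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
}

# Encrypt to RECIPIENT and sign as SIGNER in one pass.
pgp_encrypt_and_sign() {            # home recipient signer passfile in out
    GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$4" --trust-model always \
        --recipient "$2" --local-user "$3" \
        --output "$6" --sign --encrypt "$5"
}

# Decrypt with the local private key and verify the embedded signature.
# Succeeds only if gpg reports GOODSIG from a signer whose uid contains
# EXPECTED_SIGNER; a missing, bad or unexpected signature fails closed.
pgp_decrypt_and_verify() {          # home passfile in out expected_signer
    status=$(GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-file "$2" --trust-model always --status-fd 1 \
        --output "$4" --decrypt "$3") || return 1
    printf '%s\n' "$status" | grep '^\[GNUPG:\] GOODSIG ' | grep -q -- "$5"
}

# Whole exchange in a temporary workspace; prints the recovered plaintext.
# Returns 2 (skipped) when gpg is not installed, 1 on any failure.
run_pgp_exchange() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d); rc=1
    pgp_init_home "$work/server"; pgp_init_home "$work/client"
    echo "server-passphrase-constructed" > "$work/server.pw"
    echo "client-passphrase-constructed" > "$work/client.pw"
    pgp_generate_key "$work/server" "SFTP Server <sftp@server.example.test>" "$work/server.pw" &&
    pgp_generate_key "$work/client" "Client Co <files@client.example.test>" "$work/client.pw" &&
    pgp_export_public "$work/server" sftp@server.example.test "$work/server.pub.asc" &&
    pgp_export_public "$work/client" files@client.example.test "$work/client.pub.asc" &&
    pgp_import_public "$work/client" "$work/server.pub.asc" &&
    pgp_import_public "$work/server" "$work/client.pub.asc" &&
    printf 'invoice 4711: constructed sample payload\n' > "$work/upload.txt" &&
    pgp_encrypt_and_sign "$work/client" sftp@server.example.test files@client.example.test \
        "$work/client.pw" "$work/upload.txt" "$work/upload.txt.gpg" &&
    pgp_decrypt_and_verify "$work/server" "$work/server.pw" \
        "$work/upload.txt.gpg" "$work/upload.txt.out" files@client.example.test &&
    cat "$work/upload.txt.out" && rc=0
    pgp_shutdown_home "$work/server"; pgp_shutdown_home "$work/client"
    rm -rf "$work"
    return $rc
}

run_pgp_exchange || [ $? -eq 2 ]
```

The server side fails closed: a file that decrypts but carries no signature, or one signed by a key other than the expected client's, is rejected, which is the check a post-upload script should make before moving a file into processing. The passphrase file stands in for whatever secret store the scheduled job uses, and must be readable only by that job's account. `--trust-model always` appears here only because the constructed keyrings have no ownertrust set; in production, mark the partner's key as trusted (for example by locally signing it) rather than disabling trust checks.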

In this post, I have mostly remained at the conceptual level; based on reader interest, I will probably write other posts with concrete steps for setting up SFTP with Public Key Authentication and PGP using a particular product. I could also explain key pair and PKI related concepts in more depth, but there is already a lot of information available on that.
Finally, please feel free to get in touch with me at xcesstek@gmail.com for any questions, further explanations, concerns or any possible help. Best regards!
