Skip to main content

Additional SFTP security (SSH keys)

Some clients historically used SFTP with password authentication to download clearing files from CA. These passwords were often weak, shared across users, and rarely rotated, which increases breach risk. Moreover, new requests for SFTP access use SSH key–based authentication, and we strongly encourage existing users to migrate. SSH keys are stronger, resistant to brute-force and phishing, support local encryption with passphrases, and enable safer automation.

Security benefits

Compared to passwords, SSH key authentication delivers stronger protection in the following ways:

  1. Stronger authentication: SSH keys are much harder to break than passwords.
  2. Resistance to brute-force attacks: With key-only access enabled, servers can reject password attempts entirely, reducing the attack surface.
  3. Protection against phishing: You never type or transmit a secret; the private key stays local, eliminating risks from fake login prompts or credential theft.
  4. Two-part key pair security: Even if a server is compromised, attackers do not gain your private key, which remains only on your device.
  5. Local key encryption and passphrases: Private keys can, and should, be encrypted with a passphrase. Even if someone obtains the file, they cannot use it without decryption.
  6. Easier, safer automation: SSH keys enable non-interactive scripts and deployments without storing plaintext passwords.
  7. Automatic IP blocking: SSHGuard can automatically block IP addresses after repeated failures, protecting the SFTP server.
  8. Jailed SFTP accounts: Accounts are restricted to a specific directory (a “jail”), preventing access to other parts of the file system after login.

Using SSH key-authenticated SFTP to download clearing documents

  1. Request for the setup of an SFTP account using SSH key authentication:
    1. Create an SSH key pair on the host machine you want to connect with the SFTP server.
    2. Contact your Client Success Manager, provide them with your SSH public key (.pub file) for the SFTP account setup, and communicate on the files you need. If, for any reason, you cannot contact your Client Success Manager, please email our Customer Experience.
  2. After the Client Success Manager informs you that the set up is ready, authenticate to SFTP server using your username and private SSH key: Open terminal, then run ssh username@hostname |
  3. Download clearing documents.

How to create an SSH key pair

  1. Open the Terminal: Launch your terminal application.
  2. Generate the key pair: Use the ssh-keygen command.
    • A common and secure option is to use the ed25519 algorithm: 
       ssh-keygen -t ed25519 -C 'your_email@example.com'
      where 'your_email@example.com' is your actual email address, which serves as a comment for the key.
    • Alternatively, you can use RSA with a strong key size: 
       ssh-keygen -t rsa -b 4096 -C 'your_email@example.com'
  3. Specify the file location: When prompted for a file name, press Enter to accept the default location (~/.ssh/file-name) or specify a new file location.
  4. Enter the passphrase: When prompted, enter a passphrase to add another layer of security. You can leave it empty, but we strongly recommend not to skip the step.
  5. Obtain the key files: The system will generate the keys in the defined location:
    • Public key: The file with .pub extension (for example id_ed25519.pub) which you share with servers to grant access;
    • Private key: The file without extension (for example id_ed25519) which stays on your device, proves your identity during login, and must never be shared.

Did you find this doc useful?