IronSFTP End-to-End Encrypted SFTP


IronSFTP is an open-source fork of OpenSSH and alternative to command-line SFTP. IronSFTP brings painless end-to-end encryption to existing servers running SSH. Encryption keys are automatically derived from the SSH key and the public keys are published to the server. Uploaded files are encrypted to the person uploading and optionally to other users. Key files and encryption are compatible with GPG 2.1+ and uses the “safe” elliptic curve Curve25519. The user experience with IronSFTP is nearly identical to standard SFTP with new commands for sharing files with other users.

Demo of sftp and ironsftp side-by-side
  • The Power of Least Privilege

  • In security, the principle of least privilege says, for any piece of data, only those users, components or systems who must have access should have it. When uploading files to servers, it’s hard to know who may have access to a file now or in the future – who has root, can get root, and how might filesystem permissions or group memberships change?

  • SSH is terrific for encrypting communications between client and server, but once files are uploaded, that protection is gone. The server is assumed to be a secure and fully trusted environment, but in practice, servers are hacked and malicious or curious users with access poke around at files that they shouldn’t. It makes sense to take reasonable precautions when it comes to sensitive data. That’s why we built IronSFTP.

  • When dealing with sensitive data such as customer data, employee data, product designs, etc., using IronSFTP reduces the risk of theft by making sure only users who have a need to read the files will have the capability to do so. Encrypting files with IronSFTP is easier than just about any other approach and much simpler than manually encrypting and decrypting files when uploading and downloading.

  • Easy to use

    When logging in, uploading, downloading and otherwise using SFTP, nothing is visibly changed except for a small lock icon beside progress bars. However, uploaded files are kept encrypted on the server after the transfer. Downloading the files transparently decrypts them if the file is shared with or owned by the user.


RedHat, CentOS, Debian and Ubuntu

IronSFTP requires OpenSSL 1.0.2 or above. This means it will only work on newer operating systems including RedHat Enterprise 7; CentOS 7; Fedora 23, 24; Debian Stretchy; and Ubuntu Wily, Xenial, Yakkety. Packages for these operating systems are hosted on To install deb and rpm packages:

  1. Add the repository
  2. For Debian and Ubuntu:
    sudo apt-get install ironssh
    For RedHat and CentOS:
    sudo yum install ironssh


IronSFTP can be installed by users of Homebrew using this command:

brew install ironcorelabs/ironcore/ironssh

Building From Source

To build from source, make sure you have a version of OpenSSL that is 1.0.2 or greater, then follow these instructions, modified as needed to locate dependencies:

    > git clone [email protected]:IronCoreLabs/ironssh.git
> cd ironssh
> autoreconf
> ./configure --with-ssl-dir=/usr/local/opt/openssl
> make && make install


Documentation is on the repository with GitHub and in the man pages.

View GitHub Repo