# Encryption, Ciphers and Key Exchanges

The default SFTP listener configuration balances security against compatibility with older clients. If clients receive errors when connecting to the SFTP port of FileMage Gateway, you may need to adjust the SFTP encryption settings described below.

# Enhanced Security Profile

To tighten the defaults to the most secure configuration the gateway supports, apply the settings shown below. Clients that only support the removed algorithms will no longer be able to negotiate a connection, so test against your client population before rolling this out. This configuration differs from the default as follows:

  • Remove the diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 key exchange algorithms.
  • Remove the hmac-sha1 and hmac-sha1-96 MAC algorithms.
  • Remove the DSA host key, so the server no longer offers ssh-dss.

```yaml
sftp_key_exchanges:
  - curve25519-sha256@libssh.org
  - ecdh-sha2-nistp256
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp521
sftp_ciphers:
  - aes128-gcm@openssh.com
  - chacha20-poly1305@openssh.com
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
sftp_digests:
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-256
```

Additionally, on Linux VMs, add the following so that only the ECDSA, Ed25519 and RSA host keys are loaded:

```yaml
sftp_host_keys:
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key
  - /etc/ssh/ssh_host_rsa_key
```
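
After applying the profile, verify from the outside that the listener really stopped offering the removed algorithms rather than trusting the config file. The following script is an added example, not FileMage Gateway code: it speaks just enough of the SSH transport (RFC 4253 banner exchange and the unencrypted KEXINIT packet) to read the server's advertised key exchange, host key and MAC lists, and flags any entry the enhanced profile removes. The deny-lists in `WEAK`, the `kexaudit` banner string and the `probe()` helper are assumptions of this example; the check also runs on a constructed KEXINIT without a network.

```python
"""Read an SSH listener's KEXINIT and flag algorithms the enhanced profile removes.
Added example; not part of FileMage Gateway."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c",
                  "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c",
                  "lang_c2s", "lang_s2c")
# Deny-lists for this checker (an assumption of the example), taken from the
# three changes the enhanced profile makes: SHA-1 kex, SHA-1 MACs, DSA host key.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "host_key": {"ssh-dss"},
    "mac": {"hmac-sha1", "hmac-sha1-96"},
}


def encode_name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def decode_name_list(buf, off):
    """Decode one name-list at offset `off`; return (names, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    text = buf[off:off + n].decode("ascii")
    return [x for x in text.split(",") if x], off + n


def build_kexinit(kex, host_key, ciphers, macs):
    """Build a KEXINIT payload (RFC 4253 section 7.1) offering the given lists."""
    payload = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)          # msg id + cookie
    for names in (kex, host_key, ciphers, ciphers, macs, macs,
                  ["none"], ["none"], [], []):                    # comp + lang lists
        payload += encode_name_list(names)
    payload += b"\x00"                 # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)    # reserved
    return payload


def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, offered = 17, {}              # skip message byte and 16-byte cookie
    for field in KEXINIT_FIELDS:
        offered[field], off = decode_name_list(payload, off)
    return offered


def audit(offered):
    """Map each category to the weak algorithms the peer still offers (empty = clean)."""
    findings = {}
    for field, weak in (("kex", WEAK["kex"]), ("host_key", WEAK["host_key"]),
                        ("mac_c2s", WEAK["mac"]), ("mac_s2c", WEAK["mac"])):
        hits = [a for a in offered[field] if a in weak]
        if hits:
            findings[field] = hits
    return findings


def wrap_packet(payload, block=8):
    """Unencrypted binary packet (RFC 4253 section 6): total length a multiple
    of the block size, at least 4 bytes of random padding."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending KEXINIT")
        buf += chunk
    return buf


def _read_line(sock):
    """Read one banner line byte by byte so no packet bytes are over-read."""
    line = b""
    while not line.endswith(b"\n"):
        line += _recv_exact(sock, 1)
    return line


def read_packet(sock):
    """Read one unencrypted binary packet and return its payload."""
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    body = _recv_exact(sock, length)
    return body[1:length - body[0]]    # strip padding_length byte and padding


def probe(host, port=22, timeout=10):
    """Connect, exchange banners, and return the server's advertised algorithms."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while not _read_line(s).startswith(b"SSH-"):   # skip any pre-banner lines
            pass
        s.sendall(b"SSH-2.0-kexaudit_0.1\r\n")         # hypothetical client banner
        s.sendall(wrap_packet(build_kexinit(           # offer only profile algorithms
            ["curve25519-sha256@libssh.org"], ["ssh-ed25519"],
            ["chacha20-poly1305@openssh.com"], ["hmac-sha2-256"])))
        while True:
            payload = read_packet(s)
            if payload and payload[0] == SSH_MSG_KEXINIT:
                return parse_kexinit(payload)


if __name__ == "__main__":
    import sys
    result = audit(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22))
    print("weak algorithms still offered:", result or "none")
```

Run it as `python3 kexaudit.py gateway.example.com 22` (hostname assumed); an empty result means the listener offers none of the removed algorithms. The KEXINIT is sent before any encryption is negotiated, so no credentials or host key trust are needed, which makes this safe to run from a monitoring host after every configuration change.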

See the sections for SSH encryption and key exchange algorithms in the configuration reference for additional information.