Make WinSCP Use a Specific Encryption Algorithm :: Support Forum

TheCliGuy
Joined:: 2020-01-31
Posts:: 13

Make WinSCP Use a Specific Encryption Algorithm

2020-10-28 22:02

I'm working on a project where files are to be uploaded to various third party SFTP servers that are not under my control.

The security team that I'm working with have specified that I must use an encryption algorithm of either aes256-ctr or aes256-gcm when connecting to an SFTP server. If an SFTP server doesn't support aes256-ctr or aes256-gcm then the connection must fail.

WinSCP does not support aes256-gcm but it does support aes256-ctr. Is there a way of specifying that aes256-ctr must be used?

If WinSCP does not currently support this, is it a feature that could be added in the future?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,441
Location:: Prague, Czechia

Re: Make WinSCP Use a Specific Encryption Algorithm

2020-10-30

You can configure WinSCP to warn, when any non-AES algorithm is about to be used:
https://winscp.net/eng/docs/ui_login_ssh
You cannot configure WinSCP to avoid using AES wearer then 256 though.
This feature is on PuTTY TODO list:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/cipher-selection.html

Reply with quote

TheCliGuy
Joined:: 2020-01-31
Posts:: 13

Re: Make WinSCP Use a Specific Encryption Algorithm

2020-11-01 17:34

Hello Martin,

Thanks for providing the link to Cipher selection UI is messy and irrational on the PuTTY wishlist.

I think the author of that wish expressed the problem very well. It's unfortunate that no action has been taken since it was logged in 2007...

I really like the WinSCP .Net library and would very much like to use it in the project that I'm currently working on but in order to comply with my customer's security policy I have to ensure that a minimum encryption algorithm of AES 256 is used. So unfortunately I will have to find an alternative library that can meet my needs.

Is there any possibility that in the future you might be able to enhance the the PuTTY code that WinSCP depends on so it is possible to select specific algorithms?

Reply with quote

martin◆ Site Admin

Re: Make WinSCP Use a Specific Encryption Algorithm

2020-11-03

I'd prefer not to modify the PuTTY code too much. So I hope they implement this on their side.

Reply with quote

zikowski Guest

What about specifying only a set of ciphers or exclude a set of ciphers?

2024-10-19 13:10

Hello Martin,

I have a PowerShell script that uses WinSCP for file movements from an SFTP. But now they SFTP only supports a certain ciphers. I can configure it in the GUI but how can we set it in PowerShell?

ChatGPT says $preferredCiphers would work but it doesn't. Any way to achieve this?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,441
Location:: Prague, Czechia

Re: What about specifying only a set of ciphers or exclude a set of ciphers?

2024-10-22

@zikowski: WinSCP GUI can generate a code template from the working GUI session for you:
https://winscp.net/eng/docs/ui_generateurl#code
The key is to use Cipher raw session settings:
https://winscp.net/eng/docs/rawsettings#cipher

Reply with quote