I am working with a vendor. Currently, we PGP encrypt files when we send to them. They are requesting that we change to SFTP. That's all fine. However, they say that they consider the "best practice" to be using BOTH SFTP and PGP encryption of the file.
Am I missing something? To me, that seems like gilding the lily, but I'm willing to listen if anyone knows otherwise...
Never ascribe to malice that which can be adequately explained by stupidity.
Joined: Aug 27, 2012
You don't say what medium you currently use to transfer the files but I assume it is some unencrypted channel such as FTP or Email. If so then the primary protection comes from the protection of the PGP private keys. An attacker therefore has to gain access to the RX computer and then get access to the PGP private key to gain access to the secret files.
If the SSH connection over which the SFTP runs is authenticated using (username,password) pairs then this is fairly weak so it would definitely be an advantage to also PGP encrypted files. If one uses public key authentication to access the RX computer using SSH /SFTP then on the surface also PGP encrypting is overkill but does it hurt? I think not. It still means that if the RX computer is compromised an attacker still has to get access to the PGP private key
One weakness you have not covered is possible access to the unencrypted files on either the TX or RX computers. To my mind this is the real weakness.
If I were involved I would keep the customer happy and do whatever he asks as long as it does not actually compromise security.