I am working with a vendor. Currently, we PGP encrypt files when we send to them. They are requesting that we change to SFTP. That's all fine. However, they say that they consider the "best practice" to be using BOTH SFTP and PGP encryption of the file.
Am I missing something? To me, that seems like gilding the lily, but I'm willing to listen if anyone knows otherwise...
There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
You don't say what medium you currently use to transfer the files but I assume it is some unencrypted channel such as FTP or Email. If so then the primary protection comes from the protection of the PGP private keys. An attacker therefore has to gain access to the RX computer and then get access to the PGP private key to gain access to the secret files.
If the SSH connection over which the SFTP runs is authenticated using (username, password) pairs then this is fairly weak, so it would definitely be an advantage to also PGP encrypt the files. If one uses public key authentication to access the RX computer using SSH/SFTP then on the surface also PGP encrypting is overkill, but does it hurt? I think not. It still means that if the RX computer is compromised an attacker still has to get access to the PGP private key.
One weakness you have not covered is possible access to the unencrypted files on either the TX or RX computers. To my mind this is the real weakness.
If I were involved I would keep the customer happy and do whatever he asks as long as it does not actually compromise security.
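The layering discussed in this thread, as an added example that is not part of any post: a sender-side wrapper that PGP-encrypts each file, refuses to upload anything that is not armored PGP ciphertext, and connects over SFTP with public key authentication only. The recipient key, account, host and remote directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: PGP protects the file itself, SFTP protects the channel.
# Placeholder values (assumptions); override through the environment.
RECIPIENT="${RECIPIENT:-vendor@example.com}"             # vendor's PGP key id
SFTP_TARGET="${SFTP_TARGET:-upload@sftp.vendor.example}" # account@host
REMOTE_DIR="${REMOTE_DIR:-incoming}"
# Key-only SSH authentication: never fall back to a password prompt.
SSH_OPTS="-o BatchMode=yes -o PreferredAuthentications=publickey -o PasswordAuthentication=no"

# True only if FILE begins with the header that `gpg --armor` writes.
is_armored_pgp() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ]
}

# Encrypt SRC to the vendor's public key; prints the ciphertext path.
encrypt_for_vendor() {
    gpg --batch --yes --armor --encrypt --recipient "$RECIPIENT" \
        --output "$1.asc" "$1" && printf '%s\n' "$1.asc"
}

# Upload FILE only if it is PGP ciphertext. DRY_RUN=1 prints the command
# that would run instead of connecting.
upload_ciphertext() {
    file=$1
    if ! is_armored_pgp "$file"; then
        echo "refusing to upload non-PGP file: $file" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sftp -b - $SSH_OPTS $SFTP_TARGET  # put $file $REMOTE_DIR/"
        return 0
    fi
    # $SSH_OPTS is intentionally unquoted so it splits into separate options.
    printf 'put "%s" "%s/"\n' "$file" "$REMOTE_DIR" |
        sftp -b - $SSH_OPTS "$SFTP_TARGET"
}

main() {
    for src in "$@"; do
        enc=$(encrypt_for_vendor "$src") || return 1
        upload_ciphertext "$enc" || return 1
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The script leaves the plaintext source on the sending machine untouched, so access to the unencrypted files on the TX and RX computers still has to be controlled separately.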