RSA key authentication

SSH key authentication is the preferred auth method for the Conflixis SFTP integration. It’s stronger than a password and eliminates the need to rotate a shared secret on a human-memorable cadence.

  1. Your team generates an SSH keypair on a secure workstation or key vault.
  2. You install the public key on your SFTP server for the dedicated conflixis user.
  3. You securely send the private key to your Conflixis contact, who stores it in a managed secrets vault.
  4. On each scheduled run, the Conflixis ingestion worker retrieves the private key at runtime and uses it to connect. The private key is never written to disk on our side.

  1. Generate a keypair on a secure workstation. A 4096-bit RSA key in PEM format works for all supported SFTP servers:

    ssh-keygen -t rsa -b 4096 -m PEM -f conflixis_sftp -C "conflixis-ingest"

    This creates two files:

    • conflixis_sftp — the private key (share with Conflixis).
    • conflixis_sftp.pub — the public key (install on your server).

    You may optionally protect the private key with a passphrase during generation. Conflixis supports passphrase-protected keys — if you set one, share it alongside the private key.

  2. Install the public key on your SFTP server for the Conflixis user. On an OpenSSH-based server:

    # As the conflixis user:
    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    cat conflixis_sftp.pub >> ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys

    For other SFTP servers (for example, Cerberus, Serv-U, managed services), follow the vendor’s instructions for associating a public key with a user.

  3. Disable password auth for the Conflixis user if possible — your server configuration should allow password auth to be disabled on a per-user basis, or you can enforce key-only for this account.

  4. Send the private key to Conflixis via the secure channel your contact has provided. Include:

    • The private key file contents (the full -----BEGIN RSA PRIVATE KEY----- block, PEM format).
    • The passphrase, if you set one.
  5. Wait for Conflixis to confirm that the credential has been loaded into our secrets vault and a test connection has succeeded. We’ll coordinate the first scheduled pull with your team.

| Aspect | Requirement |
| --- | --- |
| Algorithm | RSA (2048-bit minimum; 4096-bit recommended). |
| Format | PEM (the -----BEGIN RSA PRIVATE KEY----- style). |
| Passphrase | Optional. Supported — please share the passphrase if you use one. |

When you need to rotate the key (for example, annually, or when staff with access leave):

  1. Generate a new keypair on your side.
  2. Install the new public key on your SFTP server alongside the existing one.
  3. Send the new private key to Conflixis.
  4. Coordinate a cutover window with your Conflixis contact.
  5. Once the new key is confirmed working, remove the old public key from your server.
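
An added example, not Conflixis code: a server-side check of an `authorized_keys` entry against the RSA minimum above, which also prints the SHA-256 fingerprint so the old and new keys can be told apart during rotation. The helper names and the sample entries are constructed for illustration; it assumes any leading key options contain no spaces.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # minimum stated in the requirements on this page

def read_field(blob, off):
    """Read one length-prefixed field (RFC 4251 string/mpint) from a key blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def audit_key_line(line):
    """Return (ok, bits, fingerprint, comment) for one authorized_keys entry."""
    fields = line.split()
    # Assumption: leading options contain no spaces, so the key type is a whole field.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no public key found on line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    digest = hashlib.sha256(blob).digest()
    # Same form that `ssh-keygen -l` prints: unpadded base64 of SHA-256 over the blob.
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    comment = " ".join(fields[idx + 2:])
    algo, off = read_field(blob, 0)
    if fields[idx] != "ssh-rsa" or algo != b"ssh-rsa":
        return False, 0, fingerprint, comment  # not RSA: outside the stated requirement
    _exponent, off = read_field(blob, off)
    modulus, _ = read_field(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    return bits >= MIN_RSA_BITS, bits, fingerprint, comment

def constructed_line(bits, comment):
    """Constructed sample: valid ssh-rsa syntax with a made-up modulus, not a usable key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    for sample in (constructed_line(4096, "conflixis-ingest"),
                   constructed_line(1024, "constructed-weak-key")):
        ok, bits, fingerprint, comment = audit_key_line(sample)
        print("OK  " if ok else "FAIL", bits, fingerprint, comment)
```

To audit a real account, pass each non-comment line of the conflixis user's `~/.ssh/authorized_keys` to `audit_key_line` and compare the fingerprints with the output of `ssh-keygen -l -f conflixis_sftp.pub`.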