Appearance
Security and Authentication ​
Secure your MFTPlus deployment with API-key authentication and TLS encryption.
Overview ​
MFTPlus uses API-key authentication for all dashboard and CLI access. Communication between agents and the dashboard is encrypted via TLS.
- API-key authentication — all agents and CLI sessions authenticate with a unique API key
- TLS encryption — all control-plane and data-transfer traffic is encrypted in transit
- AES-256-GCM encryption — transferred files are encrypted end-to-end
- SHA-256 checksums — every transferred file is checksummed for integrity verification
- Audit logging — all transfer activity is logged locally in SQLite
Authentication ​
API Keys ​
Every agent and CLI session authenticates with an API key. Keys are managed from the MFTPlus Cloud Dashboard.
- Navigate to Settings → API Keys
- Click Generate New API Key
- Copy the key immediately — it is shown only once
CLI Authentication ​
bash
# Login with an API key
mftctl login pc-api-xxxxxxxxxxxxxxxx
# Login with a custom server URL
mftctl login --server https://dashboard.mftplus.co.za
# Clear stored credentials
mftctl logoutCredentials are stored in ~/.mftctl/config.json after login.
Configuration Directories
MFTPlus uses two separate configuration directories for different purposes:
- CLI (
~/.mftctl/) — stores credentials, server URL, and session state formftctl - Agent (
~/.config/mft-agent/) — stores agent configuration, transfer logs, certificates, and scheduled job definitions
This separation keeps CLI credentials isolated from agent runtime data.
Environment Variables ​
bash
# Override config file settings
export MFTPLUS_SERVER_URL=https://dashboard.mftplus.co.za
export MFTPLUS_API_KEY=pc-api-xxxxxxxxxxxxxxxxData Protection ​
Encryption in Transit ​
All API and WebSocket traffic between agents, hubs, and the dashboard uses TLS. The MFTPlus cloud enforces TLS 1.2 or higher.
Encryption at Rest ​
Transferred files are encrypted with AES-256-GCM. Encryption is configured per transfer:
bash
mftctl transfers create \
--agent ag-2x8mK9nR \
--source ./sensitive-file.pdf \
--dest sftp://partner.example.com/incoming \
--encryption aes256Supported algorithms:
aes256— AES-256-GCM (default)chacha20— ChaCha20-Poly1305
Checksum Verification ​
Every transfer includes SHA-256 checksum verification. Checksums are computed for each chunk and verified on receipt.
Audit Logging ​
All transfer activity is logged locally on the agent in SQLite format:
- Linux/macOS:
~/.config/mft-agent/transfers.db - Windows:
%APPDATA%\mft-agent\transfers.db
Audit logs can be queried via the dashboard or the CLI:
bash
# List audit log entries
mftctl audit log list
# Verify audit chain integrity
mftctl audit verifyBest Practices ​
- Rotate API keys every 90 days
- Store API keys in environment variables or a secrets manager
- Never commit API keys to version control
- Use separate API keys for different environments (dev, staging, production)
- Monitor audit logs for suspicious activity
- Run
mftctl logoutbefore handing over a machine
Next Steps ​
- Architecture — Understanding MFTPlus security model
- Configuration — Complete configuration reference
- CLI Reference — Security-related commands