Custom SFTP Setup
Provision secure SFTP report delivery using SSH keys and optional GPG encryption.
Set up a brand-specific SFTP account for secure delivery of standard reports. Access uses SSH keys, IP allowlisting, and optional GPG encryption.
Reach can deliver standard reports to a brand-specific SFTP folder. Access is restricted by SSH key authentication and IP allowlisting.
Reports can also be available in Reach Central (RC), based on role permissions.
This is a file-based delivery path. It is designed for scheduled exports and reconciliation workflows.
Who this is for
Brand technical teams (IT, DevOps, security)
Parent brand administrators (for aggregated reporting)
External partners who require controlled report access
Per-brand SFTP setup and report delivery
Parent-brand aggregated reports (SFTP and Reach Central, where enabled)
Role-based visibility (brand vs. parent access)
GPG encryption and decryption of report files
Real-time or streaming delivery
Password-based SFTP authentication
Access model (brand vs. parent)
Capability
Brand
Parent brand
All child brand reports (aggregated)
Standard + brand name column (where applicable)
Not permitted outside the parent’s child brands
Parent aggregation depends on correct brand hierarchy mapping in the platform.
Before you start
You must provide
Egress IP address(es) to allowlist (the machine or NAT IP that will connect)
SSH public key (RSA 2048-bit) for SFTP authentication
GPG public key (optional) for encrypting report files
You will receive from Reach
Request and onboarding flow
Generate an SSH key pair
Create an RSA 2048-bit key pair. Keep the private key secure.
Generate a GPG key pair (optional)
Share only the public key. Keep the private key and passphrase secure.
Email your setup package
Send the following to [email protected]:
GPG public key (ASCII armored, .asc) (optional)
Reach provisions access
Reach DevOps creates the SFTP user and configures folder permissions.
Validate connectivity and file access
Reach shares the endpoint, username, and folder path. You confirm you can connect, list files, and download files.
SSH key generation (Linux/macOS)
Generate an RSA 2048-bit key pair:
Outputs:
Private key: brand-sftp-ssh (do not share)
Public key: brand-sftp-ssh.pub (share with Reach)
Use a passphrase if your security policy requires it.
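A pre-send check for the RSA 2048-bit requirement, as an added example (not Reach's code): it parses the single line of an OpenSSH public key file, confirms the key type and modulus size, and refuses private key material. The function names and the sample keys are constructed for illustration.

```python
import base64

REQUIRED_TYPE = "ssh-rsa"  # the page requires RSA keys
REQUIRED_BITS = 2048       # the page requires 2048-bit keys


def read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_public_key(line):
    """Return (ok, reason) for the single line of an OpenSSH .pub file."""
    if "PRIVATE KEY" in line:
        return False, "private key material, do not send this file"
    parts = line.split()
    if len(parts) < 2 or parts[0] != REQUIRED_TYPE:
        return False, f"not an {REQUIRED_TYPE} public key line"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        key_type, off = read_field(blob, 0)
        _exponent, off = read_field(blob, off)
        modulus, _ = read_field(blob, off)
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    if key_type != REQUIRED_TYPE.encode():
        return False, "key type inside the blob does not match the prefix"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits != REQUIRED_BITS:
        return False, f"RSA modulus is {bits} bits, expected {REQUIRED_BITS}"
    return True, "RSA 2048-bit public key"


def constructed_pub(key_type, modulus_bits):
    """Build a constructed .pub line: valid format, not a usable key."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    def mpint(value):
        return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    n = (1 << (modulus_bits - 1)) | 1  # constructed modulus, top bit set
    blob = field(key_type.encode()) + mpint(65537) + mpint(n)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    for bits in (2048, 4096):
        print(bits, check_public_key(constructed_pub("ssh-rsa", bits)))
```

Pass it the contents of brand-sftp-ssh.pub before emailing the setup package.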
GPG key generation (optional)
Prerequisite: gpg must be installed.
Create a key:
Find the key ID:
Export the public key (share this with Reach):
Export the private key (keep this safe):
Never share private_key.asc. If it leaks, treat it as a security incident.
Connect to SFTP
Use any SFTP client that supports SSH keys. Command-line example:
Reach provides the exact endpoint, username, and folder path via email.
Decrypt downloaded files
If reports are delivered as .gpg files, decrypt them locally:
Authentication: SSH key-based (RSA 2048-bit)
Network control: IP allowlisting
Authorization: folder-level permissions (brand folder isolation)
Encryption: GPG-encrypted files on SFTP (optional)
Key handling: private keys stay with the brand; only public keys are shared
Operational rules and constraints
SSH public keys must be RSA 2048-bit.
Only allowlisted IPs can connect.
Each SFTP user is limited to its assigned folder(s).
Parent-level reports aggregate child brands based on platform hierarchy mapping.
Delivery is file-based only. No event streaming or real-time feeds.
Troubleshooting
Connection refused
Confirm your egress IP is allowlisted.
Authentication failure
Confirm you are using the correct private key for the registered public key.
Confirm the public key provided was RSA 2048-bit.
Decryption failure
Confirm the correct GPG private key is imported on the machine.
Confirm you have the correct passphrase.
Reports missing
Confirm folder path and permissions.
Confirm the report cadence for that report type.
Missing sub-brand data in a parent aggregate
Confirm brand hierarchy mapping is correct and up to date.
Reach routes SFTP requests internally to the right team.