Enhanced Utility Through SFTP Integration

by Aaron, Florian on Wednesday, September 10, 2025

PrivateStorage ships with what we consider to be a user-friendly GUI for syncing folders to the grid. But did you know that its secure storage grid can also be used with many other tools?

By activating the SFTP (Secure File Transfer Protocol) frontend built into the Tahoe-LAFS core of PrivateStorageDesktop, power users can radically expand what’s possible with the same privacy-preserving, zero-knowledge backend. This unlocks automation, compatibility with modern backup tools like borgbackup and restic, advanced workflows, and more:

The SFTP frontend doesn’t stop at backups. It makes PrivateStorage compatible with a whole ecosystem of tools, for example:

References to external tools are for convenience only. PrivateStorage does not endorse these tools and cannot provide technical support for them.
I can wire anything directly into anything!

This is the first in a series of blogs that will explore how to integrate some of these tools with PrivateStorage. But for now let's start with setting up SFTP access.

A word of warning: we'll be copying Tahoe-LAFS capability strings around. These include keys to your data on the PrivateStorage grid and must be kept secret. We've reworked this tutorial to make sure no capabilities are exposed during the process. For example, we avoid copying them to the clipboard, or opening them in editors. I'll repeat:

Attention: Capabilities must be kept secret as they include e2e encryption keys. Anyone with your root capability can read and write all your files on PrivateStorage!

This walk-through has commands for Windows 10 and 11, and we tested it with PrivateStorage Desktop 23.5.1. You may find that these commands are adaptable to other operating systems as well. Please see the appendix for the corresponding Linux commands.

  1. Download, install and set up PrivateStorage Desktop.

  2. Create two RSA key pairs, one for the server (the host key) and one for the client (your user).

    • We'll be using a Windows PowerShell terminal window, working from your home directory. You can use the same terminal session for all steps of this tutorial.
    • Some of the configuration needs a user name. I'll use the current local user name (${env:USERNAME} in PowerShell, which expands (substitutes) to fs-la for me), but you can replace that with something else as long as you do that consistently.
    • The SSH host key (ssh_host_rsa_key) must have an empty passphrase. The user key can also have an empty passphrase.
    • In the terminal window, issue the commands:
      ssh-keygen -t rsa -b 2048 -f AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_host_rsa_key
      ssh-keygen -t rsa -b 2048 -f AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_${env:USERNAME}_rsa_key
      
  3. Many client programs will only accept a private SSH key when you restrict access to the file. The following PowerShell commands limit access to the private SSH keys (the equivalent of chmod 600 on most other operating systems):
    icacls AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_host_rsa_key /inheritance:r /grant:r "${env:USERNAME}:(R,W)"
    icacls AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_${env:USERNAME}_rsa_key /inheritance:r /grant:r "${env:USERNAME}:(R,W)"

    • /inheritance:r removes inherited permissions
    • /grant:r grants the listed permissions to your user only (replacing any existing ones)
    • (R,W) grants read and write permissions
    

    Here's how this should look in the Windows "File properties" GUI:

    A screenshot showing a Windows GUI dialog with the very limited permissions a private ssh key file must have to be accepted by sftp and many other tools.
  4. Create a Tahoe-LAFS accounts file with an account granting access to a subdirectory of your rootcap.

    • See the Tahoe-LAFS documentation on creating the accounts file for more information.
    • We'll call the file accounts as suggested in the Tahoe-LAFS documentation. It has one account per line, in four fields each, separated by spaces:
      <username> ssh-rsa <pubkey> <dircap>
      
    • This PowerShell command creates a folder called sftp-root in your rootcap and generates the accounts file for you:
      "${env:USERNAME} ssh-rsa $((Get-Content AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_${env:USERNAME}_rsa_key.pub).Split()[1]) $(AppData\Local\Programs\PrivateStorage\PrivateStorage-tahoe.exe -d AppData\Roaming\PrivateStorage\PrivateStorage\ mkdir --dir-cap=$(Get-Content AppData\Roaming\PrivateStorage\PrivateStorage\private\rootcap) sftp-root)" | Out-File AppData\Roaming\PrivateStorage\PrivateStorage\private\accounts -encoding ASCII
      
    • This should take a second or so to create the directory and then return to a new prompt (no text is printed). You can check the exit code:
      $LASTEXITCODE
      
      This should return '0' (indicating success).
    • The file should be roughly 477 bytes; the exact size varies slightly with the length of your username:
      ls -l AppData\Roaming\PrivateStorage\PrivateStorage\private\accounts
      
    • Should this tutorial not work for you and you need to debug, check whether the contents of the accounts file look like the following (a single line):
      fs-la ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhEhngBgFxwj4EA7h84GasnZPXdsl+j50BkffgYFmpC59R2odEpEb5Z570W+VlDR/IcXH4OyPRpT7KVc/zjGGxvGQ1VqYPn5KWqNbEnTT/QOhtBDnFk8eyvckqndVkOCcutozrcp4wTSalFEIJ94h21Cq5ByN06GLubLzGr760JDqs4ON/nUwJb02p7yJ0YRn8ODbbYN5xC44j5/D+b0rBFJ2bwBS2DNzsOoZuDFXy0KMPaRAuJzNOF1VpGsORQ6YeW76xmkJB3eiDrNKfPl1Gg9lbkR62zDD6AaE1K+E8sMP2Cl/OZFdrgcWctMc3JB6gXkK7qQVfUnHJKt8kkmWh URI:DIR2:vbqt0f5t89xq2vlymp5jw7jxa1:4zu01tizwz6e96x3n79q7scwgxq99hfxw916nfp18x4vp5rad509
      
      After doing so, since you opened and displayed the file on screen, consider that directory capability as burnt. Run the accounts-file command above again with a different directory name than sftp-root - for example sftp-root-2 - to be safe.
  5. Add an SFTP Frontend configuration block to the bottom of your Tahoe-LAFS configuration file. This lets Tahoe-LAFS know to enable SFTP support using the settings you’ve just prepared.

    Notepad (notepad.exe) is mentioned because it’s built into Windows, but feel free to use a more powerful editor if you have one — it’ll make the process easier.

    notepad AppData\Roaming\PrivateStorage\PrivateStorage\tahoe.cfg
    

    Copy the following to your clipboard and paste it to the end of the file:

    [sftpd]
    enabled = true
    port = tcp:8022:interface=127.0.0.1
    host_pubkey_file = private/ssh_host_rsa_key.pub
    host_privkey_file = private/ssh_host_rsa_key
    accounts.file = private/accounts
    
  6. Restart PrivateStorageDesktop. Clicking PrivateStorage Desktop's [X] button in the upper right corner of the window won't fully shut it down: Instead, select Quit PrivateStorage from the menu that appears when you click the gear icon in the lower-right corner of the PrivateStorage application, or when right-clicking on the PrivateStorage task bar icon.

  7. Test the local Tahoe-LAFS SFTP server. In the terminal, issue the following (if you chose a different user name in step 2, use it here instead of ${env:USERNAME}):

    sftp -i AppData\Roaming\PrivateStorage\PrivateStorage\private\ssh_${env:USERNAME}_rsa_key -P 8022 ${env:USERNAME}@localhost
    

    It should successfully connect and allow you to upload files.
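If the connection in step 7 is refused or the login fails, a malformed accounts file from step 4 is a common cause. The following Python script is an added example (not PrivateStorage or Tahoe-LAFS code) that checks an accounts file offline: it confirms every line has the four fields, decodes the ssh-rsa blob to report the key size, checks that the last field has the shape of a Tahoe directory cap, and flags an account whose cap is the rootcap itself rather than a subdirectory. Because the caps are secrets, the report never contains them. The sample accounts and caps embedded at the bottom are constructed for the demonstration and are not real keys or capabilities.

```python
"""Offline checker for a Tahoe-LAFS SFTP accounts file (added example, not PrivateStorage code).

It parses each `<username> ssh-rsa <pubkey> <dircap>` line, decodes the ssh-rsa blob to
learn the key size, checks the cap has the shape of a DIR2 directory cap, and flags an
account whose cap is the rootcap itself. The report never contains the caps themselves.
"""
import base64
import re
import struct
from typing import List, Optional

# A writable Tahoe directory cap starts with URI:DIR2:, a read-only one with URI:DIR2-RO:;
# both carry a 16-byte key (26 base32 chars) and a 32-byte fingerprint (52 base32 chars).
_DIRCAP_RE = re.compile(r"^URI:(DIR2|DIR2-RO):[a-z0-9]{26}:[a-z0-9]{52}$")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a non-negative integer (a leading zero byte keeps the sign positive)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_ssh_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[start:start + length], start + length


def rsa_key_bits(pubkey_b64: str) -> int:
    """Decode the base64 ssh-rsa blob (ssh-rsa, e, n) and return the modulus size in bits."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    _exponent, off = _read_ssh_string(blob, off)
    modulus, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_accounts(text: str, rootcap: Optional[str] = None) -> List[dict]:
    """Check every non-blank line; each report entry lists problems but never the cap."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = {"line": lineno, "user": None, "key_bits": None, "cap": None, "problems": []}
        fields = line.split()
        if len(fields) != 4:
            entry["problems"].append(f"expected 4 fields, got {len(fields)}")
            report.append(entry)
            continue
        user, key_type, pubkey, dircap = fields
        entry["user"] = user
        if key_type != "ssh-rsa":
            entry["problems"].append(f"key type {key_type!r} is not ssh-rsa")
        try:
            entry["key_bits"] = rsa_key_bits(pubkey)
        except (ValueError, struct.error) as exc:
            entry["problems"].append(f"public key is not a decodable ssh-rsa blob: {exc}")
        match = _DIRCAP_RE.match(dircap)
        if match is None:
            entry["problems"].append("fourth field does not have the shape of a directory cap")
        else:
            entry["cap"] = "writable" if match.group(1) == "DIR2" else "read-only"
        if rootcap is not None and dircap == rootcap.strip():
            entry["problems"].append("cap is the rootcap itself; grant a subdirectory cap instead")
        report.append(entry)
    return report


def make_sample_pubkey(bits: int = 2048) -> str:
    """Constructed ssh-rsa blob around a made-up modulus: right shape, NOT a real key."""
    fake_modulus = (1 << (bits - 1)) | 0x10001   # top bit set, so bit_length() == bits
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(fake_modulus)
    return base64.b64encode(blob).decode("ascii")


# Constructed, obviously fake caps with the right shape; the real ones live in private/.
SAMPLE_ROOTCAP = "URI:DIR2:" + "y" * 26 + ":" + "n" * 52
SAMPLE_SUBDIR_CAP = "URI:DIR2:" + "b" * 26 + ":" + "d" * 52
SAMPLE_ACCOUNTS = "\n".join([
    f"fs-la ssh-rsa {make_sample_pubkey()} {SAMPLE_SUBDIR_CAP}",   # the intended setup
    f"alice ssh-rsa {make_sample_pubkey()} {SAMPLE_ROOTCAP}",      # hands out the whole root
    "bob ssh-rsa not-a-key",                                       # too few fields
])

if __name__ == "__main__":
    # Real use: check_accounts(open("private/accounts").read(), open("private/rootcap").read())
    for entry in check_accounts(SAMPLE_ACCOUNTS, rootcap=SAMPLE_ROOTCAP):
        status = "ok" if not entry["problems"] else "; ".join(entry["problems"])
        print(f"line {entry['line']} user={entry['user']} bits={entry['key_bits']} cap={entry['cap']}: {status}")
```

Run it from the node directory (AppData\Roaming\PrivateStorage\PrivateStorage on Windows, .config/privatestorage/PrivateStorage on Linux) so the relative paths in the comment resolve. The script prints only user names, key sizes and a writable/read-only label, so its output can be pasted into a support request without leaking a capability.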

You should now have an SFTP server running on localhost port 8022 that you can access with sftp (the command line utility I used for testing) or something a bit more feature-rich like Cyberduck.
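The [sftpd] block from step 5 is the other thing worth checking when the server does not come up, and it is also where the listener's exposure is decided: the port value is a Twisted endpoint string, and the interface=127.0.0.1 part is what keeps the SFTP server reachable from this machine only. The following Python script is an added example (not PrivateStorage or Tahoe-LAFS code) that parses the section with configparser, confirms the frontend is enabled and bound to loopback, and, when given the node directory, checks that the three referenced files exist. The embedded sample is the block from step 5, so the check runs offline.

```python
"""Check the [sftpd] block of tahoe.cfg (added example, not PrivateStorage or Tahoe-LAFS code).

Verifies that the frontend is enabled, that the listener is bound to loopback only, and
that the three referenced files exist under the node directory when one is given.
"""
import configparser
import os
from typing import List, Optional

# The block this tutorial adds in step 5, embedded here so the check runs offline.
SAMPLE_CFG = """
[sftpd]
enabled = true
port = tcp:8022:interface=127.0.0.1
host_pubkey_file = private/ssh_host_rsa_key.pub
host_privkey_file = private/ssh_host_rsa_key
accounts.file = private/accounts
"""

LOOPBACK = {"127.0.0.1", "localhost"}


def parse_endpoint(endpoint: str) -> dict:
    """Split a Twisted server endpoint string like tcp:8022:interface=127.0.0.1 into
    type, port and key=value options. (IPv6 literals need escaped colons in that syntax
    and are not handled here; the tutorial uses IPv4.)"""
    parts = endpoint.strip().split(":")
    info = {"type": parts[0], "port": None, "options": {}}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            info["options"][key] = value
        elif info["port"] is None and part.isdigit():
            info["port"] = int(part)
    return info


def check_sftpd(cfg_text: str, node_dir: Optional[str] = None) -> List[str]:
    """Return findings for the [sftpd] section; an empty list means it looks right."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("sftpd"):
        return ["no [sftpd] section: the SFTP frontend is not configured"]
    section = cfg["sftpd"]
    if section.get("enabled", "false").strip().lower() != "true":
        findings.append("enabled is not 'true'")
    endpoint = parse_endpoint(section.get("port", ""))
    if endpoint["type"] != "tcp" or endpoint["port"] is None:
        findings.append("port is not a tcp:<port> endpoint")
    interface = endpoint["options"].get("interface")
    if interface is None:
        # Without interface=, Twisted binds the port on every interface of the machine.
        findings.append("port has no interface= option: the server would listen on every interface")
    elif interface not in LOOPBACK:
        findings.append(f"interface={interface} is not loopback: the SFTP server would be reachable from the network")
    for key in ("host_pubkey_file", "host_privkey_file", "accounts.file"):
        if key not in section:
            findings.append(f"{key} is missing")
        elif node_dir is not None and not os.path.isfile(os.path.join(node_dir, section[key])):
            findings.append(f"{key} = {section[key]} does not exist under {node_dir}")
    return findings


if __name__ == "__main__":
    # Real use on Windows: node = os.path.expandvars(r"%APPDATA%\PrivateStorage\PrivateStorage")
    # then check_sftpd(open(os.path.join(node, "tahoe.cfg")).read(), node)
    print(check_sftpd(SAMPLE_CFG) or "sftpd block looks right")
```

Pass the node directory as the second argument to have the file checks run as well; a missing private/accounts or a public key path that does not match the name chosen in step 2 shows up there.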

Congratulations!

This is an advanced topic and tutorial, so don't be too disappointed if it doesn't work right away.

We are ready to help if needed. If you get stuck, please contact us at support@private.storage.

A screenshot showing Cyberduck under Windows with a bookmark for the local PrivateStorage Tahoe-LAFS SFTP server.

Appendix: Commands for Linux

Commands tested with Ubuntu Linux 22.04 LTS (as above, assuming your working directory is your $HOME):

# Run PrivateStorage Desktop.
./PrivateStorage-Linux.AppImage &

# Create SSH keys
ssh-keygen -t rsa -b 2048 -f .config/privatestorage/PrivateStorage/private/ssh_host_rsa_key
ssh-keygen -t rsa -b 2048 -f .config/privatestorage/PrivateStorage/private/ssh_${USER}_rsa_key

# Extract AppImage so we can use its tahoe program in the next step.
./PrivateStorage-Linux.AppImage --appimage-extract

# Create accounts file.  This should not return anything (especially: no error).
echo "${USER} ssh-rsa $(cut -d' ' -f2 .config/privatestorage/PrivateStorage/private/ssh_${USER}_rsa_key.pub) $(./squashfs-root/usr/bin/PrivateStorage-tahoe -d .config/privatestorage/PrivateStorage/ mkdir --dir-cap=$(cat .config/privatestorage/PrivateStorage/private/rootcap) sftp-root)" > .config/privatestorage/PrivateStorage/private/accounts

# Add the sftpd config from step 5 above to tahoe.cfg:
vi .config/privatestorage/PrivateStorage/tahoe.cfg

# You can remove the extracted AppImage afterwards:
rm -r squashfs-root

# Restart PrivateStorage, and the SFTP server should be up and running.
pkill privatestorage
./PrivateStorage-Linux.AppImage

# Example command to connect to the local SFTP server:
sftp -i .config/privatestorage/PrivateStorage/private/ssh_${USER}_rsa_key -P 8022 localhost