Migration guide
Use learning mode to observe existing SFTP access before enforcing tighter source boundaries. The migration path is designed for operators who need to preserve working integrations while moving toward reviewed per-user access.
Rollout flow
- Observe current access. Run learning mode long enough to capture observed source IPs for active integrations.
- Review identities. Compare observed source IPs with users and SSH keys so each integration has an accountable owner and key path.
- Approve allowlists. Convert the reviewed observations into reviewed per-user source IP allowlists.
- Enforce boundaries. Enable firewall rule enforcement from the reviewed allowlists so future SFTP access is constrained by user and source address.
What to review before enforcement
Treat learning mode output as evidence to review, not as an automatic policy. Confirm each source IP with the owning team, remove stale users and SSH keys, and keep a record of why each address belongs on a user allowlist.
Enforcement should begin only after the allowlists reflect known integrations. Once enabled, firewall rules should follow those reviewed per-user source IP allowlists rather than broad network assumptions.
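The review step in the rollout flow and the pre-enforcement checks above can be scripted as a gap report between what learning mode observed and what was approved. This is an added example, not the product's own code or export format: the record shapes, user names, fingerprints, addresses and the `review` and `ready_to_enforce` helpers are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed learning-mode observations: (user, SSH key fingerprint, source IP).
# This record shape is an assumption, not the tool's export format.
OBSERVED = [
    ("billing-sync", "SHA256:EXAMPLE-KEY-1", "198.51.100.10"),
    ("billing-sync", "SHA256:EXAMPLE-KEY-1", "198.51.100.11"),
    ("partner-drop", "SHA256:EXAMPLE-KEY-2", "203.0.113.7"),
    ("old-vendor", "SHA256:EXAMPLE-KEY-3", "192.0.2.44"),
]

# Constructed reviewed allowlists: user -> {CIDR: recorded reason}.
REVIEWED = {
    "billing-sync": {"198.51.100.10/32": "billing team nightly export"},
    "partner-drop": {"203.0.113.0/29": "partner NAT range, confirmed by owner",
                     "203.0.113.200/32": ""},
}

def review(observed, reviewed):
    """Compare observations with reviewed allowlists and list open findings."""
    seen = defaultdict(set)
    for user, _key, ip in observed:
        seen[user].add(ipaddress.ip_address(ip))  # ValueError on malformed input
    report = {"no_allowlist": [], "unreviewed_ip": [],
              "never_observed": [], "missing_reason": []}
    for user in sorted(seen):
        if user not in reviewed:
            report["no_allowlist"].append(user)  # active user nobody reviewed
            continue
        nets = [ipaddress.ip_network(c) for c in reviewed[user]]
        for ip in sorted(seen[user], key=lambda a: (a.version, int(a))):
            if not any(ip in net for net in nets):
                report["unreviewed_ip"].append((user, str(ip)))  # would be blocked
    for user in sorted(reviewed):
        for cidr, reason in reviewed[user].items():
            net = ipaddress.ip_network(cidr)
            if not any(ip in net for ip in seen.get(user, ())):
                report["never_observed"].append((user, cidr))  # confirm or remove
            if not reason.strip():
                report["missing_reason"].append((user, cidr))
    return report

def ready_to_enforce(report):
    """True only when every finding list is empty."""
    return not any(report.values())

if __name__ == "__main__":
    for finding, items in review(OBSERVED, REVIEWED).items():
        print(f"{finding}: {items}")
```

An allowlist entry that was never observed is not necessarily wrong (a monthly job may fall outside the learning window), so treat that finding as a question for the owning team rather than an automatic removal.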
Platform note
Keep migration testing aligned with the current platform scope: Ubuntu 24.04 LTS and Debian 13 (Trixie).