# SFTP

```{warning}
SFTP is **not** suitable for Tier 2+ data.
```

The {ref}`role_project_team`'s chosen [DPR](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/data_provider_representative/index.html) may wish to carry out the data transfer to the TRE from a remote server and want to  use SFTP for this. An additional intermediary storage account can be set up in Azure to enable this.

1. Open the Azure Portal and set up an SFTP enabled storage account called `<SHM ID><SRE ID>datasftp` or something similar in the same subscription as the storage account used by the TRE, which should be called `<SHM ID><SRE ID>data<hash>` (see screenshots below for help)
    - The current production subscription is called `[Prod] Safe Haven Management V4` *Last edited 2023/05/26*
    - Choose `UK South` as the region and create a temporary resource group
2. In the new storage account, open the `Networking` tab, add the DPR's IP address under `Firewall` and hit `Save`
3. Create a container in the storage account with `write` and `list` permissions called `ingress`
4. Click `SFTP`, then `Add a local user` and create a user called `sftpuser` or similar with a password
    - Have a secure email draft open to paste the password into
5. Send the password and SFTP connection string to the DPR via secure email
    - Connection string: `<SHM ID><SRE ID>datasftp.ingress.sftpuser@<SHM ID><SRE ID>datasftp.blob.core.windows.net`
6. Send them [this guide](https://www.digitalocean.com/community/tutorials/how-to-use-sftp-to-securely-transfer-files-with-a-remote-server) on how to upload if needed
    - e.g. they can do `sftp <conn string>`
7. Once the DPR has uploaded the data, use Azure Storage Explorer to transfer the data to the TRE storage account's ingress container called `<SHM ID><SRE ID>data<hash>`
    - This can be done with a simple copy and paste in ASE if you are authenticated
8. Once all the data is transferred to the TRE storage account, delete the temporary SFTP storage account

<details>
<summary>
SFTP storage account setup screenshots
</summary>

## Storage account

```{image} ../img/SFTP/storage_account.png
:alt: Storage account
:align: center
```

## Enable SFTP

```{image} ../img/SFTP/enable_sftp.png
:alt: Enable SFTP
:align: center
```

## Container permissions

```{image} ../img/SFTP/container_permissions.png
:alt: Container permissions
:align: center
```

## SFTP user

```{image} ../img/SFTP/sftpuser.png
:alt: SFTP user
:align: center
```

</details>