bmuzzy wrote:

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...

I do not agree. Had WinSCP allowed password obfuscation in a script, it would give a script author a false perception of being safe. While this way, it's clear he/she needs to keep the script safe.

>>That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

Perhaps, but it's a lot better than plain text on an "open" command in a batch file...

bmuzzy wrote:

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line

It is not possible to securely encrypt passwords in a way that still allows for automatic use.
That true even for password format WinSCP uses in INI file. It's not really secure. It's just a kind of obfuscation.

bmuzzy wrote:

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

But that's for winscp.exe <session_url> only. You are not doing this. You are using open command.

Oh wait, I just realized that WinSCP already does exactly this! I saved a session to winscp.ini and it includes:

[Sessions\[email protected]]
[email protected]
PortNumber=990
UserName=user
FSProtocol=5
LocalDirectory=C:%5C
RemoteDirectory=/
Ftps=1
Password=A35C7B54F34BB2B0D6D443443E30313A282C2F3D723433292F35323B723E392E373930392572393829332C39322F392F3D3139

However I just read in the documentation "For security reasons, when protocol (such as sftp://) is provided as part of session URL (possible execution from web browser/Windows Explorer), all command-like parameters that cause any automatic action are ignored, including /defaults, /log, /script and /command. "

In my case, I want to use WinSCP as part of a SQL Server Agent Job. The security risk is minimal because of the restricted access to the SQL server. Having WinSCP read the password from winscp.ini would be preferable to having to pass it in clear text on the command line.

Does that make sense?
Thanks!

The password could be stored in encrypted format in a file. The open command would reference a variable like $pwd01 that would fetch the password from the file, decrypt it and pass it to the command line, e.g.;
open ftps://user:$pwd01@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

How would you image this?
I'm not aware of any way to protect a password (or any other piece of information), yet be able to automatically use it.

I want to schedule FTPS transfers without having to put a password in clear text in the script file, e.g.;
open ftps://user:password@ftpsa.mydomain.com -implicit -certificate="01:fe:1c:7e:ae:a0:2e:9a:40:b0:8b:1d:ba:88:16:c2:92:71:a7:2b"

What are the options for password security with FTPS and the portable command line version of WinSCP? Preferences>Security isn't available with the portable version apparently, so using a Master Password isn't an option.

Thanks!