Making FileZilla FTP Client's passwords more secure with TrueCrypt

Note: TrueCrypt was discontinued in 2014 due to security vulnerabilities. See this page for a list of alternatives. The concept is still the same.

For years I've used the FileZilla FTP client to transfer client files because it's free, reliable, and easy to use.  Everything was great until I recently learned that malware exists that targets this trusty tool's configuration files.  FileZilla stores FTP passwords in plain text, and the malware authors exploit this fact to spread their evil payloads via unsuspecting web developers like myself.

I researched forums, bug reports, and settings files for a few weeks, and wasn't able to find an easy solution.  I did finally see one possibility - use an open source encryption tool called TrueCrypt and the portable version of FileZilla to create an encrypted volume containing the entire application and settings.  This seemed like a great idea, but required several extra steps each time you wanted to use FileZilla.  Additionally, while the encrypted volume was mounted, it could be accessed just like any other disk.  So you would need to manually unmount your encrypted volume after each use, or malware could find the settings.

I wanted something better.  Ideally, I wanted to be prompted for a password every time I started FileZilla, and that password would temporarily decrypt the settings file.  After some experimentation, I came up with a recipe to do just that, which I'll detail below.  This tutorial is written for the Windows operating system, but could be adapted for Linux or Mac OS fairly easily.

Download requisite files

Create an encrypted volume file

I created a 20MB password-protected volume, located in "C:\Program Files\FileZilla Secure\", with the filename "encrypted".

Mount the new encrypted volume as a drive letter using the TrueCrypt UI

Select the volume file created above and assign a drive letter.  I chose to mount my volume as drive letter X.  If you change this, be sure to replace X in the scripts below with your choice. Once mounted, you should see an empty 20MB disk at the drive letter of your choice.

Install FileZilla portable to the encrypted volume

In my example, my encrypted volume is mounted at drive letter X, and I installed to a folder called "X:\FileZilla Secure".

Export, then import your site manager settings into the portable installation

This will bring in all of your sites and settings to the installation of FileZilla Portable on drive X.  Import and Export is found in the "File" menu.

Unmount the encrypted volume

Use the TrueCrypt UI to unmount drive letter X.  We will later remount automatically from a script.

Mount, launch, wait, unmount, exit script

Create the following Windows CMD script:

@echo off
REM Mount the volume as X: (TrueCrypt prompts for its password)
cd /d "c:\Program Files\FileZilla Secure\"
"c:\Program Files\TrueCrypt\TrueCrypt.exe" encrypted /letter x /quit
REM The portable install is on the encrypted volume (X:\FileZilla Secure), so
REM switch drive too (/d); if the mount failed or was cancelled, stop here.
cd /d "X:\FileZilla Secure\FileZilla Portable\" || exit /b 1
start /WAIT FileZillaPortable.exe
REM FileZilla has closed: dismount so the settings file is unreadable again
"c:\Program Files\TrueCrypt\TrueCrypt.exe" /force /dismount x /quit

This script mounts the encrypted volume, which prompts for a password.  Then it launches FileZilla Portable and waits. When you close FileZilla Portable, the script resumes, and the encrypted volume is unmounted, making the encrypted config file inaccessible.  The script then exits.

Create a VBScript launcher script (optional)

This nifty script will launch the above CMD script without a visible window, so your taskbar is not crowded.

' Run filezilla.cmd (saved beside this .vbs) hidden (0) and wait for it (True)
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
WshShell.CurrentDirectory = fso.GetParentFolderName(WScript.ScriptFullName)
rc = WshShell.Run("filezilla.cmd", 0, True)
Set WshShell = Nothing

Create a shortcut to make it look pretty (optional)

Create a shortcut to the above script (either one) and rename it to "FileZilla FTP Client", then select the FileZilla icon.  Now your shortcut functions and looks just like FileZilla, but is password-protected by the CMD script.

Uninstall your original FileZilla installation

This ensures that no unencrypted config file is readable unless FileZilla Portable is running from your handy shortcut.

Verify that your unencrypted FileZilla settings are removed

On my Windows 7 machine, the uninstaller did not do this.  The FileZilla FAQ says this:

  • Where does FileZilla store all its sites and settings?
    The location of FileZilla's settings directory depends on your operating system. On most systems, sites and settings are stored in the ~/.filezilla directory. The odd exception is Windows, where the settings are stored in the %APPDATA%/FileZilla directory. 

I found them at C:\Users\<my user>\AppData\Roaming\FileZilla
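As an added check for this last step (example code written for this page, not FileZilla's own tooling): a small Python script that scans a settings directory for sitemanager.xml, recentservers.xml and filezilla.xml and reports which saved servers still carry a <Pass> element, without ever printing the password itself. It assumes FileZilla's FileZilla3 XML layout (Server elements with Host, User and Pass children; newer clients mark the value with encoding="base64", which is still not encryption), and the sample XML below is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Settings files that can carry saved logins (assumed file names).
SETTINGS_FILES = ("sitemanager.xml", "recentservers.xml", "filezilla.xml")

def find_stored_credentials(xml_text):
    """Return (host, user, encoding) for each <Server> that still has a <Pass>.
    The secret itself is never returned. 'plain' = stored as-is; 'base64'
    (newer clients) is only an encoding, not encryption."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # e.g. anonymous or ask-for-password entries
        host = (server.findtext("Host") or "").strip()
        user = (server.findtext("User") or "").strip()
        found.append((host, user, pw.get("encoding", "plain")))
    return found

def audit_settings_dir(settings_dir):
    """Map file name -> saved credentials for each settings file under
    settings_dir (e.g. %APPDATA%\\FileZilla); {} means clean or absent."""
    report = {}
    for name in SETTINGS_FILES:
        path = os.path.join(settings_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                hits = find_stored_credentials(f.read())
            if hits:
                report[name] = hits
    return report

# Constructed sample in the FileZilla3 layout: a plaintext entry, a base64
# entry and an anonymous entry with no saved password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><Port>21</Port><User>alice</User>
    <Pass>hunter2</Pass><Name>Client A</Name></Server>
  <Server><Host>ftp2.example.test</Host><Port>21</Port><User>bob</User>
    <Pass encoding="base64">aHVudGVyMg==</Pass><Name>Client B</Name></Server>
  <Server><Host>anon.example.test</Host><Port>21</Port><User>anonymous</User>
    <Logontype>0</Logontype><Name>Public</Name></Server>
</Servers></FileZilla3>"""

if __name__ == "__main__":  # audit the real location on this Windows machine
    print(audit_settings_dir(os.path.join(os.environ.get("APPDATA", ""), "FileZilla")))
```

An empty result means nothing under %APPDATA%\FileZilla still holds a login; any entry listed is a file the uninstaller left behind and should be deleted (or moved into the encrypted volume).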