Backup PGP Management Server to Windows using SCP (Symantec Encryption Management Server)

Article ID: 276900

Products

PGP Key Management Server

Issue/Introduction

By default, the PGP Encryption Server (Symantec Encryption Management Server) stores its system backups locally, but it can also upload backups to another host using SCP.

Storing backups on a different host is clearly far preferable. Both password-based and key-based authentication are supported; key-based authentication is considered more secure.

OpenSSH Client and Server are included in Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022. OpenSSH Server can be installed on Windows and the PGP Encryption Server can upload backups to it.

For more information about OpenSSH Server configuration, please see the Microsoft documentation.

Resolution

A. Install OpenSSH Server on Windows

  1. Log in with an account that has local administrative permissions. This can be a domain account or a local account.
  2. Click on the Start menu, search for Manage optional features and open it (in Windows 11, search for Optional features).
  3. Click on Add a feature (in Windows 11, click on Add an optional feature).
  4. Search for OpenSSH Server and install it.
  5. Open the Services app and start OpenSSH SSH Server.
  6. Set OpenSSH SSH Server to start automatically.
  7. Create a folder in which to store the PGP Encryption Server backup files, for example c:\backup. If additional local drives are available, you can create the backup folder on one of them, for example e:\backup. Note that drive letters mapped to shared network folders cannot be used.
  8. Change the default shell used by OpenSSH Server from the Windows Command shell to PowerShell. This change is necessary because PowerShell provides the Linux commands that the backup process relies on, such as ls and rm, which the Command shell does not. Open PowerShell as Administrator and run the following command:
    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
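
The following PowerShell script is an added example and is not part of this article: it performs steps 2 to 8 of section A in one elevated session and ends by printing a summary object so that each step can be verified. Step 1 (logging in with an administrative account) is still done by hand. It assumes the backup folder C:\backup from the example above and that the OpenSSH Server optional feature is exposed through Get-WindowsCapability, as it is on the Windows versions listed in the introduction.

```powershell
# Added example, not from the article: performs steps 2 to 8 of section A in one
# elevated PowerShell session. Assumptions: the backup folder is C:\backup (the
# article's example) and the OpenSSH Server optional feature is exposed through
# Get-WindowsCapability, as it is on Windows 10/11 and Windows Server 2019/2022.
#Requires -RunAsAdministrator

$BackupFolder = 'C:\backup'   # assumed location; any local (non-mapped) drive will do

# Steps 2-4: install the OpenSSH Server optional feature if it is not already present.
$capability = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Server*' }
if (-not $capability) {
    throw 'OpenSSH Server is not available as an optional feature on this Windows build'
}
if ($capability.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability.Name | Out-Null
}

# Steps 5-6: start the OpenSSH SSH Server service (sshd) and set it to start automatically.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# Step 7: create the backup folder; mapped network drives cannot be used as a target.
if (-not (Test-Path -LiteralPath $BackupFolder)) {
    New-Item -Path $BackupFolder -ItemType Directory | Out-Null
}

# Step 8: make PowerShell the default shell for SSH sessions so that the ls and rm
# commands used by the backup process are available (the article's own command).
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null

# Verification: one object summarising the state after each step so a wrong
# value (service stopped, manual start type, wrong shell) is obvious at a glance.
$sshd = Get-Service -Name sshd
[pscustomobject]@{
    OpenSSHServerState = (Get-WindowsCapability -Online -Name $capability.Name).State
    SshdStatus         = $sshd.Status
    SshdStartType      = $sshd.StartType
    BackupFolderExists = Test-Path -LiteralPath $BackupFolder
    DefaultShell       = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH').DefaultShell
}
```

The script is safe to run more than once: every step checks or overwrites the current state rather than assuming a clean machine, so it can be re-run after a failed install to confirm that sshd is Running, its start type is Automatic and DefaultShell points at powershell.exe.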


B. Configure backups in PGP Encryption Server

  1. Log in to the administrative console.
  2. Navigate to System / Backups.
  3. Click on the Backup Location button.
  4. Select the option Save backups to a remote location.
  5. From the Protocol dropdown list, select SCP Keypair Authentication.
  6. Enter the IP address or hostname of the Windows machine.
  7. In the Directory field, enter the Windows backup directory, for example c:\backup.
  8. In the Username field, enter the Windows username. This is the username that you used when installing OpenSSH Server. If it is a domain account, use the format domain\user.
  9. Click the + icon to the right of the SSHv2 Key field to add an SSH key.
  10. On the Update SSH Key page, click the Import button to generate and import a new key. This populates the SSHv2 Key field on the Backup Location page.
  11. Click the download button to the right of the SSHv2 Key field and then click the Export button to download the public key. The file name will be backup-ssh-key.pub. This public key is required by OpenSSH Server on the Windows machine.
  12. Optionally, enter a name in the Backup Name field. All backups will begin with this name.
  13. Click Save.

C. Import the public key to the Windows machine running OpenSSH Server

  • Rename the backup-ssh-key.pub file to administrators_authorized_keys (note that there is no file name extension).
  • Copy the administrators_authorized_keys file to the folder C:\ProgramData\ssh (you will need administrator permissions).
  • Set the correct permissions on the file (only Administrators and SYSTEM have Full Control). To do this, open a command prompt with administrative permissions and enter the following command:
icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"

D. Modify the PowerShell ls Alias

Although PowerShell has a built-in ls alias (for Get-ChildItem), it returns multi-column output, whereas the Linux ls command returns only file names. This makes it incompatible with the PGP Encryption Server backup process, so the PowerShell ls alias needs to be overridden. To do this, create a PowerShell profile that replaces the standard ls alias:

  • Create the folder C:\Users\user1\Documents\WindowsPowerShell, where user1 is the username specified on the Backup Location page of the PGP Encryption Server.
  • In that folder, create a text file called Microsoft.PowerShell_profile.ps1 containing the following lines:
# Return only the names of the items in the directory given as the first argument (single-column, like Linux ls)
Function lsNameOnly {Get-ChildItem -Path $Args[0] -Name}
# Replace the built-in ls alias (Get-ChildItem) in every scope with the function above
Set-Alias -Name ls -Value lsNameOnly -Option AllScope
  • By default, users do not have permission to execute PowerShell scripts, including the Microsoft.PowerShell_profile.ps1 profile script. Therefore, open PowerShell as the backup user and run the following command to allow the profile script to run for that user:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

E. Run a Test Backup

  1. Log in to the PGP Encryption Server administrative console.
  2. Navigate to System / Backups.
  3. Click on the Backup Now button.
  4. Optionally provide a backup name, then click the Backup button.
  5. Check that the backup file exists in the specified backup folder on the Windows machine.
  6. Check that the details of the backup are listed under System / Backups.
  7. Delete the backup from System / Backups to check that this functionality is working correctly.

F. Use a Standard Windows Account

If you do not wish to use a Windows account with local administrator permissions, you can use a standard user account (either a local or domain account):

  1. Log in to Windows with the standard user account. This is necessary for the user folder to be created in the C:\Users directory.
  2. Open File Explorer and navigate to C:\Users\username, where username is the Windows login name.
  3. Create the folder .ssh (note the leading . in the folder name).
  4. Copy the backup-ssh-key.pub file containing the public SSH key into the .ssh folder.
  5. Rename the backup-ssh-key.pub file to authorized_keys (note that there is no file extension).
  6. Create a Microsoft.PowerShell_profile.ps1 PowerShell profile using the steps from section D above.
  7. Give the user permission to execute the PowerShell profile using the steps from section D above.
  8. In the PGP Encryption Server, use the user name of the standard Windows user as the Username in the Backup Location settings.
  9. Check that either the user or Authenticated Users has read, write and modify permissions for the backup folder.
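
As an added example that is not part of this article, the PowerShell script below installs the exported backup-ssh-key.pub for either case described above: without -StandardUser it writes administrators_authorized_keys and applies the icacls permissions from section C; with -StandardUser it writes authorized_keys under the user's .ssh folder as in steps 3 to 5 of section F. It then lists the resulting file ACL so that an unexpected principal is visible before the first backup is attempted. The parameter names, the script file name, the C:\temp location used for the exported key and the assumption that the standard user's profile lives directly under C:\Users\<username> are mine, not the article's.

```powershell
# Added example, not from the article: installs the public key exported from the
# PGP Encryption Server (backup-ssh-key.pub) on the Windows OpenSSH Server host.
# Without -StandardUser: section C (administrators_authorized_keys + article's icacls ACL),
# run from an elevated prompt. With -StandardUser: section F (C:\Users\<user>\.ssh\authorized_keys).
# Parameter names and the C:\Users\<user> profile path are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string] $PublicKeyFile,      # e.g. C:\temp\backup-ssh-key.pub (assumed location)

    [string] $StandardUser        # plain login name, e.g. 'pgpbackup'; omit for an administrator account
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $PublicKeyFile)) {
    throw "Public key file not found: $PublicKeyFile"
}

# Sanity check: an OpenSSH public key is one line of the form '<type> <base64> [comment]'.
$key = (Get-Content -LiteralPath $PublicKeyFile -Raw).Trim()
if ($key -notmatch '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+[A-Za-z0-9+/=]+') {
    throw "$PublicKeyFile does not look like an OpenSSH public key"
}

if ($StandardUser) {
    # Section F: the profile folder exists only after the user has logged in to Windows once.
    $profileRoot = Join-Path 'C:\Users' $StandardUser
    if (-not (Test-Path -LiteralPath $profileRoot)) {
        throw "Profile folder $profileRoot not found; log in to Windows as $StandardUser once, then rerun"
    }
    $sshDir = Join-Path $profileRoot '.ssh'
    if (-not (Test-Path -LiteralPath $sshDir)) {
        New-Item -Path $sshDir -ItemType Directory | Out-Null
    }
    $target = Join-Path $sshDir 'authorized_keys'
    Set-Content -LiteralPath $target -Value $key -Encoding Ascii
}
else {
    # Section C: one shared file for all administrators. sshd accepts it only when
    # Administrators and SYSTEM are the sole principals with access, hence the ACL reset.
    $target = 'C:\ProgramData\ssh\administrators_authorized_keys'
    Set-Content -LiteralPath $target -Value $key -Encoding Ascii
    icacls $target /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
}

# Verification: show every principal with access to the key file. Entries beyond the
# expected ones are the usual reason sshd silently rejects the key.
Write-Output "Installed key for $(if ($StandardUser) { $StandardUser } else { 'administrators' }) at $target"
(Get-Acl -LiteralPath $target).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Saved as, for example, Install-BackupKey.ps1 (a name chosen here), it is run either as `.\Install-BackupKey.ps1 -PublicKeyFile C:\temp\backup-ssh-key.pub` from an elevated prompt for an administrator account, or as `.\Install-BackupKey.ps1 -PublicKeyFile C:\temp\backup-ssh-key.pub -StandardUser pgpbackup` for a standard account. The key file is read and written as ASCII because the Windows OpenSSH server expects a plain single-line key rather than a UTF-16 or BOM-prefixed file.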


G. Use SCP Password Authentication

If you do not wish to create keys for authentication, you can use SCP Password Authentication. Best practice is to use a standard user account (either a local or domain account) rather than a local admin account:

  1. Log in to Windows with the standard user account.
  2. Create a Microsoft.PowerShell_profile.ps1 PowerShell profile file using the steps from section D above.
  3. Give the user permission to run the PowerShell profile using the steps from section D above.
  4. Log in to the PGP Encryption Server administrative console.
  5. Navigate to System / Backups.
  6. Click on the Backup Location button.
  7. Select the option Save backups to a remote location.
  8. From the Protocol dropdown list, select SCP Password Authentication.
  9. Enter the IP address or hostname of the Windows machine.
  10. In the Directory field, enter the Windows backup directory, for example c:\backup.
  11. In the Username field, enter the Windows username of a standard local or domain account. If it is a domain account, use the format domain\user.
  12. In the Passphrase field, enter the password of the account.
  13. Optionally, enter a name in the Backup Name field. All backups will begin with this name.
  14. Click Save.
  15. Check that either the user or Authenticated Users has read, write and modify permissions for the backup folder.