How to set up sFTP for using Certificate Authentication on Linux

These instructions apply to users who are receiving their statements via sFTP. If you elected to receive your statements via sFTP, you would first need to generate an RSA Key pair.

There are many Linux distributions and multiple ways to access the IBKR sFTP server. sFTP clients such as FileZilla can be used. This article explains how to connect to the IBKR sFTP server using Ubuntu Linux and FileZilla.

 

  • How to generate an RSA Key pair

1. On your Linux machine, click on the Applications icon in the bottom left corner of your screen.

2. In the search box, type terminal and then click on the Terminal icon in the search results.
 
3. In the Terminal window, type sudo apt-get install filezilla putty-tools in order to install the required software. Enter your sudo password when requested.


4. Once the software installation is complete, type puttygen -t rsa -b 2048 -o privatekey.ppk in order to generate the RSA Key pair.
You will be asked to enter a passphrase and type it again to confirm.
PLEASE NOTE: Keeping a secure copy of this password is essential. Any loss of this password will require the whole process to be repeated.
 
5. Type puttygen -L privatekey.ppk -o public.key in order to export the public part of the Key pair to the file public.key


6. Click on the Applications icon in the bottom left corner of your screen.
 
7. In the search box, type FileZilla and then click on the FileZilla icon in the search results.

8. Click on the FileZilla top menu File -> Site Manager...
 
9. In the Site Manager window, click on the button New site to create a new connection.
 
10. In the right panel (called General):
  • Select SFTP - SSH File Transfer Protocol as Protocol
  • Enter xfer.interactivebrokers.com in the Host field
  • Enter 32 in the Port field
  • Select Key file as Logon Type
  • Enter the username provided to you by Interactive Brokers in the User field
 
11. Click on Browse next to the Key file field.
 
12. Move to the folder where your Key pair was created (normally your user folder: /users/yourusername/). Select the file privatekey.ppk and click on the Open button. This will set it as the Key file in your connection parameters.
 
13. Click on Rename and select a name of your preference for this connection (e.g. IBKR sFTP). Press Enter to confirm the name.
 
14. Click on OK to save your connection parameters.
 
15. Click on the folder icon on the left hand toolbar of your Desktop. This will launch the File application.
 
16. Move to the folder where you saved your Key pair (normally your user folder: /users/yourusername/). Right click on the file public.key and select Send to...
The file will be attached to an empty email. Send the email to the Reporting Integration Team, as per IBKB3842.
Important Note: do NOT send us your private key. Send us only your public one
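
A pre-send check for the file exported in step 5 and attached in step 16, as an added example that is not IBKR's own code: it refuses any file that carries private key material and confirms that a one-line ssh-rsa public key has a 2048-bit modulus. The function names and sample inputs are constructed for illustration, and it assumes public.key holds the one-line OpenSSH format written by puttygen -L.

```python
import base64
import struct

# Strings that only occur in files carrying private key material.
PRIVATE_MARKERS = (
    "PuTTY-User-Key-File-",    # header of a .ppk file such as privatekey.ppk
    "Private-Lines:",          # private section inside a .ppk file
    "PRIVATE KEY-----",        # PEM / OpenSSH private key armor
    "PRIVATE KEY BLOCK-----",  # armored PGP secret key export
)


def _read_field(blob, offset):
    """Read one SSH wire-format field: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def rsa_bits_from_openssh_line(line):
    """Return the RSA modulus size in bits of a one-line 'ssh-rsa AAAA...' key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not a one-line ssh-rsa public key")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("unexpected data after the modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_before_sending(text, required_bits=2048):
    """Return (ok, reason) for the contents of a file about to be sent."""
    for marker in PRIVATE_MARKERS:
        if marker in text:
            return False, "contains private key material: %r" % marker
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1 or not lines[0].startswith("ssh-rsa "):
        return False, "not a one-line ssh-rsa public key"
    try:
        bits = rsa_bits_from_openssh_line(lines[0])
    except ValueError as exc:
        return False, "malformed ssh-rsa key: %s" % exc
    if bits != required_bits:
        return False, "RSA modulus is %d bits, expected %d" % (bits, required_bits)
    return True, "ssh-rsa public key, %d bits" % bits


def make_constructed_public_line(bits):
    """Build a well-formed ssh-rsa line around a constructed, non-secret modulus."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = (1 << (bits - 1)) | 1  # constructed value, not a real RSA modulus
    n_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")  # leading 0: positive mpint
    blob = field(b"ssh-rsa") + field((65537).to_bytes(3, "big")) + field(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-example"


# Constructed stand-in for the first lines of a .ppk file (no real key data).
SAMPLE_PPK = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nPrivate-Lines: 14\n"

if __name__ == "__main__":
    print(check_before_sending(make_constructed_public_line(2048)))
    print(check_before_sending(make_constructed_public_line(1024)))
    print(check_before_sending(SAMPLE_PPK))
```

To check a real file, pass its contents, for example check_before_sending(open("public.key").read()).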

 

  • How to connect to our sFTP Server

Once IBKR has configured the parameters for your connection on our servers, you will be notified. After that, you will be able to access your sFTP repository by using the Site connection you have created in FileZilla. In case you have not yet set up a Site connection, please follow the steps from 6. to 14. which are a prerequisite to the below steps:

1. Click on the Applications icon in the bottom left corner of your screen.
 
2. In the search box, type FileZilla and then click on the FileZilla icon in the search results.
 
3. On the FileZilla top toolbar, click the down arrow icon and select the Site connection you previously created (e.g. IBKR sFTP)
 
4. FileZilla will now establish a connection to our sFTP Server and show the files present in your repository.

 

Common issues and solutions

A. The Login Credentials Provided are Incorrect
  1. Ensure the correct login details are being used to connect to the sFTP server. The username and password you are entering should match the ones you have received from the Reporting Integration Team.
  2. Confirm you have configured your sFTP Client to use the Private Key file for the logon authentication (see steps 9. and 10. of the above procedure.)
B. Server Refused Our Key
  1. Try accessing the sFTP server using a different Client (CyberDuck, etc.)
  2. Ensure the Private Key file being used to Authenticate the server login attempt is related to the Public Key you originally sent to the Reporting Integration Team.
  3. Should the above checks be unable to resolve the issue, please generate a new RSA Public/Private Key pair and send only the Public part to the Reporting Integration Team, as per IBKB3842.
C. Connection Timed Out
  1. In case you have an antivirus or other security software installed on your machine, make sure it is not blocking the FTP connection attempt. Normally, security software allows you to set up exceptions for specific connections in order to whitelist them.
  2. Verify that the public IP Address of the machine running the sFTP client is the same one you originally provided to the Reporting Integration Team for whitelisting. You can discover your public IP Address by searching the Internet for “what is my IP”. If your current IP Address is not the one you provided to us, please send it to our Reporting Integration Team for whitelisting.
  3. Ask your network administrator/s to confirm that your firewall allows both incoming and outgoing traffic from/to xfer.interactivebrokers.com on port TCP 32.
  4. Should the above steps be unable to resolve the issue, please generate a new RSA Public/Private Key pair and send only the new Public part to our Reporting Integration Team, as per IBKB3842.

 

References

KB3968 - Generate a key pair using GPG for Windows
KB4205 - Generate a key pair using GPG Suite on macOS
KB4108 - Decrypt your Reports using GPG for Windows
KB4210 - Decrypting Reports using your PGP Key pair on macOS
KB4407 - Generate RSA Key Pair on Windows
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another

 

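What does the accrued interest reversal item on the Activity Statement represent?

Overview:

Each day, IBKR calculates and reports, in the Accrued Interest section of the Activity Statement, the interest expected or accrued to be earned or paid for the statement period. In approximately the first week of each month, the prior month's accrued interest is "returned" or reversed, and the actual interest for that month is posted in the Cash Report section. The accrued interest reversal takes place once a month and, after adjustment, should be close to the actual interest, but the two may not always be exactly the same because the accrual is a projection of the actual interest.

Account holders should also note that accrued interest for the reporting period must exceed USD 1 (positive or negative) before it is displayed. Balances below USD 1 are retained and will be displayed once the amount, with future accrued interest added, exceeds USD 1.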

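Credit Interest on Short Stock Sale Proceeds

Overview:

How to determine the credit interest or fees associated with stock borrow positions

Background:

When an account holder sells stock short, IBKR borrows the corresponding quantity of shares on the account holder's behalf in order to meet the obligation to deliver the shares to the buyer. Under the stock loan agreement for the borrowed shares, IBKR is required to provide cash collateral to the stock lender. The amount of the cash collateral is based on an industry-standard calculation of the stock's value, referred to as the collateral mark.

The stock lender pays IBKR interest on the cash collateral at a rate that is usually lower than the prevailing market rate for cash collateral deposits (typically pegged to the Fed Funds Effective rate for USD-denominated cash deposits); the difference serves as the fee the lender charges for providing this service. For hard-to-borrow stocks, the fee charged by the lender rises accordingly, which may cause the net rate to turn negative so that IBKR is charged instead.

Many brokers provide a partial interest rebate only to institutional clients, but all IBKR clients can earn interest on the portion of their short stock sale proceeds that exceeds USD 100,000 or the equivalent in another currency. When the supply of a security available to borrow exceeds the demand to borrow it, the interest rate an account holder can earn on their short stock balance equals the benchmark rate (for example, the Fed Funds Effective overnight rate for USD balances) minus a spread (currently ranging from 1.25% (for balances in the USD 100,000 tier) to 0.25% (for balances above USD 3 million)). Rates may change without prior notice.

When an imbalance between supply and demand for a particular security makes it hard to borrow, the interest rebate provided by the lender is reduced and may even result in a charge to the account. Such a rebate or charge is passed on to the account holder in the form of a higher borrow fee, which may exceed the interest earned on the short sale proceeds, so that on balance the account ends up paying a fee. Because rates vary by security and by date, IBKR recommends that clients use the "Short Stock Availability" tool, accessible through the Support section of Client Portal/Account Management, to view indicative rates for short sales. Please note that the indicative rates shown in these tools correspond to the interest IBKR pays on short sale proceeds for Tier III balances, i.e. short sale proceeds of USD 3 million or more. For lower balances, the rate is adjusted according to the balance tier and the benchmark rate for the currency of the trade. The applicable rate can be calculated with the "Interest Paid to You on Short Sale Proceeds Cash Balances" calculator.

Please see the Securities Financing (stock borrowing) page for more examples and a calculator.

Important Note
Information on shares available to borrow and indicative rates in the "Short Stock Availability" tool and in TWS is provided on a best-efforts basis, with no guarantee of its accuracy or validity. "Short Stock Availability" includes information from third parties and is not updated in real time. Rate information is indicative only. Trades executed in the current trading session generally settle within 2 business days, and actual availability and borrow costs are determined on the settlement date. Traders should note that rates and availability may change materially between the trade date and the settlement date, particularly for thinly traded stocks, small-cap stocks and stocks with an upcoming corporate action (including dividends). For details, see Operational Risks of Short Selling.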

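Do non-U.S. residents have to pay withholding tax?

Overview:

Information related to tax obligations is reported, as required, to the tax authorities of your country of residence and of other countries (where the products traded are subject to local withholding tax requirements). Unless explicitly required by a tax authority, IBKR does not withhold tax on income from securities trading. Under U.S. tax law, we withhold tax at a rate of 30% on dividends paid by U.S. companies to foreign persons. If there is a tax treaty between the United States and your country, a reduced rate may apply. In addition, there is no U.S. withholding tax on investment interest income. All withholding tax for non-U.S. persons and most entities is reported at the end of each year on Form 1042-S. For more information, see IRS 901 and/or consult your tax advisor.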

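Why does the Cash Report section of the Activity Statement reflect internal transfers between securities and commodities?

Under regulatory requirements, IBKR must segregate the securities assets and the commodities assets in your account. The commodities assets may include the market value of futures options positions plus the cash used as margin for commodity futures and futures options positions. The margin requirement for your commodities positions is recalculated periodically; if the margin requirement decreases, the excess cash is transferred from the commodities segment of the account to the securities segment. Likewise, if the commodities margin requirement increases, IBKR transfers funds from the securities segment to the commodities segment. Because the insurance coverage of the U.S. Securities Investor Protection Corporation (SIPC) applies to assets in the securities segment of your account (not the commodities segment), these periodic transfers are also intended to ensure that your cash receives the maximum level of protection. Please note that these cash movements represent journal entries within your account that offset each other and therefore have no effect on the account's total cash balance (see the Total column of the Cash Report in the Activity Statement).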

Generate RSA Key Pair on Windows

These instructions apply to users who are receiving their statements via sFTP. If you elected to receive your statements via sFTP, you would first need to generate an RSA Key pair.

To generate an RSA Key pair:

1. Download WinSCP.

2. Run the installer and make sure to check PuTTYgen (key generator) as one of the components to install.

3. Start WinSCP and from the button Tools select Run PuTTYgen.


4. Once the tool PuTTYgen has been launched, click Generate. Select RSA as Type of key to generate, 2048 as Number of bits in generated key and click on the button Generate.

5. Click "Save private key" and give the file a name (like private). Leave the extension as .ppk ('ale.ppk' is an example filename).
Important Note: do NOT save your public key yet. Save only your private one.

6. Open WinSCP, create a new connection and:
  • Select SFTP as File protocol.
  • Enter xfer.interactivebrokers.com in the Host name field.
  • Enter 32 in the Port number field.
 
7. Click on the button Advanced.

8. In the Advanced Site Settings screen, left side menu, expand SSH and select Authentication. Click on the button ... at the end of the field Private Key file and open the private key you previously saved at point 5):

9. Click on the button Display public key:
 
10. Click on the button Copy Key.

11. Open Notepad, press CTRL+V to paste the key string (which is one string of characters without spaces) and then save the file with the name public.key in a folder of your preference:


12. Send the file you saved at the previous step to us via Message Center ticket or email as per instructions on IBKB3842
 
13. In the WinSCP Window, click on "OK" in the information pop-up showing the key, then "OK" in the Advanced Site Settings screen, then click on Save to save the new connection you have created.
 
14. Once the IBKR Sales Engineering Team has configured the parameters for your connection on our servers, you will be able to access your SFTP repository by using the connection you have created.
 
Related articles

KB3842 - Using GPG/RSA encryption keys to guarantee the privacy and security of your Reports
KB3968 - Generate a key pair using GPG for Windows
KB4205 - Generate a key pair using GPG Suite on macOS
KB4108 - Decrypt your Reports using GPG for Windows
KB4210 - Decrypting Reports using your PGP Key pair on macOS
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another 
 

Decrypting Reports Using Your PGP Key Pair on macOS

Note: This tutorial assumes you received reports via email or via FTP that were encrypted with the public key you sent to IBKR. If you need guidance to set up the encrypted statement delivery, please refer to this article, which is a prerequisite to the instructions below.

1. Open Finder

2. Right click on the .gpg file you want to decrypt

3. Select Services > OpenPGP: Decrypt File

 

Common Issues/Questions

  • Decryption failed with error 'No Secret Key'

This is commonly caused when the wrong encryption key is used to decrypt the file. If decryption is being done on a computer other than the original computer used to create the public/private keys, the keys would have to be transferred from the original computer to the new computer.

If the above does not help, then a new public/private key pair needs to be created and sent to us.

 

Related articles

KB3842 - Using GPG/RSA encryption keys to guarantee the privacy and security of your Reports
KB3968 - Generate a key pair using GPG for Windows
KB4205 - Generate a key pair using GPG Suite on macOS
KB4108 - Decrypt your Reports using GPG for Windows
KB4407 - Generate RSA Key Pair on Windows
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another 
 

Generate a Key Pair Using GPG Suite on macOS

If you elected to receive your statements in an encrypted form, you would first need to generate an RSA Key pair. To generate an RSA Key:

1. Download the GPG Suite for macOS

2. Double click on the downloaded installation file:

3. Click on Install

4. Click Continue

5. Click on Install

6. Click Install

Note: By default the installation includes an add-on for Apple Mail called GPG Mail. If you don't use Apple Mail and do not need this add-on, you can de-select it during this step.

7. Click on Close:

 

8. Launch GPGTools. The Create new key pair dialog box should automatically open. Input your Full Name, your Email and choose a Password. PLEASE NOTE: Keeping a secure copy of this password is essential. Any loss of this password will require the whole process to be repeated.
 
9. Expand Advanced options and make sure that:
  • The "Key type" drop-down is set to "RSA and RSA (default)"
  • "Length" is set to "2048"
  • The checkbox "Key will expire on" must remain NOT active

Important Note: Please be absolutely certain to set "Key type" to "RSA and RSA (default)" otherwise the key will be unusable.

 
10. Click on the button Create Key
 

11. Once the key pair is created it will be listed in your Key ring. Right click on it and select Export...

12. Choose a location to save the key pair in the Where field and make sure the checkbox Include secret key in exported file is deactivated. Click on Save.

13. You will receive a prompt indicating that the key pair was created successfully. Click on No, Thanks! to prevent uploading the public key to the PGP servers

14. Open Finder and go to the location you selected for saving the public key (at point 12).

15. Send the public key file to us via Message Center ticket or email as per instructions on IBKB3842.

 

Related articles

KB3842 - Using GPG/RSA encryption keys to guarantee the privacy and security of your Reports
KB3968 - Generate a key pair using GPG for Windows
KB4108 - Decrypt your Reports using GPG for Windows
KB4210 - Decrypting Reports using your PGP Key pair on macOS
KB4407 - Generate RSA Key Pair on Windows
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another 
 

Generate a Key Pair Using GPG for Windows

To generate a key pair using GPG for Windows:

1. Download the GPG Installer for Windows.

2. Run the installer and click Next >.

3. Make sure that the component Kleopatra is selected as one of the sub components to include in the installation and click Next >.

4. The default installation folder will be displayed. Click Install.

5. Once the installation has completed, click Next >.

6. Make sure the checkbox Run Kleopatra is active and click Finish.

7. Kleopatra will now open. Click the top menu File and select New OpenPGP Key Pair...
 
 
8. Enter your full Name and your Email address. Make sure the checkbox Protect the generated key with a passphrase is active. Click Advanced Settings...
 
 
9. Enter the following Key parameters:
  • Select RSA + RSA as Key type
  • Select 2,048 bits and 2,048 bits as Key lengths
  • Activate the checkboxes: Encryption, Certification, Signing and Authentication. The first two should be already active by default
  • Deactivate the option Valid until

Once all the parameters have been set exactly as listed above, click OK.

 
10. You will return to the Create OpenPGP Certificate window. Click OK.
 
 
11. You will be asked to enter a passphrase and type it again in the field Repeat: to confirm you made no typing errors. Once done, click OK. PLEASE NOTE: Keeping a secure copy of this password is essential. Any loss of this password will require the whole process to be repeated.
 
 
12. A pop-up will confirm the Key Pair has been successfully created. Click OK.
 
 
13. In the All Certificates panel, right-click on the newly created certificate and select Export...
 
 
14. Navigate to the directory where you want to save the public portion of your key (e.g. Desktop). Choose a name such as publickey.asc and click Save.
 
 
15. Open the Windows File Explorer and navigate to the directory where you saved the key. You will find the public.asc file ready to be sent to us via Message Center ticket or email as per instructions in IBKB3842:
 
 

16. Although this is not strictly needed, we strongly recommend you to perform a backup of your Key Pair, following the steps in KB4411. This backup copy of the certificates can be imported again in Kleopatra in case the original set becomes corrupted or accidentally deleted.

 
References

KB3842 - Using GPG/RSA encryption keys to guarantee the privacy and security of your Reports
KB4205 - Generate a key pair using GPG Suite on macOS
KB4108 - Decrypt your Reports using GPG for Windows
KB4210 - Decrypting Reports using your PGP Key pair on macOS
KB4407 - Generate RSA Key Pair on Windows
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another 
 

 

 

Using GPG/RSA Encryption Keys to Guarantee the Privacy and Security of Your Reports

Background: 

In order to ensure the privacy and security of your Reports and Statements, IBKR offers the following file delivery options:

A. sFTP (Secure FTP) - Recommended solution

  • We can send you Reports using the sFTP (Secure FTP) protocol on non-standard TCP port 32.
  • sFTP is a network protocol that utilizes SSH (Secure Shell) for the transfer, management, and access of files through an encrypted data stream.
  • Key based authentication is required. You will authenticate against our sFTP server through a unique RSA - 2048-bit public/private key pair, generated directly by you. We will use only your public key as authentication method for our sFTP server. Since the two keys are mathematically linked, only the private key holder (you) will be able to access the data.
  • PGP encryption (see Note 1) is optional.

B. Email with PGP (Pretty Good Privacy) Encryption

  • We can encrypt your Reports using PGP (Pretty Good Privacy) certificates and send you those reports via email.
  • PGP encryption (see Note 1) is optional but recommended. If you opt to receive your Reports via email without encryption, any account sensitive data will be masked.

C. Plain FTP with PGP (Pretty Good Privacy) Encryption

  • We can send you Reports using the regular FTP protocol on standard TCP port 21.
  • PGP encryption (see Note 1) is required. We can encrypt your Reports using PGP (Pretty Good Privacy) certificates.

Note 1: PGP encryption is based on a private/public key pair, which is unique and generated directly by you. We will use only your public key to encrypt your Reports. Since the two keys are mathematically linked, only the private key holder (you) will be able to decrypt the files.

 

To start the process, please select one of the options below according to the way you wish to access your Reports:

 

 

A. I Want to Receive my Reports via Secure FTP (sFTP)

When electing to receive your Reports through the IBKR hosted sFTP, please follow the steps below:

1) Install an FTP application. There are many free FTP application suites that can be used, like FileZilla or WinSCP.

2) Generate a public/private RSA key pair. Please follow the procedure below according to the Operating System you use:

3) Open a Web Ticket (via Client Portal -> Help -> Support Center) as follows:

  • Write "Attn. Reporting Integration Team" in the subject.
  • Write a short request for an IBKR hosted plain FTP in the message body
  • Write the IP Address(es) your connection will originate from in the message body
  • Paste the content (the alphanumeric string) of your RSA public key file in the message body

Alternatively, you can provide these same elements listed above via email to the Reporting Integration Team. Include the last 4 digits of your IBKR Account number in the email subject.

Note: We will not accept your public key if you have also included your private key. Please be sure to send us only the public part of the key pair.

4) IBKR will notify you within 1-2 business days, once your sFTP site has been set up.

5) Set your RSA key pair as authentication method for your sFTP client. Please follow the procedure below according to the Operating System you use:

 

B. I Want to Receive my Reports via Email with PGP Encryption

When electing to receive emails that contain encrypted data from IBKR, please follow the steps below:

1) Generate a PGP key pair in order to decrypt the files. Please follow the procedure below according to the Operating System you use:

2) Open a Web Ticket (via Client Portal -> Help -> Support Center) as follows:
  • Write "Attn. Reporting Integration Team" in the subject
  • Paste the content (the alphanumeric string) of your PGP public key file in the message body
Alternatively, you can send an email to the Reporting Integration Team. Include the last 4 digits of your IBKR Account number in the email subject and attach your PGP public key.

Note: We will not accept your public key if you have also included your private key. Please be sure to send us only the public part of the key pair.

3) IBKR will notify you once your public key has been imported on our systems. You will then enable the encryption for email file delivery from your Client Portal.

4) Use your key pair to decrypt the emails with the encrypted attachment/s. Please follow the procedure below according to the Operating System you use:

 

C. I Want to Receive my Reports via FTP with PGP Encryption

When electing to receive your Reports through the IBKR hosted sFTP, please follow the steps below:

1) Generate a PGP key pair in order to decrypt the files. Please follow the procedure below according to the Operating System you use:

2) Open a Web Ticket (via Client Portal -> Help -> Support Center) as follows:
  • Write "Attn. Reporting Integration Team" in the subject
  • Write a short request for an IBKR hosted plain FTP in the message body
  • Paste the content (the alphanumeric string) of your PGP public key file in the message body

Alternatively, you can provide these same elements listed above via email to the Reporting Integration Team. Include the last 4 digits of your IBKR Account number in the email subject.

Note: We will not accept your public key if you have also included your private key. Please be sure to send us only the public part of the key pair.

3) IBKR will notify you once your public key has been imported on our systems. You will then enable the encryption for FTP file delivery from your Client Portal.

4) Access our FTP site and use your PGP key pair to decrypt the files you receive. Please follow the procedure below according to the Operating System you use:

 

Additional procedures

 

References

KB3968 - Generate a key pair using GPG for Windows
KB4205 - Generate a key pair using GPG Suite on macOS
KB4108 - Decrypt your Reports using GPG for Windows
KB4210 - Decrypting Reports using your PGP Key pair on macOS
KB4407 - Generate RSA Key Pair on Windows
KB4819 - How to set up sFTP for using Certificate Authentication on Linux
KB4578 - How to Access your Reports using FTP on Windows
KB4580 - How to Access your Reports using FTP on MacOS
KB4409 - How to set up sFTP for using Certificate Authentication on Windows
KB4410 - How to set up sFTP for using Certificate Authentication on macOS
KB4411 - How to backup your public/private Key pair 
KB4323 - How to transfer your public/private key pair from one computer to another 

 
