SFTP is a secure network protocol for transferring, managing, and storing files over encrypted connections. It is based on the SSH protocol and protects data from unauthorized access during transmission. Unlike traditional FTP, SFTP ensures fully encrypted communication.


What is SFTP?

SFTP stands for SSH File Transfer Protocol (also called Secure File Transfer Protocol) and is a secure method for transferring files over the internet or a local network. It runs on top of the SSH transmission protocol, the Secure Shell. SSH ensures secure authentication of the communication partners, protecting both the transmitted data and the access credentials from unauthorized access. Unlike traditional FTP, where data is sent in plain text, SFTP ensures that all information is encrypted during transmission.

SFTP is used wherever sensitive data needs to be transferred securely, such as in the following cases:

  • Exchange of files between servers
  • Backups of websites
  • Management of web hosting projects

Users can access their server via an SFTP program to upload, download, rename, or delete files. Since SFTP operates over port 22, the same port SSH uses, no separate firewall configuration is necessary where SSH is already permitted. Additionally, the protocol supports modern authentication methods like SSH keys, which provide even greater security than simple passwords.

How does SFTP work?

To establish a working connection with the SSH File Transfer Protocol, an SSH login on the host’s server is required. This provides the access data for the SFTP user: server address, username, and password. These details are entered into the (S)FTP program used by the client. During the initial connection, the server’s host key is displayed for verification and saved in the FTP program for future sessions. This allows the client to authenticate the server each time a connection is made. If an unauthorized party (a hacker, for instance) tries to connect without the correct key, the communication is immediately terminated.

Image: Schematic representation of SFTP data transfer
With bidirectional encryption, data flows through the SSH tunnel with the SSH File Transfer Protocol.

Between the client and server — and along the return path — an SSH tunnel is established through which authentication and data transfer take place. This tunnel is continuously encrypted, preventing attackers from accessing the data. As a result, all information reaches the recipient unchanged. If a hacker tries to tamper with the data during transmission, SSH detects the manipulation and immediately terminates the connection.

Data transfer via the SSH File Transfer Protocol protects against the following threats:

  • Alteration of a packet’s IP address — also known as IP spoofing.
  • Redirecting the intended hostname to an attacker’s IP address (DNS spoofing).
  • Eavesdropping on login credentials sent in plain text.
  • Tampering with the data being transmitted by an attacker.
Note

SFTP cannot safeguard users against negligent handling of credentials or security keys!

How to use the SSH File Transfer Protocol

In the (S)FTP program, you can select the desired protocol in the section where login credentials are entered. In the FileZilla client, shown below, this area is called the Server Manager. In most cases, you don’t need to specify a port manually — it’s automatically set to 22 when SFTP is selected.

Image: Select SFTP in the FileZilla Server Manager
In the FTP program FileZilla, the SFTP protocol is selected for transfer.

The first time a connection is established using the SSH File Transfer Protocol, the SFTP client shows a prompt asking you to verify the server’s host key, as SSH requires on first contact. Double-check the accuracy of the server address. The correct use of port 22 is indicated in the server entry: home….-data.host:22. By checking the box “Always trust this host, add this key to the cache” and clicking the “OK” button, the connection data is saved and the encrypted connection is established.

This prompt does not appear again on the next connection attempt, because the SFTP client recognizes the SFTP server by its stored, unique key. All transmissions, including the login data exchanged during connection setup, are encrypted. Messages in the FTP program’s status window provide information about the progress of downloads and uploads.
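The two steps above, the host-key prompt on first contact and the silent check on later connections, are what an SFTP client does with its known-hosts cache. The following is an added example, not code from the original article or from FileZilla or OpenSSH. It uses only the Python standard library; the hostname, the key bytes and the “impostor” key are constructed for illustration and are not real server keys. The fingerprint format (SHA256, base64 without padding) and the known_hosts line layout follow the OpenSSH conventions.

```python
"""Host-key verification as an SFTP client performs it (added example).

The key material below is constructed for illustration; it is not a real
server's key and the hostname is a placeholder, not the one in the article.
"""
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a byte string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


KEY_TYPE = "ssh-ed25519"
# Raw public key blob: string("ssh-ed25519") + string(32 key bytes).
# The 32 bytes are constructed filler, not a real Ed25519 public key.
REAL_BLOB = _ssh_string(KEY_TYPE.encode()) + _ssh_string(bytes(range(32)))
# A second, different blob standing in for an impostor answering for the same name.
IMPOSTOR_BLOB = _ssh_string(KEY_TYPE.encode()) + _ssh_string(bytes(32))

HOST = "sftp.example.invalid"  # placeholder hostname
PORT = 22


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _marker(host: str, port: int) -> str:
    """known_hosts host field: bare name for port 22, '[host]:port' otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def known_hosts_entry(host: str, port: int, blob: bytes) -> str:
    """Build the known_hosts line a client stores after the user accepts the key."""
    return f"{_marker(host, port)} {KEY_TYPE} {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str) -> dict:
    """Map host marker -> (key type, raw blob). Skips blanks, comments and hashed '|1|' entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        markers, key_type, b64 = parts[0], parts[1], parts[2]
        for marker in markers.split(","):
            entries[marker] = (key_type, base64.b64decode(b64))
    return entries


def check_host_key(known_hosts: str, host: str, port: int, presented_blob: bytes) -> str:
    """Return 'unknown' (first contact: prompt the user), 'match' (proceed),
    or 'mismatch' (the host answers with a different key: abort the connection)."""
    entries = parse_known_hosts(known_hosts)
    marker = _marker(host, port)
    if marker not in entries:
        return "unknown"
    _, stored_blob = entries[marker]
    return "match" if hmac.compare_digest(stored_blob, presented_blob) else "mismatch"


if __name__ == "__main__":
    cache = ""  # empty known_hosts: nothing trusted yet
    # First connection: key unknown, show the fingerprint and let the user decide.
    print("first contact:", check_host_key(cache, HOST, PORT, REAL_BLOB), fingerprint(REAL_BLOB))
    cache = known_hosts_entry(HOST, PORT, REAL_BLOB)  # user ticked "Always trust this host"
    # Later connections: the same key is recognized silently.
    print("second connection:", check_host_key(cache, HOST, PORT, REAL_BLOB))
    # A host answering with a different key (e.g. after DNS spoofing) is refused.
    print("different key:", check_host_key(cache, HOST, PORT, IMPOSTOR_BLOB))
```

The decisive call is the `mismatch` branch: a client that silently re-prompts and re-caches at that point would give up exactly the protection the article attributes to SFTP, so it must refuse the connection and leave it to the operator to confirm the new fingerprint out of band.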

What is the difference between SFTP and FTP?

The main difference is that authentication and all data traffic between client and server are encrypted during SFTP transfer. Even if attackers manage to intercept data, it remains unusable for them. The SSH File Transfer Protocol responds to tampered login data or attack attempts by terminating the connection. In summary, the differences between FTP and SFTP are as follows:

                                          FTP                  SFTP
Number of channels used                   2 (separate)         1
Encryption standard                       none                 SSH-based encryption
Encryption of authentication              no                   yes
Encryption of data transfer               no                   yes
Attack possibilities                      yes                  no
(eavesdropping, tampering)

The technical security of cryptographic transmission should be reinforced with additional security measures on both the client and server sides. This includes considerations such as the geographic location and physical protection of SFTP servers, as well as secure data storage for client access. Any carelessness in handling sensitive data is usually punished sooner or later.
