SFTP isn’t just a "secure FTP"; it’s a fundamentally different protocol that happens to share a similar name and purpose.
Let’s see it in action. Imagine you have a file /home/user/data.csv on your local machine and you want to transfer it to /remote/path/ on an SFTP server.
```
sftp user@your_sftp_server.com
```
Once connected, you'll see an `sftp>` prompt.
```
sftp> put /home/user/data.csv /remote/path/
```
This single command initiates a secure, encrypted transfer. Now, let's break down why this is so different from traditional FTP.
The core difference lies in their underlying protocols. FTP (File Transfer Protocol) is an old protocol, designed in a time when security wasn't a primary concern. It typically uses two channels: one for commands (control) and another for data. Both of these channels transmit data in plain text, meaning usernames, passwords, and the files themselves are vulnerable to eavesdropping. SFTP, on the other hand, is a subsystem of SSH (Secure Shell). It tunnels all its traffic, including commands and data, over a single, encrypted SSH connection. This means the entire communication is protected from unauthorized access.
This security difference dictates their primary use cases. Traditional FTP is largely deprecated for any sensitive data transfer due to its inherent insecurity. It might still be found in legacy systems or for transferring non-sensitive public files where speed is paramount and security is a non-issue. SFTP, however, is the de facto standard for secure file transfers. Businesses use it for everything from exchanging financial data and customer information to deploying website updates and migrating databases. If there's any chance of sensitive data being intercepted, SFTP is the only responsible choice.
Under the hood, FTP operates on two distinct ports: port 21 for the command channel and a dynamic port (often above 1023) for the data channel. This dual-port nature can also be a headache for firewalls, requiring specific configurations to allow both. SFTP, by leveraging SSH, typically uses port 22. This single, well-defined port simplifies network administration and [firewall rules](/interviews/nftables/logging-and-audit-trail-for-firewall-rules/), as only one port needs to be opened for secure communication. The SSH protocol itself handles the complex encryption and authentication, allowing SFTP to focus purely on file transfer operations within that secure tunnel.
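To make the two points above concrete (cleartext credentials on the control channel, and a separately negotiated data port that firewalls must accommodate), here is an added example, not part of the original article: it audits a constructed FTP control-channel transcript the way a passive observer or a network monitor would see it, recording which usernames were exposed, whether a password went by in the clear, and which dynamic data port the server's `227` reply negotiated. The transcript and host names are made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an FTP control session (C: client, S: server), as it
# appears on the wire to anyone on the network path. Not real traffic.
SAMPLE_TRANSCRIPT = """\
S: 220 legacy-ftp ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,168,1,10,195,80)
C: RETR data.csv
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
"""

# 227 replies carry the data endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpExposure:
    usernames: list = field(default_factory=list)
    password_seen: bool = False           # the value itself is never stored
    data_endpoints: list = field(default_factory=list)  # (host, port) pairs
    files: list = field(default_factory=list)


def audit_ftp_transcript(text: str) -> FtpExposure:
    """Record what a cleartext FTP control channel reveals to an observer."""
    exposure = FtpExposure()
    for raw in text.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                exposure.usernames.append(arg)
            elif verb == "PASS":
                exposure.password_seen = True
            elif verb in ("RETR", "STOR"):
                exposure.files.append(arg)
        elif side == "S" and line.startswith("227"):
            m = PASV_RE.search(line)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                exposure.data_endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return exposure
```

Every item the function collects is visible only because FTP runs unencrypted; the equivalent SFTP session exposes nothing beyond an SSH connection to port 22, and no second port ever has to be opened.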
The commands available in an SFTP client also reflect its SSH heritage. While many commands mirror FTP (like `put`, `get`, `ls`, `cd`), they are executed within the context of the secure SSH session. You can also perform operations like changing file permissions (`chmod`) and ownership (`chown`) directly through the SFTP client, features not natively available in standard FTP clients. This richer set of administrative capabilities makes SFTP more versatile for managing remote files beyond simple uploads and downloads.
The session management is also fundamentally different. FTP is stateless in many respects, with separate connections potentially being established for commands and data. SFTP, being part of SSH, maintains a persistent, authenticated session. This means once you've authenticated with your SSH credentials (username/password or SSH key), all subsequent SFTP operations are performed under that established secure session, without repeated authentication prompts for each file transfer. The server keeps track of your [session state](/interviews/mqtt/broker-internals-session-state-persistence/), leading to a more robust and manageable file transfer experience.
You'll often encounter scenarios where you need to transfer files to systems that only support FTP. In such cases, you might be tempted to use an FTP client. However, if security is even a slight concern, it's worth investigating whether an SFTP server can be configured, or whether a different secure protocol such as SCP (Secure Copy Protocol), which also runs over SSH, can be used instead. The migration from FTP to SFTP is a common [security hardening](/cloud-computing/compute-virtual-machines/vm-security-hardening/) step for many organizations.
The authentication mechanisms themselves highlight the security disparity. FTP relies on plain-text username and password credentials sent over the network, or sometimes less secure methods like anonymous logins. SFTP, being SSH-based, supports robust authentication methods including [password authentication](/cryptography/authentication/password-auth/) (which is encrypted) and, more commonly, public-key cryptography. This means you can use SSH keys for authentication, which are significantly more secure than passwords and can be used without ever transmitting a password over the network.
The next logical step after mastering SFTP is understanding its close sibling, SCP, and when to choose one over the other for specific command-line transfer needs.