
Secure file transfer protocol (SFTP)

Secure file transfer protocol (SFTP) is a secure shell (SSH)-based file transfer protocol that uses port 22 by default and a single connection for transfers. An SFTP connection is encrypted from the first data packet, which protects both credentials and file payloads across untrusted networks.

In managed file transfer (MFT) systems, SFTP moves files reliably at scale. IT administrators can set encryption levels and key management requirements, while the protocol itself allows common commands like read, write and delete. Actions like binding transfers to policies, setting up scripts and schedulers to trigger recurring jobs, moving files on arrival and other automations must happen in an MFT application that wraps around SFTP, but the protocol itself will handle activities like retries, status updates and integrity checks.

SFTP is commonly adopted to align transfer workflows with regulatory needs, such as FIPS 140-compliant transfers. 

How SFTP works

An SFTP session typically occurs in this order:

  • Client requests a connection to an SFTP server on port 22
  • Both parties will negotiate their SSH connection’s encryption through a public/private key pair process
  • Once the parties have agreed on the session encryption, the server will authenticate itself 
  • After the client checks the server’s authentication, it will then authenticate by password, key or other method
  • Upon successful authentication, the client will receive remote access to the file subsystem 
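
The client's check of the server's identity in the sequence above usually means comparing the presented host key with a fingerprint obtained out of band. The following is an added example, not code from the original page; the host name and both keys are constructed samples, and the fingerprint format is the SHA256 form OpenSSH tools display.

```python
import base64
import hashlib
import hmac
import struct

def ssh_blob(key_type: str, key_bytes: bytes) -> bytes:
    """Build a public-key blob: two SSH strings (uint32 length + bytes)."""
    name = key_type.encode("ascii")
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(key_bytes)) + key_bytes

def fingerprint(host_key_line: str) -> str:
    """SHA256 fingerprint of a 'host keytype base64' line."""
    _host, key_type, b64 = host_key_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob names its own algorithm; it must agree with the declared type.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def server_is_trusted(presented_line: str, pinned_fingerprint: str) -> bool:
    """Accept the server only if its host key matches the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(presented_line), pinned_fingerprint)

# Constructed sample keys (not real): the partner's key and a look-alike server's key.
GOOD_BLOB = ssh_blob("ssh-ed25519", bytes(range(32)))
SPOOF_BLOB = ssh_blob("ssh-ed25519", bytes(32))
GOOD_LINE = "sftp.example.com ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode()
SPOOF_LINE = "sftp.example.com ssh-ed25519 " + base64.b64encode(SPOOF_BLOB).decode()
# The pin is what the partner would send out of band; derived here from the sample key.
PINNED = "SHA256:" + base64.b64encode(hashlib.sha256(GOOD_BLOB).digest()).decode().rstrip("=")

if __name__ == "__main__":
    for line in (GOOD_LINE, SPOOF_LINE):
        verdict = "trusted" if server_is_trusted(line, PINNED) else "REJECTED"
        print(fingerprint(line), verdict)
```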

SFTP operations include open, read, write, close, rename, remove, set access rules and get attributes.

SFTP features

SFTP supports a broad range of file management controls beyond basic upload and download, which include:

  • 64-bit file size and offset fields for very large objects
  • An extension mechanism for vendor features such as server-side copy and batch delete
  • Preservation of timestamps, modes and ownership metadata for accurate replication
  • Rate limits and session quotas to modulate bandwidth and concurrent use
  • Status replies for each packet that can support logging and error review
  • The ability to specify the encryption algorithm and cipher families for each session
  • UTF-8 path and file name support across disparate platforms
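
The 64-bit offsets and per-request status replies listed above are visible in the packet layout itself. The following is an added example, not code from the original page; it assumes SFTP protocol version 3 framing (the page names no version), and the handle, request id and reply are constructed samples.

```python
import struct

SSH_FXP_READ, SSH_FXP_STATUS = 5, 101
STATUS_NAMES = {0: "SSH_FX_OK", 1: "SSH_FX_EOF", 2: "SSH_FX_NO_SUCH_FILE",
                3: "SSH_FX_PERMISSION_DENIED", 4: "SSH_FX_FAILURE"}

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def frame(ptype: int, request_id: int, payload: bytes) -> bytes:
    """uint32 length, byte type, uint32 request id, then the type-specific payload."""
    body = struct.pack(">BI", ptype, request_id) + payload
    return struct.pack(">I", len(body)) + body

def build_read(request_id: int, handle: bytes, offset: int, length: int) -> bytes:
    # The offset is a uint64, so reads past 4 GiB need no special handling.
    return frame(SSH_FXP_READ, request_id, ssh_string(handle) + struct.pack(">QI", offset, length))

def parse_packet(pkt: bytes) -> dict:
    if len(pkt) < 9:
        raise ValueError("packet shorter than its fixed header")
    length, ptype, request_id = struct.unpack_from(">IBI", pkt)
    if length != len(pkt) - 4:
        raise ValueError("length field does not match packet size")
    body = pkt[9:]
    try:
        if ptype == SSH_FXP_READ:
            handle, pos = read_string(body, 0)
            offset, count = struct.unpack_from(">QI", body, pos)
            return {"type": "READ", "id": request_id, "handle": handle, "offset": offset, "length": count}
        if ptype == SSH_FXP_STATUS:
            (code,) = struct.unpack_from(">I", body, 0)
            message, _ = read_string(body, 4)
            return {"type": "STATUS", "id": request_id,
                    "status": STATUS_NAMES.get(code, f"code {code}"), "message": message.decode("utf-8")}
    except struct.error as exc:
        raise ValueError("truncated payload") from exc
    raise ValueError(f"packet type {ptype} not handled in this example")

# Constructed sample: a server reply refusing request 7.
DENIED = frame(SSH_FXP_STATUS, 7,
               struct.pack(">I", 3) + ssh_string(b"Permission denied") + ssh_string(b"en"))
```

Because every reply carries the request id of the operation it answers, a log line built from `parse_packet` output can tie a denial back to the exact read or write that caused it.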

SFTP vs. FTPS

SFTP and FTPS differ in transport security and network requirements. 

To help you choose between them, here are the most salient differences:

  • Authentication: SFTP supports public/private keys and multifactor authentication. FTPS uses a combination of passwords and client certificates.
  • Data handling: SFTP offers a larger suite of standardized commands than FTPS.
  • Network devices: FTPS requires two ports to communicate, and its use of dynamic ports for data transfers may require helpers on NAT and firewalls. SFTP requires a single port: 22.
  • Speed: SFTP is generally slower than FTPS due to its heavier encryption and integrity checking loads.
  • Transport security: FTPS uses TLS, while SFTP uses SSH.

SFTP use cases

SFTP supports controlled file exchange across partners’ applications and infrastructure where data must move predictably through firewalls and policy gates. It’s widely used in batch feeds and operational data flows that call for identity checks, tracking and error recovery within one managed channel.

Common enterprise use cases include:

  • Recurring B2B data feeds for payments, orders or reports
  • Regulated record exchange, such as health or tax data
  • Remote log and configuration collection from distributed servers or devices
  • Secure inbound drop zones for suppliers with restricted directory scope

SFTP FAQs

Is SFTP secure?

Yes. SFTP provides encrypted file transfer over SSH. The protocol encrypts session setup credentials and file contents using negotiated ciphers, so that no information is sent in clear text. Host keys let clients verify they are talking to the right server to block spoofing. Message authentication codes also detect changes in transit.

That said, full file transfer security depends on application configuration and security operations. Practices such as using current cipher suites, managed keys, least privilege accounts and chroot or virtual directories to limit scope will all harden your SFTP environment.
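
Several of these practices can be checked mechanically. The following is an added example, not code from the original page; it assumes an OpenSSH-style `sshd_config` (the page names no server product), and the legacy-algorithm list and both sample configurations are constructed for illustration.

```python
# Policy assumption: algorithms treated as legacy here; adjust to your own baseline.
LEGACY = {"3des-cbc", "aes128-cbc", "arcfour", "hmac-md5", "hmac-md5-96"}

def parse(config_text: str) -> dict:
    """Group directives by scope; sshd keeps the first value it sees for a keyword."""
    scopes, scope = {"global": {}}, "global"
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value)
    return scopes

def audit(config_text: str) -> list:
    findings, scopes = [], parse(config_text)
    for key in ("ciphers", "macs"):
        value = scopes["global"].get(key, "")
        if value.startswith("-"):  # a "-list" removes algorithms, nothing to flag
            continue
        findings += [f"global: legacy {key} entry {alg}"
                     for alg in value.lstrip("+^").split(",") if alg in LEGACY]
    for scope, cfg in scopes.items():
        if scope == "global":
            continue
        if not cfg.get("chrootdirectory"):
            findings.append(f"{scope}: no ChrootDirectory")
        if not cfg.get("forcecommand", "").startswith("internal-sftp"):
            findings.append(f"{scope}: no ForceCommand internal-sftp")
    return findings

# Constructed sample configurations (not from the page).
WEAK = """\
Ciphers aes256-gcm@openssh.com,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
Match Group partners
    X11Forwarding no
"""
HARDENED = """\
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match Group partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""
```

`audit(WEAK)` reports the three legacy algorithms plus the missing chroot and forced SFTP subsystem for the partner group, while `audit(HARDENED)` returns an empty list.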

Is SFTP safer than FTP?

Yes. Plain FTP sends usernames, passwords and file contents without encryption. Anyone who can capture that traffic can read or alter your data. FTP also opens separate control and data channels, which adds complexity to firewalls and can widen exposure.

SFTP runs inside an SSH session, which means that each command and data block is encrypted. The protocol also validates message integrity, supports host verification and offers key-based login. 


What are the disadvantages of SFTP?

SFTP adds setup and management work related to key and cipher management. Keys must be issued, rotated, revoked and backed up regularly, and cipher libraries can become outdated. Additionally, not all partners support SSH, so parallel protocols such as FTPS may be required. Extended attributes also do not always map cleanly across operating systems.

SFTP is one of the slower transfer protocols, due to its encryption overhead, which can tax constrained systems at scale (though modern CPUs handle most loads). High-latency circuits may need window and packet tuning to reach full throughput, and metadata fidelity can vary. 

Finally, SFTP is not the most “user-friendly” protocol, due to its requirement to use a client or command prompt. The base protocol lacks built-in email-style invites, link sharing or drop-box features found in web gateways, which can matter for ad hoc exchanges.
