
SSH file transfer protocol

SSH file transfer protocol, also known as secure file transfer protocol or SFTP, extends secure shell (SSH) by adding a subsystem that handles file transfers over the same encrypted session. SFTP runs on port 22 and combines control and data into one protected channel, which cuts complexity and ensures authentication, commands and data are never sent in clear text.

SFTP performs authentication, encryption and integrity checks for every packet. This adds some overhead, but it means transfers made with the protocol satisfy data-integrity and encryption-in-motion requirements such as those in HIPAA, GDPR and FIPS, among others. Enterprises move payroll files, software builds and partner data using public‑key or multifactor login, strict directory permissions and detailed logs.

The protocol supports public key or multifactor login, transfer resume, modification time logging and a wide variety of file and directory commands to help automate large workflows while preserving file integrity. Inside a managed file transfer (MFT) system, SFTP can be integrated with workflow engines, policy enforcement and high‑availability (HA) clusters.

SFTP features and benefits

SFTP offers technical advantages that reduce operational risk and speed routine file administration in managed transfer environments.

These features and benefits include:

  • Batch mode that queues multiple commands in a single session to perform automated workflows
  • Built‑in zlib compression that cuts bandwidth use and accelerates delivery on congested networks
  • Standardized error and status codes that simplify orchestration scripts and exception handling
  • UTF‑8 support that preserves international file names and prevents data loss in global workflows
  • Windowed packet queuing that keeps high‑latency circuits busy and shortens overall job time

Common SFTP commands

IT administrators rely on a core set of SFTP commands to script transfers, verify directories and manage files without a full graphical client. 

Common commands that appear in most runbooks include:

  • chmod changes permissions on remote objects to enforce least‑privilege access
  • get downloads a remote file to the local system and supports resume with the -a flag
  • mget retrieves multiple remote files based on a pattern, which reduces manual effort
  • mput uploads multiple files matching a wildcard pattern in one session
  • put transfers a local file to the remote directory while preserving timestamps

Supported SFTP operations

SFTP defines a rich set of file and directory primitives that let organizations script end‑to‑end transfers and post‐processing tasks in a single encrypted session. 

SFTP’s core operations include:

  • Create or follow symbolic links to maintain consistent paths across clustered hosts
  • Create, remove and rename directories or files under controlled permission scopes
  • List and traverse directories recursively to feed data warehousing or backup jobs
  • Open, read, write and close files with byte‑range offsets for partial downloads and uploads
  • Query and set ownership, mode and timestamps to align with retention and audit rules
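The byte-range read primitive listed above and the standardized status codes mentioned under features both live in the SFTP packet format. The following is an added example, not code from this glossary or from any particular SFTP product: it frames an SSH_FXP_READ request with an explicit 64-bit offset, builds a server-style SSH_FXP_STATUS reply, and decodes replies while checking the length prefix against what was actually received. Packet type and status numbers follow the SFTP version 3 draft; the handle and message values are constructed sample data.

```python
import struct
# SFTP v3 packet types and status codes (draft-ietf-secsh-filexfer-02).
FXP_READ, FXP_STATUS, FXP_HANDLE, FXP_DATA = 5, 101, 102, 103
FX_STATUS = {0: "OK", 1: "EOF", 2: "NO_SUCH_FILE", 3: "PERMISSION_DENIED", 4: "FAILURE",
             5: "BAD_MESSAGE", 6: "NO_CONNECTION", 7: "CONNECTION_LOST", 8: "OP_UNSUPPORTED"}

def _s(b: bytes) -> bytes:
    """Encode an SFTP 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def packet(ptype: int, body: bytes) -> bytes:
    """Frame a packet: uint32 length (type byte + body), byte type, body."""
    return struct.pack(">IB", 1 + len(body), ptype) + body

def read_request(req_id: int, handle: bytes, offset: int, length: int) -> bytes:
    # SSH_FXP_READ: id, handle, uint64 offset, uint32 len. The explicit offset is
    # the byte-range primitive behind resumed and partial transfers.
    return packet(FXP_READ, struct.pack(">I", req_id) + _s(handle)
                  + struct.pack(">QI", offset, length))

def status_reply(req_id: int, code: int, message: str) -> bytes:
    # SSH_FXP_STATUS as a server sends it: id, status code, message, language tag.
    return packet(FXP_STATUS, struct.pack(">II", req_id, code)
                  + _s(message.encode("utf-8")) + _s(b"en"))

class _Reader:  # cursor over a received packet (constructed helper)
    def __init__(self, buf: bytes, pos: int):
        self.buf, self.pos = buf, pos
    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v
    def string(self) -> bytes:
        n = self.u32(); v = self.buf[self.pos:self.pos + n]; self.pos += n; return v

def parse_response(buf: bytes) -> dict:
    """Decode one server reply; reject frames whose length prefix disagrees with the bytes received."""
    length, ptype = struct.unpack_from(">IB", buf, 0)
    if length != len(buf) - 4:
        raise ValueError("length prefix does not match packet size")
    r = _Reader(buf, 5)
    out = {"type": ptype, "id": r.u32()}
    if ptype == FXP_STATUS:
        code = r.u32()
        out.update(code=code, status=FX_STATUS.get(code, "UNKNOWN"),
                   message=r.string().decode("utf-8", "replace"))
    elif ptype in (FXP_HANDLE, FXP_DATA):
        out["payload"] = r.string()  # file handle or the requested data block
    else:
        raise ValueError(f"unexpected packet type {ptype}")
    return out
```

On the wire these packets travel inside an SSH channel, so the encryption and MAC described elsewhere on this page are applied by the SSH transport layer, not by this framing.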

Security advantages of SFTP

SFTP relies on proven cryptography and can be layered with additional controls where regulated data flows require evidence of compliance. By placing both authentication and file operations inside the SSH tunnel, it removes the potential for plaintext credential exposure.

Other security advantages include:

  • Integrated message authentication codes detect tampering before corrupted blocks reach storage
  • Packet payload encryption with AES‑128 or AES‑256 to stop passive inspection and data harvesting
  • Per‑account chroot directories and audit logs support segregation of duties and forensic review
  • Port 22 consolidation reduces firewall rule sprawl and shrinks the attack surface available for lateral movement
  • Strong public‑key authentication to thwart spoofing attacks

These controls provide a hardened transfer layer that aligns with zero‑trust policies and simplifies compliance audits.

SSH file transfer protocol FAQs

Does SSH SFTP use TCP or UDP?

SSH typically operates over the transmission control protocol (TCP). SSH and SFTP operate at the application layer and ride on TCP over port 22. SSH supplies the encrypted session that SFTP uses for file commands, delivering encryption, authentication and integrity on top of TCP’s reliable byte stream.

SSH over UDP does exist, but it is not common and requires additional configuration.

What is an SSH file transfer?

SSH file transfer is the act of sending or retrieving data through the secure shell protocol using its built‑in file subsystem, SFTP. All commands and file blocks travel inside an encrypted session on port 22 to combine authentication, confidentiality and integrity within a single reliable TCP channel.

Because the control path and payload share the SSH tunnel, IT administrators can perform tasks such as scripted backups, software updates and partner exchanges without opening extra ports or risking clear‑text exposure. Additional server features such as logs, permission checks and optional multifactor login also give organizations visibility and policy alignment.

Are SSH and SFTP the same thing?

No. SSH is a general‑purpose protocol that creates an encrypted session for remote login, command execution and port forwarding. SFTP is a subsystem that runs inside that session and adds file system operations, such as read, write and rename.

Because SFTP rides within the SSH channel, both use port 22 and share the same authentication and encryption, yet their roles differ. SSH supplies the transport while SFTP manages data exchange, so you can run SSH without SFTP, but SFTP cannot operate without SSH.

What is the SSH transport protocol?

The SSH transport layer protocol is the base layer of secure shell. It negotiates version, selects encryption and MAC algorithms and performs a key exchange to generate session keys. The protocol runs over TCP port 22 and authenticates the server with its host key to prevent man‑in‑the‑middle attempts before user data moves.

Once keys are agreed, the transport layer encrypts every packet with a symmetric cipher such as AES‑256 and appends a message authentication code to catch tampering. Higher layers, such as user authentication, port forwarding and SFTP, ride on this channel as well.
