FTP vs SFTP: What Is the Difference?
FTP (File Transfer Protocol) is used to transfer files over a network but does not encrypt data, while SFTP (Secure File Transfer Protocol) uses encryption over SSH to securely transfer files between systems.
FTP and SFTP: File Transfer Protocols
File transfer is one of the most common tasks in networking and system administration. Whether you are uploading files to a web server, sharing documents with colleagues, or transferring backups between systems, you need a reliable way to move files across networks. FTP and SFTP are two of the most widely used protocols for this purpose. While their names sound similar, they are fundamentally different in how they operate and their security characteristics.
Understanding the differences between FTP and SFTP is essential for choosing the right tool for your needs. FTP has been around since the early days of the internet, while SFTP is a more modern, secure alternative that runs over SSH. To understand these protocols properly, it is helpful to be familiar with the client-server model, VPNs and secure networks, and encryption basics.
What Is FTP
File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server on a computer network. It was developed in the 1970s and is one of the oldest internet protocols still in widespread use. FTP operates on a client-server model, where an FTP client connects to an FTP server to upload, download, or manage files.
- Port 21: Control connection for sending commands (authentication, navigation, file operations).
- Port 20: Data connection for actual file transfer (Active mode).
- Authentication: Supports anonymous access or username/password authentication.
- Modes: Active mode and Passive mode for handling firewall and NAT traversal.
- Transfer Types: ASCII mode for text files, Binary mode for all other file types.
Client (FTP Client) Server (FTP Server)
| |
|--- Control Connection (Port 21) ---->|
|<--- 220 Welcome to FTP Server -------|
|--- USER username ------------------->|
|<--- 331 Password required -----------|
|--- PASS password ------------------->|
|<--- 230 User logged in ---------------|
|--- LIST ---------------------------->|
|<--- 150 Opening data connection -----|
|--- Data Connection (Port 20) ------->|
|<--- File listing data ---------------|
|<--- 226 Transfer complete -----------|
|--- QUIT ---------------------------->|
|<--- 221 Goodbye ---------------------|
What Is SFTP
SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management functionality over a secure SSH connection. Despite its name, SFTP is not an extension of FTP but a completely different protocol built on top of SSH (Secure Shell). It was designed to address the security shortcomings of FTP.
- Port 22: Uses the same port as SSH for encrypted communication.
- Single Connection: Uses a single encrypted channel for both commands and data.
- Encryption: All communication is encrypted using SSH protocols.
- Authentication: Supports passwords, SSH keys, and certificate-based authentication.
- Features: Resume interrupted transfers, directory listings, file permissions, symbolic links.
Client (SFTP Client) Server (SSH/SFTP Server)
| |
|--- SSH Connection (Port 22) -------->|
|--- SSH Protocol Version Exchange --->|
|--- Encryption Algorithm Negotiation >|
|--- Server Authentication ----------->|
|--- Client Authentication ----------->|
|<--- SFTP Subsystem Initiated --------|
|--- SFTP Command (Open Channel) ----->|
|--- SFTP Command (Read Directory) --->|
|<--- SFTP Response (File Listing) ----|
|--- SFTP Command (Download File) ---->|
|<--- SFTP Data (Encrypted) -----------|
|--- SFTP Command (Close) ------------>|
|--- SSH Disconnect ----------------->|
FTP vs SFTP: Key Differences
While both protocols serve the same purpose of file transfer, they differ significantly in architecture, security, and capabilities. Understanding these differences helps you choose the right protocol for your use case.
| Feature | FTP | SFTP |
|---|---|---|
| Security | No encryption (unless using FTPS). Credentials and data sent in plain text. | Full encryption via SSH. All traffic encrypted including credentials and data. |
| Port | Port 21 (control), Port 20 (data in active mode) | Port 22 (single connection) |
| Connections | Two connections: control and data. Complex firewall traversal. | Single connection. Firewall friendly. |
| Authentication | Username/password or anonymous. No public key support. | Username/password, SSH keys, certificates. Multi-factor possible. |
| Transfer Resume | Supported with REST command (RESTart) | Supported with offset parameter |
| File Operations | Basic: upload, download, delete, list, rename | Advanced: file permissions, symbolic links, directory creation, file locking |
| Firewall Friendly | Difficult (requires multiple ports, passive mode configuration) | Easy (single port 22) |
FTP Active vs Passive Mode
FTP uses two connections: a control connection for commands and a data connection for transferring files. The way the data connection is established determines whether FTP is in active or passive mode.
Active Mode
In active mode, the client opens a control connection to the server and tells the server (with the PORT command) its IP address and a port it is listening on. The server then initiates a data connection from its port 20 back to that client port. This mode often fails because firewalls and NAT on the client side block the incoming data connection.
Client Server
| |
|--- Control Connection (Client:PortX -> Server:21) --->|
|--- PORT command (Client IP, PortY) ------------------>|
| |
|<--- Data Connection (Server:20 -> Client:PortY) ------|
|<--- Data transfer -----------------------|
Passive Mode
In passive mode, the client opens a control connection to the server and sends a PASV command. The server responds with its IP address and a random port. The client then initiates the data connection to that port. This mode works better with firewalls because the client always initiates connections.
Client Server
| |
|--- Control Connection (Client:PortX -> Server:21) --->|
|--- PASV command ------------------------------------>|
|<--- Server responds with IP and PortZ --------------|
|--- Data Connection (Client:PortY -> Server:PortZ) -->|
|--- Data transfer ----------------------------------->|
FTPS: FTP with SSL/TLS
FTPS (FTP over SSL/TLS) is an extension of FTP that adds security using SSL/TLS encryption. It should not be confused with SFTP. FTPS wraps FTP traffic in SSL/TLS, providing encryption while maintaining the FTP command structure.
- Explicit FTPS (FTPES): Client connects to standard FTP port 21 and explicitly requests encryption using the AUTH TLS command.
- Implicit FTPS: Client connects to a dedicated port (990) and the connection is immediately encrypted.
- Certificate Support: Uses X.509 certificates for server authentication and optionally client authentication.
- Firewall Complexity: Still inherits the dual-connection complexity of FTP.
Client Server
| |
|--- Connect to Port 21 ------------------>|
|--- AUTH TLS ---------------------------->|
|<--- 234 AUTH command OK -----------------|
|--- TLS Handshake ----------------------->|
|--- TLS Encrypted Control Channel --------|
|--- USER username ----------------------->|
|--- PASS password ----------------------->|
|--- PBSZ 0 ----------------------------->|
|--- PROT P ----------------------------->|
|--- Data commands (encrypted) ---------->|
Common Use Cases
Different protocols suit different use cases. Understanding when to use each helps you make the right choice for your needs.
- FTP (Unencrypted): Only suitable for public, read-only content on isolated networks where security is not a concern. Not recommended for any sensitive data.
- FTPS (FTP with SSL/TLS): Suitable when legacy FTP clients must be used but encryption is required. Often used in enterprise environments with existing FTP infrastructure.
- SFTP (SSH File Transfer): The modern standard for secure file transfer. Ideal for web hosting, cloud servers, automated backups, and any scenario requiring security and firewall friendliness.
- SCP: Alternative protocol for simple secure copying.
| Scenario | Recommended Protocol |
|---|---|
| Uploading files to web server | SFTP |
| Automated backups | SFTP |
| Public file downloads | FTP (read-only) or HTTP |
| Legacy system integration | FTPS |
| Secure internal file transfers | SFTP |
| Cloud storage sync | SFTP or cloud-specific API |
| Simple secure file copy | SCP |
Using SFTP Command Line
The SFTP command-line client is available on most Unix-like systems (Linux, macOS) and can be installed on Windows. It provides an interactive file transfer environment.
# Connect to an SFTP server
sftp user@example.com
sftp -i ~/.ssh/private_key user@example.com
sftp -P 2222 user@example.com # Non-standard port
# Inside SFTP session
sftp> ls # List remote files
sftp> cd /var/www # Change remote directory
sftp> lls # List local files
sftp> lcd /local/path # Change local directory
sftp> put localfile.txt # Upload file
sftp> get remotefile.txt # Download file
sftp> get -r remote_dir # Download directory recursively
sftp> put -r local_dir # Upload directory recursively
sftp> rm filename.txt # Delete remote file
sftp> mkdir new_dir # Create remote directory
sftp> chmod 755 script.sh # Change file permissions
sftp> rename old new # Rename remote file
sftp> quit # Exit SFTP
# Non-interactive usage (scripting)
sftp user@example.com << 'EOF'
cd /remote/path
put localfile.txt
get remotefile.txt
quit
EOF
Common FTP/SFTP Client Tools
Several client tools make FTP and SFTP easier to use with graphical interfaces. These tools support various protocols and provide additional features.
- FileZilla: Popular cross-platform GUI client supporting FTP, FTPS, and SFTP. Includes site manager, directory comparison, and transfer queue.
- WinSCP: Windows-focused client with support for SFTP, SCP, FTP, and WebDAV. Includes synchronization and scripting capabilities.
- Cyberduck: Mac and Windows client with support for SFTP, FTP, and cloud storage (S3, Google Drive). Clean interface with bookmarking.
- Command Line: Built-in sftp command on Linux/macOS; pscp and psftp on Windows with PuTTY.
- VS Code Extensions: SFTP extensions allow editing files directly on remote servers from the editor.
// .vscode/sftp.json
{
"name": "Production Server",
"host": "example.com",
"protocol": "sftp",
"port": 22,
"username": "deploy",
"privateKeyPath": "~/.ssh/id_rsa",
"remotePath": "/var/www/html",
"uploadOnSave": true,
"ignore": [
".vscode",
".git",
"node_modules"
]
}
Security Best Practices
When using file transfer protocols, especially over public networks, security should be a primary concern. Following these best practices helps protect your data.
- Use SFTP instead of FTP: SFTP encrypts all traffic including credentials and data. FTP sends everything in plain text and should never be used over the internet.
- Use SSH Keys for Authentication: SSH keys are more secure than passwords and enable automation without storing passwords in scripts.
- Disable Root Login: Configure SFTP to allow only specific users, never root. Use sudo for administrative actions.
- Use Chroot/SFTP Jail: Restrict users to their home directories using chroot or SFTP jail to prevent access to system files.
- Change Default Port: While not a security measure on its own, changing from port 22 can reduce automated attack attempts.
- Use Firewalls: Restrict SFTP access to trusted IP addresses when possible.
- Enable Logging: Monitor SFTP access logs for unauthorized attempts or unusual activity.
- Keep Systems Updated: Regularly update SSH/SFTP server software to patch security vulnerabilities.
# Disable root login
PermitRootLogin no
# Use SSH keys only (disable password authentication)
PasswordAuthentication no
PubkeyAuthentication yes
# Allow only specific users
AllowUsers deploy webuser backupuser
# Change default port (optional)
Port 2222
# SFTP chroot jail for a specific group. Keep Match blocks at the end of
# the file: every directive after "Match" applies only to that match,
# and directives such as Port are not permitted inside one.
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/%u
# sshd requires the chroot directory and every parent directory to be
# owned by root and not writable by group or others, so /home/%u must
# stay root-owned; give each user a writable subdirectory (for example
# /home/%u/upload) inside it.
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Common FTP/SFTP Errors and Solutions
When working with FTP and SFTP, you may encounter various errors. Understanding common issues helps you troubleshoot quickly.
- Connection Timeout: Check firewall rules, network connectivity, and server availability. Ensure the server is running and accepting connections on the correct port.
- Authentication Failed: Verify username, password, and SSH key permissions. For SSH keys, ensure the private key has correct permissions (600) and the public key is properly added to authorized_keys.
- Permission Denied: Check file and directory permissions on the server. The user must have write permission to upload files and read permission to download.
- Connection Refused: The server may not be running, or the port may be blocked by a firewall. Verify the service is running with systemctl status sshd.
- Host Key Verification Failed: The server's host key has changed. Remove the old key from known_hosts if you trust the change, or verify with the server administrator.
- No Route to Host: Network connectivity issue. Check DNS resolution, routing, and whether the server is reachable via ping.
# Test SSH/SFTP connectivity
ssh -v user@example.com
sftp -v user@example.com
# Check if port is open
nc -zv example.com 22
telnet example.com 22
# Check SSH key permissions
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh
# Test with specific key
sftp -i ~/.ssh/custom_key user@example.com
# Debug connection issues
ssh -vvv user@example.com 2>&1 | grep -i error
# Check server status (on server)
systemctl status sshd
ss -tlnp | grep ':22 '
Automating File Transfers
File transfers are often automated as part of backup scripts, deployment pipelines, or data synchronization processes. SFTP and SCP are excellent choices for automation due to their scriptability and security.
- Batch Mode: Use SFTP batch files with password-less SSH keys for automated transfers.
- SCP for Simple Copying: SCP is ideal for single-file transfers in scripts.
- rsync over SSH: For efficient synchronization of directories, rsync with SSH provides delta transfers and resume capability.
- CI/CD Integration: Many CI/CD platforms support SFTP deployments with SSH keys.
- Error Handling: Implement proper error checking and retry logic in automation scripts.
#!/bin/bash
# SFTP batch transfer script
HOST="example.com"
USER="deploy"
REMOTE_PATH="/var/www/html"
LOCAL_PATH="./dist"
# Upload with sftp batch mode: -b - reads the commands from stdin and
# makes sftp abort with a non-zero exit status at the first failing
# command. The heredoc delimiter is left unquoted so the shell expands
# $REMOTE_PATH and $LOCAL_PATH before sftp reads the commands (a quoted
# 'EOF' would pass the variable names through literally).
sftp -b - "$USER@$HOST" << EOF
cd $REMOTE_PATH
lcd $LOCAL_PATH
put -r *
quit
EOF
# Check exit status
if [ $? -eq 0 ]; then
    echo "Upload successful"
else
    echo "Upload failed"
    exit 1
fi
# Using rsync over SSH (more efficient): only changed data is sent, and
# --delete removes remote files that no longer exist locally
rsync -avz --delete -e ssh "$LOCAL_PATH/" "$USER@$HOST:$REMOTE_PATH/"
# SCP for single file
scp deploy.tar.gz "$USER@$HOST:/tmp/"
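The error handling and retry logic the list above calls for, as an added example that is not part of the original article: a generic retry wrapper, a batch-file generator, and an sftp upload that fails closed on unknown host keys and password prompts. It assumes OpenSSH sftp; the user, host and paths are placeholders.

```shell
#!/bin/bash
# Added example, not from the original article: error handling and
# retry logic around an sftp batch upload. Assumes OpenSSH sftp; the
# user, host and paths passed to main are placeholders.

# with_retry <max_attempts> <command...>
# Runs the command until it succeeds or max_attempts is reached,
# sleeping RETRY_DELAY seconds (default 5) between attempts. Returns 0
# on success, otherwise the last exit status.
with_retry() {
    local max="$1" attempt=1 status
    shift
    while :; do
        "$@" && return 0
        status=$?
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempts (exit $status)" >&2
            return "$status"
        fi
        echo "attempt $attempt failed (exit $status), retrying" >&2
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-5}"
    done
}

# write_batch <remote_dir> <local_dir> <file>
# Writes the sftp batch file. Paths are quoted so names containing
# spaces survive; in -b mode sftp aborts at the first failing command,
# which is what makes its exit status meaningful to with_retry.
write_batch() {
    printf 'cd "%s"\nlcd "%s"\nput -r *\nquit\n' "$1" "$2" > "$3"
}

# sftp_upload <user@host> <batchfile>
# BatchMode=yes fails instead of prompting for a password (an automated
# job cannot answer one), and StrictHostKeyChecking=yes refuses unknown
# or changed host keys rather than accepting them.
sftp_upload() {
    sftp -o BatchMode=yes -o StrictHostKeyChecking=yes \
         -o ConnectTimeout=15 -b "$2" "$1"
}

# main <user@host> <remote_dir> <local_dir>
main() {
    local batch status
    batch=$(mktemp)
    write_batch "$2" "$3" "$batch"
    with_retry 3 sftp_upload "$1" "$batch"
    status=$?
    rm -f "$batch"
    return "$status"
}
# Runs only when invoked with arguments, e.g.
#   ./sftp_deploy.sh deploy@example.com /var/www/html ./dist
if [ $# -gt 0 ]; then main "$@"; fi
```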
Frequently Asked Questions
- What is the difference between SFTP and FTPS?
SFTP is a completely different protocol built on SSH. It uses a single encrypted connection and supports SSH key authentication. FTPS is FTP with SSL/TLS encryption added, inheriting FTP's dual-connection architecture. SFTP is generally preferred for modern applications due to simplicity and firewall friendliness.
- Is FTP still secure?
No. Standard FTP transmits credentials and data in plain text. It should never be used over the internet for sensitive information. Use SFTP or FTPS instead.
- Can I use SFTP with standard FTP clients?
No. SFTP is a different protocol. You need an SFTP-capable client like FileZilla, WinSCP, or the command-line sftp command.
- What port does SFTP use?
SFTP uses port 22 by default, the same as SSH. This can be changed in the SSH server configuration if needed.
- What is the difference between SFTP and SCP?
SCP (Secure Copy) is a simple file copy protocol also built on SSH. It is faster for single files but lacks the interactive features, directory management, and resume capability of SFTP. Use SFTP for interactive sessions and complex operations; use SCP for simple one-off file copies.
- What should I learn next after understanding FTP and SFTP?
After mastering file transfer protocols, explore encryption basics for secure communication, server management for deploying applications, and security compliance for data protection standards.
Conclusion
File transfer is a fundamental task in system administration and web development. FTP and SFTP provide different approaches with vastly different security characteristics. While FTP remains available for legacy systems, SFTP has become the modern standard for secure, reliable file transfers. Its integration with SSH provides strong encryption, simple firewall configuration, and robust authentication options.
Choosing the right protocol depends on your requirements. For public, read-only content on isolated networks, FTP may be acceptable. For any data requiring confidentiality or integrity, SFTP is the clear choice. With proper configuration, SSH key authentication, and firewall rules, SFTP provides a secure foundation for file transfers in any environment.
To deepen your understanding, combine file transfer knowledge with related topics like encryption basics for secure communication, server management for deploying and configuring servers, backup strategies for protecting your data, and automation scripting for scheduling and managing transfers. Together, these skills form a complete foundation for managing files across networks securely and efficiently.
