Master DevOps Tools & Best Practices - DevOps Knowledge Hub Master DevOps Tools & Best Practices - DevOps Knowledge Hub

How to Securely Transfer Files Using SCP and SFTP with SSH

Transfer files securely with SCP and SFTP over SSH, including practical commands, key authentication, and safer server-side access controls.

How to Securely Transfer Files Using SCP and SFTP with SSH

Transferring files between local and remote systems is a fundamental requirement of system administration and development. However, using unencrypted protocols like standard FTP or R-commands exposes sensitive data to interception and attack. The Secure Shell (SSH) protocol provides two robust, encrypted methods for file transfer: the Secure Copy Protocol (SCP) and the SSH File Transfer Protocol (SFTP).

This guide explains when to use SCP, when to use SFTP, and how to avoid the common mistakes that make secure file transfer less secure in practice.

Understanding the Foundation: SSH

Both SCP and SFTP utilize SSH (typically running on port 22) as the underlying transport layer. When you initiate a transfer using either protocol, SSH first establishes a secure, encrypted tunnel between the client and the server. All data, including authentication credentials and the file contents, is transmitted through this tunnel, making both methods highly secure alternatives to legacy file transfer protocols.

Key features provided by the SSH foundation:

  • Encryption: All data is encrypted end-to-end.
  • Authentication: Supports both password authentication and the far more secure public/private key pair authentication.
  • Integrity: Uses cryptographic hashing to ensure files are not altered during transfer.

Secure Copy Protocol (SCP)

SCP is a network protocol based on the remote copy protocol (rcp) but wrapped with the security of SSH. It is designed for simplicity and speed, making it ideal for quick, non-interactive transfers, especially in scripting or automation.

SCP Features and Characteristics

  1. Simplicity: Uses a syntax very similar to the standard Unix cp command.
  2. Speed: Often fast for simple one-shot copies, though performance depends on the SSH implementation, cipher, network, and file set.
  3. Non-Interactive: Once started, the transfer runs to completion without the ability to manage the session or interrupt the transfer state.

Practical SCP Commands

The general syntax for SCP is scp [options] [source] [destination].

1. Copying a File from Local to Remote Server

To push a local file to a remote user's home directory:

scp /path/to/local/file.txt user@remote_host:/home/user/destination/

2. Copying a File from Remote to Local System

To pull a file from the server to your current directory:

scp user@remote_host:/var/log/system.log . 
# Note: The '.' indicates the current local directory

3. Copying an Entire Directory (Recursive)

Use the -r (recursive) flag to copy directories and all their contents:

scp -r /path/to/local/folder/ user@remote_host:/data/backups/

4. Specifying a Non-Standard Port

If your SSH daemon runs on a port other than 22, use the -P flag (note the capital P):

scp -P 2222 local_file.zip user@remote_host:/tmp/

Note on SCP: Traditional SCP protocol behavior has a history of filename and path handling risks. Some modern OpenSSH clients use SFTP under the hood for scp by default, but not every client or server behaves the same way. For new workflows, prefer SFTP or rsync over SSH unless you specifically need SCP compatibility.

SSH File Transfer Protocol (SFTP)

SFTP is a subsystem of SSH that provides a richer, interactive environment for file management. Unlike SCP, which is purely a copy tool, SFTP is a stateful protocol that allows file listing, deleting, renaming, and directory creation through the same SSH-protected connection.

SFTP Features and Characteristics

  1. Interactive Session: Transfers occur within a dedicated, interactive shell session.
  2. Robustness: Supports seeking, resuming, and management of individual transfers within the session.
  3. Full Management: Allows listing (ls), changing directories (cd), and manipulating remote and local files using session commands (put, get, lcd, lmkdir).
  4. Security: Uses SSH for transport and is the better default for modern interactive file transfers.

Practical SFTP Commands

1. Initiating an SFTP Connection

Start an interactive session to the remote server:

sftp user@remote_host

If using a specific port:

sftp -P 2222 user@remote_host

2. SFTP Interactive Commands

Once connected, you operate in the remote environment by default. Use commands to manage transfers and directories:

Command Description Example
ls List remote files ls -l
cd Change remote directory cd /var/www/html
put Upload file (Local to Remote) put local_data.zip
get Download file (Remote to Local) get server_backup.tar.gz
lcd Change local directory lcd /Users/me/downloads
lpwd Print local working directory lpwd
mkdir Create remote directory mkdir new_project
quit Exit the SFTP session quit

Example: Uploading and Downloading within an SFTP Session

$ sftp [email protected]
sftp> cd /data/backups
sftp> lcd /home/local/reports
sftp> put daily_report.csv  # Uploads the file
Uploading daily_report.csv to /data/backups/daily_report.csv
daily_report.csv                                      100% 512KB   4.3MB/s   00:00    
sftp> get configuration.yaml  # Downloads a file
Fetching /data/backups/configuration.yaml to configuration.yaml
configuration.yaml                                    100% 20KB    1.1MB/s   00:00    
sftp> quit

SCP vs. SFTP: Choosing the Right Tool

While both protocols are secure, they serve different operational needs:

Feature Secure Copy Protocol (SCP) SSH File Transfer Protocol (SFTP)
Mechanism Simple copy protocol (Non-Interactive) Interactive file management protocol (Stateful)
Use Case Quick, single file transfers; scripting/automation. Complex transfers; directory management; interactive sessions.
Speed Often good for simple copies. Usually fast enough, with more file-management features.
Resumption Limited; use another tool for robust resume behavior. Supports more controlled transfer operations, but client resume behavior varies.
Security Status Compatibility tool; traditional protocol has design concerns. Better default for managed file transfer over SSH.

When to use SCP: Use SCP when you need maximum speed for a simple file transfer and are executing the command within a script where non-interactivity is preferred.

When to use SFTP: Use SFTP for virtually all manual file transfers, when you need to manage multiple files, change directories, or require session robustness and modern security features.

Best Practices for Secure File Transfers

Using SCP or SFTP is only the first step. Proper security configuration on the SSH server is essential to protect the remote environment.

1. Prioritize SSH Key Authentication

Password-based authentication is vulnerable to brute-force attacks. Always use public/private SSH key pairs for authenticating file transfers. Key usage eliminates the risk of password compromise during automated or manual transfers.

Generating Keys (if needed):

ssh-keygen -t ed25519 -C "file-transfer"

Using a specific key for transfer:

scp -i ~/.ssh/my_transfer_key file.txt user@remote_host:/tmp/
# or
sftp -i ~/.ssh/my_transfer_key user@remote_host

2. Disable Root Login

Never allow direct file transfers using the root user. Transfers should always be performed by a dedicated, low-privilege user account. If administrative access is needed, files can be moved to the appropriate location after transfer using sudo locally on the remote machine.

3. Restrict Access using ChrootDirectory (SFTP)

For systems providing SFTP access to external or untrusted users, implement ChrootDirectory restrictions within the sshd_config file. This locks the SFTP user into a specific directory, preventing them from browsing the rest of the filesystem.

Example configuration snippet in /etc/ssh/sshd_config:

Match User sftp_external_user
  ForceCommand internal-sftp
  ChrootDirectory /var/sftp/%u
  AllowTcpForwarding no
  X11Forwarding no

4. Limit Permissions

Ensure that the user account used for transfers only has the minimum permissions necessary for its task (Principle of Least Privilege). If a user only needs to upload files to /data/uploads, ensure they cannot delete files in /etc/config.

Takeaway

Use SFTP as your default when you need to browse, upload, download, or manage files interactively. Use SCP for simple compatibility cases where you trust the server and understand the client behavior. In both cases, pair the command with SSH keys, least-privilege accounts, and tight directory permissions.