DevOps Knowledge Hub
DevOps Knowledge Hub

How to Securely Transfer Files Using SCP and SFTP with SSH

Master the art of secure file transfer using SSH. This comprehensive guide details the differences, pros, and cons of the Secure Copy Protocol (SCP) and the SSH File Transfer Protocol (SFTP). Learn essential command-line syntax for both methods, including examples for local-to-remote and remote-to-local transfers. We also cover crucial security best practices, such as SSH key authentication and user restriction, ensuring your data remains encrypted and protected during every transfer.

34 views

How to Securely Transfer Files Using SCP and SFTP with SSH

Transferring files between local and remote systems is a fundamental requirement of system administration and development. However, using unencrypted protocols like standard FTP or R-commands exposes sensitive data to interception and attack. The Secure Shell (SSH) protocol provides two robust, encrypted methods for file transfer: the Secure Copy Protocol (SCP) and the SSH File Transfer Protocol (SFTP).

This guide details how SCP and SFTP leverage SSH encryption to ensure data integrity and confidentiality during transit. We will explore the strengths and weaknesses of each protocol, provide practical command-line examples, and outline critical security best practices for secure file management.

Understanding the Foundation: SSH

Both SCP and SFTP utilize SSH (typically running on port 22) as the underlying transport layer. When you initiate a transfer using either protocol, SSH first establishes a secure, encrypted tunnel between the client and the server. All data, including authentication credentials and the file contents, is transmitted through this tunnel, making both methods highly secure alternatives to legacy file transfer protocols.

Key features provided by the SSH foundation:

  • Encryption: All data is encrypted end-to-end.
  • Authentication: Supports both password authentication and the far more secure public/private key pair authentication.
  • Integrity: Uses cryptographic hashing to ensure files are not altered during transfer.

Secure Copy Protocol (SCP)

SCP is a network protocol based on the remote copy protocol (rcp) but wrapped with the security of SSH. It is designed for simplicity and speed, making it ideal for quick, non-interactive transfers, especially in scripting or automation.

SCP Features and Characteristics

  1. Simplicity: Uses a syntax very similar to the standard Unix cp command.
  2. Speed: Generally faster than SFTP because it does not require interactive acknowledgements or session setup, only relying on the underlying SSH tunnel.
  3. Non-Interactive: Once started, the transfer runs to completion without the ability to manage the session or interrupt the transfer state.

Practical SCP Commands

The general syntax for SCP is scp [options] [source] [destination].

1. Copying a File from Local to Remote Server

To push a local file to a remote user's home directory:

scp /path/to/local/file.txt user@remote_host:/home/user/destination/

2. Copying a File from Remote to Local System

To pull a file from the server to your current directory:

scp user@remote_host:/var/log/system.log . 
# Note: The '.' indicates the current local directory

3. Copying an Entire Directory (Recursive)

Use the -r (recursive) flag to copy directories and all their contents:

scp -r /path/to/local/folder/ user@remote_host:/data/backups/

4. Specifying a Non-Standard Port

If your SSH daemon runs on a port other than 22, use the -P flag (note the capital P):

scp -P 2222 local_file.zip user@remote_host:/tmp/

Note on SCP Deprecation: While highly useful, SCP is considered a legacy protocol. Modern systems increasingly recommend using SFTP or Rsync over SSH due to known vulnerabilities in SCP's protocol design, particularly relating to filename manipulation.

SSH File Transfer Protocol (SFTP)

SFTP is a sub-system of SSH that provides a richer, interactive environment for file management. Unlike SCP, which is purely a copy tool, SFTP is a stateful protocol that allows for detailed session control, file listing, deleting, renaming, and directory creation—similar to an enhanced FTP session, but entirely secure.

SFTP Features and Characteristics

  1. Interactive Session: Transfers occur within a dedicated, interactive shell session.
  2. Robustness: Supports seeking, resuming, and management of individual transfers within the session.
  3. Full Management: Allows listing (ls), changing directories (cd), and manipulating remote and local files using session commands (put, get, lcd, lmkdir).
  4. Security: Highly reliable and considered the standard for modern secure file transfers.

Practical SFTP Commands

1. Initiating an SFTP Connection

Start an interactive session to the remote server:

sftp user@remote_host

If using a specific port:

sftp -P 2222 user@remote_host

2. SFTP Interactive Commands

Once connected, you operate in the remote environment by default. Use commands to manage transfers and directories:

Command Description Example
ls List remote files ls -l
cd Change remote directory cd /var/www/html
put Upload file (Local to Remote) put local_data.zip
get Download file (Remote to Local) get server_backup.tar.gz
lcd Change local directory lcd /Users/me/downloads
lpwd Print local working directory lpwd
mkdir Create remote directory mkdir new_project
quit Exit the SFTP session quit

Example: Uploading and Downloading within an SFTP Session

$ sftp [email protected]
sftp> cd /data/backups
sftp> lcd /home/local/reports
sftp> put daily_report.csv  # Uploads the file
Uploading daily_report.csv to /data/backups/daily_report.csv
daily_report.csv                                      100% 512KB   4.3MB/s   00:00    
sftp> get configuration.yaml  # Downloads a file
Fetching /data/backups/configuration.yaml to configuration.yaml
configuration.yaml                                    100% 20KB    1.1MB/s   00:00    
sftp> quit

SCP vs. SFTP: Choosing the Right Tool

While both protocols are secure, they serve different operational needs:

Feature Secure Copy Protocol (SCP) SSH File Transfer Protocol (SFTP)
Mechanism Simple copy protocol (Non-Interactive) Interactive file management protocol (Stateful)
Use Case Quick, single file transfers; scripting/automation. Complex transfers; directory management; interactive sessions.
Speed Generally faster due to lower overhead. Slightly slower due to interactive handshakes.
Resumption Poorly supported or non-existent. Fully supports transfer resumption and seeking.
Security Status Legacy (Some protocol vulnerabilities). Modern, robust standard.

When to use SCP: Use SCP when you need maximum speed for a simple file transfer and are executing the command within a script where non-interactivity is preferred.

When to use SFTP: Use SFTP for virtually all manual file transfers, when you need to manage multiple files, change directories, or require session robustness and modern security features.

Best Practices for Secure File Transfers

Using SCP or SFTP is only the first step. Proper security configuration on the SSH server is essential to protect the remote environment.

1. Prioritize SSH Key Authentication

Password-based authentication is vulnerable to brute-force attacks. Always use public/private SSH key pairs for authenticating file transfers. Key usage eliminates the risk of password compromise during automated or manual transfers.

Generating Keys (if needed):

ssh-keygen -t rsa -b 4096

Using a specific key for transfer:

scp -i ~/.ssh/my_transfer_key file.txt user@remote_host:/tmp/
# or
sftp -i ~/.ssh/my_transfer_key user@remote_host

2. Disable Root Login

Never allow direct file transfers using the root user. Transfers should always be performed by a dedicated, low-privilege user account. If administrative access is needed, files can be moved to the appropriate location after transfer using sudo locally on the remote machine.

3. Restrict Access using ChrootDirectory (SFTP)

For systems providing SFTP access to external or untrusted users, implement ChrootDirectory restrictions within the sshd_config file. This locks the SFTP user into a specific directory, preventing them from browsing the rest of the filesystem.

Example configuration snippet in /etc/ssh/sshd_config:

Match User sftp_external_user
  ForceCommand internal-sftp
  ChrootDirectory /var/sftp/%u
  AllowTcpForwarding no
  X11Forwarding no

4. Limit Permissions

Ensure that the user account used for transfers only has the minimum permissions necessary for its task (Principle of Least Privilege). If a user only needs to upload files to /data/uploads, ensure they cannot delete files in /etc/config.

Conclusion

SSH provides the essential security layer needed for trustworthy remote operations. While SCP remains a fast and straightforward option for scripted copies, SFTP offers the superior feature set, interactive control, and modern robustness required for comprehensive file management. By leveraging key-based authentication and proper server-side configuration, system administrators can ensure their file transfers are not only functional but entirely secure.