SFTP Protocol: The Complete Guide to Secure File Transfers on Your VPS
Transferring files to and from your server is one of the most routine tasks in web hosting and systems administration — yet it's also one of the most frequently mishandled from a security standpoint. Legacy protocols like FTP transmit credentials and data in plain text, leaving your server wide open to interception. SFTP (SSH File Transfer Protocol) eliminates that risk entirely by routing every byte of data through an encrypted SSH tunnel.
This guide covers everything you need to know about SFTP: how it works under the hood, how to set it up on a Linux VPS, how to connect using both command-line tools and GUI clients, and why it should be your default method for all file transfer operations.
What Is SFTP and How Does It Differ from FTP?
SFTP stands for SSH File Transfer Protocol. Despite the similar name, it is not a simple extension of the traditional FTP protocol — it is an entirely separate protocol built from the ground up to operate over SSH (Secure Shell). This distinction matters enormously in practice.
| Feature | FTP | SFTP |
|---|---|---|
| Encryption | None (plain text) | Full SSH encryption |
| Ports required | 20 + 21 (+ passive range) | 22 (single port) |
| Authentication | Username/password only | Password, SSH key, 2FA |
| Firewall compatibility | Complex | Simple |
| Data integrity | Not guaranteed | Cryptographically verified |
Traditional FTP sends your username, password, and all file data in clear text. Anyone performing a packet capture on the same network segment can read your credentials instantly. SFTP encrypts the entire session — authentication, commands, and file data — using the same battle-tested cryptography that secures SSH connections worldwide.
How SFTP Works: A Technical Overview
When you initiate an SFTP session, the following sequence occurs:
- TCP connection is established to port 22 on the remote server.
- SSH handshake takes place: the server presents its host key, and the client verifies it against known hosts to prevent man-in-the-middle attacks.
- Authentication is performed — either via password or public/private key pair.
- SFTP subsystem is invoked within the authenticated SSH session.
- File operations (upload, download, rename, delete, list directories) are performed over the encrypted channel.
The entire session, from authentication to the final byte of transferred data, is protected by symmetric encryption negotiated during the SSH handshake. No credentials or file contents ever travel in plain text.
Step 1: Installing and Configuring OpenSSH Server
Most modern Linux distributions — including Ubuntu and Debian — ship with OpenSSH either pre-installed or readily available in their package repositories. If you are running a fresh VPS Hosting instance, verify that the OpenSSH server is present and running.
Install OpenSSH on Ubuntu/Debian
```shell
sudo apt update && sudo apt install openssh-server -y
```
Verify the Service Is Running
```shell
sudo systemctl status ssh
```
You should see active (running) in the output. If the service is not running, start and enable it:
```shell
sudo systemctl start ssh
sudo systemctl enable ssh
```
Check That SFTP Is Enabled
OpenSSH includes SFTP support via a built-in subsystem. Confirm it is configured in /etc/ssh/sshd_config:
```shell
grep -i sftp /etc/ssh/sshd_config
```
You should see a line similar to:
```
Subsystem sftp /usr/lib/openssh/sftp-server
```
If this line is missing or commented out, add it and restart the SSH daemon:
```shell
sudo systemctl restart ssh
```
Step 2: Creating a Dedicated SFTP User (Best Practice)
Rather than using your root account or a general admin account for file transfers, create a dedicated SFTP user with restricted access. This limits the blast radius if credentials are ever compromised.
Create the User and Set a Home Directory
```shell
sudo adduser sftpuser
sudo mkdir -p /var/sftp/uploads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
sudo chown sftpuser:sftpuser /var/sftp/uploads
```
Configure Chroot Jail in sshd_config
Open /etc/ssh/sshd_config and add the following block at the end of the file:
```
Match User sftpuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```
This configuration jails the user inside /var/sftp, preventing them from navigating to other parts of the filesystem. Inside the jail, /var/sftp appears to the user as /, so the writable upload directory is seen as /uploads. The chroot root itself must remain owned by root and must not be writable by any other user or group, which is why the commands above leave /var/sftp as root:root 755 and give sftpuser ownership of only the uploads subdirectory. Restart SSH to apply the changes:
```shell
sudo systemctl restart ssh
```
Step 3: Setting Up SSH Key Authentication for SFTP
Password authentication is convenient but less secure than key-based authentication. For production environments, SSH key pairs are strongly recommended.
Generate an SSH Key Pair on Your Local Machine
On Linux or macOS:
```shell
ssh-keygen -t ed25519 -C "sftp-key-$(date +%Y%m%d)"
```
On Windows (PowerShell or Windows Terminal):
```powershell
ssh-keygen -t ed25519
```
This generates two files: a private key (keep this secret, never share it) and a public key (ending in .pub).
Copy the Public Key to the Server
```shell
ssh-copy-id -i ~/.ssh/id_ed25519.pub sftpuser@your-server-ip
```
Alternatively, manually append the public key to ~/.ssh/authorized_keys in the SFTP user's home directory on the server.
Disable Password Authentication (Optional but Recommended)
Once key-based authentication is confirmed working, disable password login for the SFTP user in sshd_config by changing PasswordAuthentication yes to PasswordAuthentication no within the Match User block.
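Because Steps 2 and 3 and the hardening section further down all edit the same file, it is worth checking the finished sshd_config against every setting this guide asks for before restarting the daemon. The following POSIX shell script is an added example (not part of the original guide or of OpenSSH) that does this: it resolves each directive the way sshd does (a matching Match User block overrides the global section, the first value wins within each, and an unset directive falls back to the OpenSSH default noted in the code) and reports every deviation from the Step 2 Match block, the PasswordAuthentication no change from this step, and the PermitRootLogin and non-default Port settings from the hardening section. It assumes the whitespace-separated `Keyword value` form used on this page rather than `Keyword=value`; the config path and user name are arguments, and the test data it is run against here is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SFTP settings recommended in this guide.
# Assumes "Keyword value" syntax (not "Keyword=value") and reads the file passed as $1.

# Effective value of <directive> for <user>: a Match User block that names the
# user overrides the global section; within each, sshd uses the first value it
# sees. Prints nothing if the directive is never set.
effective_directive() {  # <sshd_config> <user> <directive>
  awk -v user="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
    tolower($1) == "match" {                          # start of a conditional block
      in_match = 1; applies = 0
      if (tolower($2) == "all") applies = 1
      for (i = 2; i < NF; i += 2) {                   # criteria come in pairs: User x, Address y, ...
        if (tolower($i) == "user") {
          n = split($(i + 1), users, ",")
          for (j = 1; j <= n; j++) if (users[j] == user) applies = 1
        }
      }
      next
    }
    tolower($1) == key {
      if (in_match) { if (applies && !have_match) { mval = $2; have_match = 1 } }
      else if (!have_global) { gval = $2; have_global = 1 }
    }
    END { if (have_match) print mval; else if (have_global) print gval }
  ' "$1"
}

# Print a finding and return 1 if the effective value is not the wanted one.
expect_directive() {  # <sshd_config> <user> <directive> <wanted> <openssh_default>
  val=$(effective_directive "$1" "$2" "$3")
  [ -n "$val" ] || val=$5                              # unset directives take the OpenSSH default
  if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$4" ]; then
    return 0
  fi
  printf 'FINDING: %s is "%s" for user %s (want %s)\n' "$3" "$val" "$2" "$4"
  return 1
}

# Run every check; the exit status is the number of findings (0 = hardened as described).
audit_sftp_config() {  # <sshd_config> <sftp user>
  cfg=$1; user=$2; findings=0
  [ -r "$cfg" ] || { printf 'cannot read %s\n' "$cfg" >&2; return 99; }
  # Step 2: the Match block must confine the user to the SFTP subsystem inside a chroot
  expect_directive "$cfg" "$user" ForceCommand internal-sftp none || findings=$((findings + 1))
  chroot=$(effective_directive "$cfg" "$user" ChrootDirectory)
  case $chroot in
    /*) ;;
    *) printf 'FINDING: ChrootDirectory is "%s" for user %s (want an absolute path)\n' "${chroot:-none}" "$user"
       findings=$((findings + 1)) ;;
  esac
  # Step 2: no tunnels or forwarding for the SFTP user (OpenSSH defaults after the colon)
  for d in PermitTunnel:no AllowAgentForwarding:yes AllowTcpForwarding:yes X11Forwarding:no; do
    expect_directive "$cfg" "$user" "${d%%:*}" no "${d#*:}" || findings=$((findings + 1))
  done
  # Step 3: no password login for the SFTP user (default is yes)
  expect_directive "$cfg" "$user" PasswordAuthentication no yes || findings=$((findings + 1))
  # Hardening 1 and 4: a non-default port and no root login (default is prohibit-password)
  expect_directive "$cfg" root PermitRootLogin no prohibit-password || findings=$((findings + 1))
  port=$(effective_directive "$cfg" root Port)
  if [ "${port:-22}" = 22 ]; then
    printf 'FINDING: Port is %s (want a non-default port)\n' "${port:-22}"
    findings=$((findings + 1))
  fi
  return $findings
}

# Usage: sh audit_sftp.sh /etc/ssh/sshd_config sftpuser
if [ "$#" -ge 2 ]; then
  audit_sftp_config "$1" "$2"
fi
```

Run it alongside `sudo sshd -t` before each restart: `sshd -t` only checks that the file parses, while this script checks that the policy you intended is the one sshd will actually apply to the SFTP user.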
Step 4: Connecting to SFTP from the Command Line
The command-line SFTP client is available natively on Linux and macOS, and is included with OpenSSH on Windows 10/11.
Basic Connection Syntax
```shell
sftp username@hostname_or_ip
```
Example:
```shell
sftp sftpuser@203.0.113.45
```
Connecting on a Non-Standard Port
If your SSH daemon listens on a port other than 22 (a common security hardening measure):
```shell
sftp -P 2222 sftpuser@203.0.113.45
```
Connecting with an SSH Key
```shell
sftp -i ~/.ssh/id_ed25519 sftpuser@203.0.113.45
```
Step 5: Essential SFTP Commands
Once connected, you operate in an interactive SFTP shell. The following commands cover the vast majority of day-to-day file management tasks.
Navigation
```
# List files on the remote server
ls
ls -la
# Change remote directory
# (a user chrooted to /var/sftp as in Step 2 sees this directory as /uploads)
cd /var/sftp/uploads
# Show current remote directory
pwd
# List files on your local machine
lls
# Change local directory
lcd ~/Downloads
# Show current local directory
lpwd
```
Uploading Files
```
# Upload a single file
put localfile.txt
# Upload a file to a specific remote path
put localfile.txt /var/sftp/uploads/localfile.txt
# Upload an entire directory recursively
put -r /local/directory /var/sftp/uploads/
```
Downloading Files
```
# Download a single file to the current local directory
get remotefile.txt
# Download a file to a specific local path
get remotefile.txt ~/Downloads/remotefile.txt
# Download an entire directory recursively
get -r /var/sftp/uploads/ ~/local-backup/
```
File and Directory Management
```
# Create a remote directory
mkdir new-folder
# Remove a remote file
rm old-file.txt
# Remove a remote directory
rmdir empty-folder
# Rename or move a file
rename old-name.txt new-name.txt
```
Exit the Session
```
exit
# or
bye
# or press Ctrl+D
```
Step 6: Connecting with GUI Clients
Command-line SFTP is powerful, but graphical clients are often more practical for managing large numbers of files or for team members who are less comfortable with the terminal.
FileZilla (Windows, macOS, Linux)
FileZilla is one of the most widely used free SFTP clients available.
- Open FileZilla and navigate to File → Site Manager.
- Click New Site and give it a descriptive name.
- Set Protocol to SFTP – SSH File Transfer Protocol.
- Enter your Host (IP address or domain) and Port (default: 22).
- Set Logon Type to Key file for SSH key authentication, or Normal for password authentication.
- Enter your Username and browse to your private key file if using key-based auth.
- Click Connect.
You can now drag and drop files between your local machine (left panel) and the remote server (right panel).
WinSCP (Windows)
WinSCP is a popular Windows-only alternative with a dual-pane interface and strong integration with PuTTY key formats.
- Open WinSCP and create a New Session.
- Set File Protocol to SFTP.
- Enter the Host name, Port number, Username, and Password (or configure an SSH key under Advanced → SSH → Authentication).
- Click Login.
Cyberduck (macOS, Windows)
Cyberduck is a clean, modern client that supports SFTP alongside S3, FTP, and other protocols. Connect by clicking Open Connection, selecting SFTP (SSH File Transfer Protocol), and entering your server credentials.
Automating SFTP Transfers with Scripts
For recurring tasks such as backups, log collection, or deployment pipelines, you can automate SFTP transfers using shell scripts combined with SSH key authentication (no password prompt required).
Example: Automated Backup Script
```shell
#!/bin/bash
# Archive a local directory and upload it over SFTP using key authentication.
# Exit on the first failed command so a bad archive is never reported as uploaded.
set -euo pipefail

# Configuration
REMOTE_USER="sftpuser"
REMOTE_HOST="203.0.113.45"
# Remote path as seen by the SFTP user: sftpuser from Step 2 is chrooted to
# /var/sftp, so /var/sftp/uploads/backups on the server is /uploads/backups
# inside the jail (use the full server path only for a non-chrooted user).
REMOTE_DIR="/uploads/backups"
LOCAL_BACKUP_DIR="/var/backups/myapp"
SSH_KEY="/root/.ssh/id_ed25519"
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="backup_${DATE}.tar.gz"
TMP_FILE="/tmp/${BACKUP_FILE}"

# Remove the temporary archive on exit, whether or not the upload succeeded
trap 'rm -f "${TMP_FILE}"' EXIT

# Create the backup archive
tar -czf "${TMP_FILE}" "${LOCAL_BACKUP_DIR}"

# Upload via SFTP. Batch mode (-b -) reads the commands from stdin and aborts with
# a non-zero exit status on the first failing command, so a missing remote
# directory or a failed put is not silently ignored. The server's host key must
# already be in root's known_hosts, since batch mode cannot answer prompts.
sftp -b - -i "${SSH_KEY}" "${REMOTE_USER}@${REMOTE_HOST}" <<EOF
cd ${REMOTE_DIR}
put ${TMP_FILE}
bye
EOF

echo "Backup ${BACKUP_FILE} uploaded successfully."
```
Schedule this with a cron job to run nightly:
```shell
# Save the script as /usr/local/bin/backup-sftp.sh and make it executable, then:
crontab -e
# Add:
0 2 * * * /usr/local/bin/backup-sftp.sh >> /var/log/sftp-backup.log 2>&1
```
Security Hardening for SFTP in Production
Running SFTP on a production server requires more than just the default configuration. Apply these hardening measures to significantly reduce your attack surface.
1. Change the Default SSH Port
Changing port 22 to a non-standard port (e.g., 2222 or 22222) dramatically reduces automated brute-force attempts. This is noise reduction against untargeted scanners rather than a security boundary, so pair it with key authentication; clients then connect with the -P option shown in Step 4:
```
# In /etc/ssh/sshd_config
Port 2222
```
2. Restrict SFTP Access by IP Address
If your team connects from known IP addresses, restrict SSH/SFTP access using UFW or /etc/hosts.allow:
```shell
sudo ufw allow from 203.0.113.10 to any port 22
sudo ufw deny 22
```
3. Implement Fail2Ban
Fail2Ban monitors authentication logs and automatically bans IP addresses after a configurable number of failed login attempts:
```shell
sudo apt install fail2ban -y
# --now starts the service immediately as well as enabling it at boot
sudo systemctl enable --now fail2ban
```
4. Disable Root Login via SSH
```
# In /etc/ssh/sshd_config
PermitRootLogin no
```
5. Use Strong SSH Key Algorithms
Prefer ed25519 or ecdsa keys over the older rsa algorithm. When generating keys, always use at least 4096 bits for RSA:
```shell
ssh-keygen -t ed25519
# or
ssh-keygen -t rsa -b 4096
```
6. Set Appropriate File Permissions
Ensure that SSH configuration files have correct permissions to prevent unauthorized modification:
```shell
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519
```
Key Advantages of SFTP Over Alternative Protocols
Security
SFTP encrypts both the control channel and the data channel using SSH. There is no scenario in which credentials or file contents travel in plain text. This makes it categorically safer than FTP and more straightforward to secure than FTPS (FTP over SSL/TLS), which requires certificate management and multiple ports.
Firewall and NAT Friendliness
FTP in passive mode requires a range of data ports to be opened on the firewall, which is a significant administrative burden and a wider attack surface. SFTP uses a single port (22 by default), making firewall rules simple and predictable.
Unified Authentication with SSH
Because SFTP runs over SSH, it inherits the full authentication ecosystem: password authentication, public key authentication, certificate-based authentication, and two-factor authentication. If you already manage SSH access to your server, SFTP requires no additional authentication infrastructure.
Data Integrity
SSH's transport layer includes message authentication codes (MACs) that verify the integrity of every packet. This means that not only is your data encrypted in transit, but any tampering or corruption is detected and the transfer is aborted.
Resume Support
Unlike basic FTP, SFTP supports resuming interrupted transfers, which is critical when uploading large files over unreliable connections.
SFTP in the Context of Your Hosting Stack
SFTP is not just a standalone tool — it integrates naturally into a broader hosting and deployment workflow. Here are the most common use cases:
WordPress and CMS management: Upload themes, plugins, and media files directly to your server without relying on a hosting control panel. This is particularly useful when working with a VPS with cPanel or other control panel environments where you need direct filesystem access.
Application deployment: Push compiled assets, configuration files, or entire application directories to your server as part of a deployment pipeline.
Database and configuration backups: Automate the transfer of database dumps and configuration backups to a remote storage location using the scripting approach described above.
Log collection: Pull server logs to your local machine for analysis without granting broad SSH access to analysts.
Static site publishing: Deploy static websites generated by tools like Hugo, Jekyll, or Next.js directly to your server's web root.
If you are running multiple projects or need isolated environments for different clients, a VPS Hosting plan gives you the root access and flexibility to configure SFTP exactly as your workflow demands — including chroot jails, per-user permissions, and custom port configurations.
For teams managing a large number of domains and websites, pairing SFTP access with Shared Web Hosting or a dedicated environment ensures that file transfers remain fast, encrypted, and auditable.
Troubleshooting Common SFTP Issues
"Connection refused" on Port 22
- Verify that the SSH service is running: `sudo systemctl status ssh`
- Check that port 22 is open in your firewall: `sudo ufw status`
- Confirm you are connecting to the correct IP address
"Permission denied" During File Upload
- Check that the destination directory exists and is writable by the SFTP user
- Verify chroot directory ownership: the chroot root must be owned by `root` with permissions `755`
- Review `/var/log/auth.log` for detailed error messages
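The chroot ownership rule is the usual cause of this error after following Step 2, and sshd applies it to every directory on the path, not just the chroot itself: each component must be root-owned and not writable by group or others (so 755, 750 and 700 all pass, while 775 or 777 fail). The following POSIX shell script is an added example (not part of the original guide or of OpenSSH) that checks a chroot path the same way before you restart sshd. It assumes GNU coreutils `stat` as found on Linux; the path is an argument (for the guide's setup, `/var/sftp`), and the directory it is tested against here is constructed.

```shell
#!/bin/sh
# Added example: verify that a ChrootDirectory path satisfies sshd's ownership rules.
# Assumes GNU coreutils stat (Linux). Usage: sh check_chroot.sh /var/sftp

# Pure rule check: uid must be 0 and the group/other write bits (022) must be clear.
chroot_component_ok() {  # <uid> <mode in octal as printed by stat, e.g. 755 or 1777>
  [ "$1" -eq 0 ] && [ $((0$2 & 022)) -eq 0 ]
}

# Apply the rule to one real directory and say why it fails.
check_component() {  # <directory>
  meta=$(stat -c '%u %a' "$1" 2>/dev/null) || { printf 'FAIL: %s does not exist\n' "$1"; return 1; }
  uid=${meta% *}; mode=${meta#* }
  if ! chroot_component_ok "$uid" "$mode"; then
    printf 'FAIL: %s is uid %s mode %s (need root-owned, not group/world writable)\n' "$1" "$uid" "$mode"
    return 1
  fi
}

# Walk from / down to the chroot, checking every component on the way,
# because sshd rejects the chroot if any ancestor directory breaks the rule.
chroot_path_ok() {  # <absolute chroot path>
  case $1 in /*) ;; *) printf 'chroot path must be absolute\n' >&2; return 2 ;; esac
  check_component / || return 1
  cur=""; rest=${1#/}
  while [ -n "$rest" ]; do
    seg=${rest%%/*}
    rest=${rest#"$seg"}; rest=${rest#/}
    [ -n "$seg" ] || continue
    cur="$cur/$seg"
    check_component "$cur" || return 1
  done
  printf 'OK: %s and all parent directories are root-owned and not group/world writable\n' "$1"
}

if [ "$#" -ge 1 ]; then
  chroot_path_ok "$1"
fi
```

When it reports a failure, the matching line in /var/log/auth.log reads "bad ownership or modes for chroot directory"; fix the reported component with `chown root:root` and `chmod 755` rather than loosening permissions elsewhere.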
"Host key verification failed"
- The server's host key has changed (possible after a reinstall or IP reassignment)
- Remove the old key: `ssh-keygen -R hostname_or_ip`
- Reconnect and accept the new host key, after confirming its fingerprint out of band (for example from your provider's console), since an unexpected key change is also what a man-in-the-middle attack looks like
Slow Transfer Speeds
- Test your network throughput independently to rule out a connectivity issue
- Consider enabling SSH compression for text-heavy transfers: `sftp -C username@hostname`
- For very large files, `rsync` over SSH may be more efficient than SFTP
"Broken pipe" or Disconnections During Transfer
- Increase the SSH keepalive settings in `~/.ssh/config`:
```
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
```
Comparing SFTP, FTPS, and SCP
| Feature | SFTP | FTPS | SCP |
|---|---|---|---|
| Protocol base | SSH | SSL/TLS over FTP | SSH |
| Ports | 1 (port 22) | 2+ (21 + data ports) | 1 (port 22) |
| Resume transfers | Yes | Depends on client | No |
| Directory listing | Yes | Yes | No |
| Interactive session | Yes | Yes | No |
| Firewall friendly | Excellent | Moderate | Excellent |
| Certificate required | No | Yes | No |
SCP (Secure Copy Protocol) is faster for simple file copies but lacks the interactive session capabilities of SFTP. It cannot list directories, resume transfers, or manage remote files. Use SCP for quick one-off copies; use SFTP for interactive file management and automation.
FTPS adds TLS encryption to the traditional FTP protocol. It requires SSL certificate management (consider pairing with SSL Certificates for your domain) and is more complex to configure through firewalls. SFTP is generally preferred for new deployments unless you have a specific requirement for FTPS compatibility.
Frequently Asked Questions
Is SFTP the same as FTPS?
No. SFTP (SSH File Transfer Protocol) is a completely separate protocol that runs over SSH. FTPS is FTP with TLS/SSL encryption layered on top. They are incompatible with each other.
Does SFTP require a separate port from SSH?
No. SFTP runs over the same SSH connection on port 22. No additional ports need to be opened.
Can I use SFTP with two-factor authentication?
Yes. Since SFTP uses SSH for authentication, any 2FA method supported by SSH (such as TOTP via Google Authenticator or Duo) can be applied to SFTP sessions as well.
Is SFTP suitable for transferring large files?
Yes. SFTP supports large file transfers and can resume interrupted transfers, making it reliable for large uploads and downloads.
Can I restrict an SFTP user to a specific directory?
Yes. The chroot jail configuration described in Step 2 of this guide confines the user to a designated directory, preventing access to the rest of the filesystem.
Conclusion
SFTP is the gold standard for secure file transfers in Linux server environments. By combining the simplicity of FTP-style file management with the robust cryptographic security of SSH, it eliminates the most significant vulnerabilities of plain-text protocols while remaining straightforward to configure and use.
The key takeaways from this guide:
- Install OpenSSH on your server — SFTP support is included automatically
- Create a dedicated SFTP user with a chroot jail for production environments
- Use SSH key authentication instead of passwords wherever possible
- Apply security hardening measures: change the default port, implement Fail2Ban, disable root login
- Automate recurring transfers with shell scripts and cron jobs
- Choose the right client — CLI for scripting and automation, FileZilla or WinSCP for interactive use
Whether you are managing a WordPress installation, deploying a web application, or automating server backups, SFTP provides the security, reliability, and flexibility your workflow demands. Pair it with a high-performance VPS Hosting environment featuring SSD storage, DDoS protection, and full root access, and you have a file transfer setup that is both fast and genuinely secure.
For teams with more complex infrastructure needs — including high-traffic applications or resource-intensive workloads — explore Dedicated Servers for maximum performance and isolation, or review the available VPS Control Panels to find the management interface that best fits your team's workflow.
