By Scott Miller Last Updated: April 15, 2026
Key Takeaways
- SFTP encrypts file transfers over SSH on port 22, replacing insecure FTP with encrypted authentication and data on a single port.
- Setup requires SSH access, key pair generation, and server permissions — straightforward for IT teams, complex for everyday business users.
- For organizations that need secure file sharing without SSH keys or SFTP servers, HTTPS-based alternatives like MyWorkDrive provide a simpler path with built-in compliance controls.
SFTP (SSH File Transfer Protocol) is the standard for securely transferring files over a network. Unlike legacy FTP, which sends credentials and data in plain text, SFTP encrypts everything through an SSH tunnel — making it the baseline for any organization handling sensitive files.
This tutorial covers how to use SFTP step by step — setup, commands, key authentication, batch automation, troubleshooting, and when a modern alternative is the better fit for your team.
Setting Up SFTP Access
SFTP runs over SSH, so you need SSH access to your server before anything else. Setup has three steps:
1. Generate an SSH key pair
On your local machine, generate a 4096-bit RSA key (or use Ed25519 for newer systems):
$ ssh-keygen -t rsa -b 4096 -C "admin@company.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Your identification has been saved in /home/admin/.ssh/id_rsa
Your public key has been saved in /home/admin/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:xK3j9Lq2mN...admin@company.com
This creates id_rsa (private — never share this) and id_rsa.pub (public — goes on the server). For Ed25519:
$ ssh-keygen -t ed25519 -C "admin@company.com"
2. Copy your public key to the server
$ ssh-copy-id admin@files.company.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/admin/.ssh/id_rsa.pub"
Number of key(s) added: 1
If ssh-copy-id isn't available (common on older Windows), manually append the key:
$ cat ~/.ssh/id_rsa.pub | ssh admin@files.company.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
3. Lock down permissions
Incorrect permissions are the single most common reason SFTP key authentication fails. SSH is strict about this:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/id_rsa
Test that key-based auth works before relying on it:
$ ssh admin@files.company.com
Welcome to Ubuntu 22.04.4 LTS
Last login: Mon Apr 14 09:12:33 2026
admin@files:~$
If that connects without a password prompt, your keys are working. You're ready for SFTP.
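The three setup steps end with the chmod calls that sshd and the ssh client enforce. The following is an added example, not part of the original tutorial: a POSIX shell audit of those permissions. The function names (mode_of, check, audit_ssh_perms) and the demo directory are hypothetical.

```shell
#!/bin/sh
# Added example: audit the permissions that steps 1-3 set with chmod.
# Function names here are hypothetical, not part of OpenSSH.

# mode_of PATH -> 10-character mode string, e.g. "drwx------"
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# check PATH RULE -> 0 if PATH satisfies RULE, else prints a finding, returns 1
#   nowrite: no group/other write bit (home directory)
#   private: no group/other bits at all (700 directories, 600 files)
check() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    m=$(mode_of "$1")
    case "$2:$m" in
        nowrite:?????w????|nowrite:????????w?)
            echo "FAIL $1 ($m) is group- or world-writable"; return 1 ;;
        private:????------) return 0 ;;
        private:*)
            echo "FAIL $1 ($m) is accessible beyond its owner"; return 1 ;;
    esac
    return 0
}

# audit_ssh_perms HOME_DIR -> prints findings, returns how many there were
audit_ssh_perms() {
    home=$1; bad=0
    check "$home" nowrite      || bad=$((bad + 1))
    check "$home/.ssh" private || bad=$((bad + 1))
    for f in "$home/.ssh/authorized_keys" "$home"/.ssh/id_*; do
        case "$f" in *.pub) continue ;; esac   # public keys need no protection
        [ -e "$f" ] || continue                # file lives on the other machine
        check "$f" private || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo tree: home 775, .ssh 755, authorized_keys 644, id_rsa 600
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"; : > "$demo/.ssh/id_rsa"
chmod 775 "$demo"; chmod 755 "$demo/.ssh"
chmod 644 "$demo/.ssh/authorized_keys"; chmod 600 "$demo/.ssh/id_rsa"
audit_ssh_perms "$demo" || echo "$? finding(s)"
rm -rf "$demo"
```

Run audit_ssh_perms "$HOME" on both the client and the server account; files that exist on only one side are skipped.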
Connecting to a Remote Server
Start an SFTP session:
$ sftp admin@files.company.com
Connected to files.company.com.
sftp>
For a non-standard SSH port:
$ sftp -P 2222 admin@files.company.com
To use a specific private key:
$ sftp -i ~/.ssh/deploy_key admin@files.company.com
Once you see the sftp> prompt, you're in an interactive session and can run commands against the remote server.
If you connect to the same servers regularly, save connection profiles in ~/.ssh/config to avoid retyping:
```
# ~/.ssh/config
Host files
    HostName files.company.com
    User admin
    Port 22
    IdentityFile ~/.ssh/id_rsa
```
Now connect with just:
$ sftp files
Connected to files.company.com.
sftp>
This also works with ssh, scp, and any tool that uses SSH under the hood.
Essential SFTP Commands
Once you know how to use SFTP connections, the next step is mastering the commands. Here's the complete reference (see the official OpenSSH sftp manual for additional options):
| Command | What It Does | Example |
| --- | --- | --- |
| ls | List remote files | ls -la /data/reports |
| cd | Change remote directory | cd /var/www/uploads |
| pwd | Print remote working directory | pwd |
| get | Download a file | get report.pdf |
| get -R | Download directory recursively | get -R /data/project |
| put | Upload a file | put document.docx |
| put -r | Upload directory recursively | put -r ./local-folder |
| reget | Resume interrupted download | reget large-backup.tar.gz |
| reput | Resume interrupted upload | reput large-backup.tar.gz |
| mkdir | Create remote directory | mkdir /data/new-folder |
| rm | Delete remote file | rm old-report.pdf |
| chmod | Change file permissions | chmod 644 report.pdf |
| df | Check remote disk space | df -h |
| exit | End the session | exit |
Use lcd, lls, and lpwd to navigate your local filesystem during an SFTP session. Here's a real transfer session showing navigation, download, and upload:
```
sftp> cd /data/projects
sftp> ls -la
drwxr-xr-x 5 admin staff 160 Apr 12 09:15 .
-rw-r--r-- 1 admin staff 2.4M Apr 12 09:14 Q1-report.pdf
-rw-r--r-- 1 admin staff 890K Apr 11 16:32 financials.xlsx
drwxr-xr-x 3 admin staff 96 Apr 10 11:08 contracts

sftp> lcd ~/Downloads
sftp> get Q1-report.pdf
Fetching /data/projects/Q1-report.pdf to Q1-report.pdf
/data/projects/Q1-report.pdf 100% 2457KB 12.8MB/s 00:00

sftp> put ~/Documents/updated-forecast.xlsx
Uploading updated-forecast.xlsx to /data/projects/updated-forecast.xlsx
updated-forecast.xlsx 100% 412KB 8.2MB/s 00:00
```
Automating SFTP with Batch Mode
Once you know how to use SFTP interactively, the next step is automation. For scheduled transfers, cron jobs, or CI/CD pipelines, use SFTP's batch mode instead of interactive sessions. Create a text file with the commands:
```
# batch-transfer.txt
cd /data/backups
lcd /var/backups/daily
put database-dump.sql.gz
put application-logs.tar.gz
exit
```
Execute it:
$ sftp -b batch-transfer.txt admin@files.company.com
sftp> cd /data/backups
sftp> lcd /var/backups/daily
sftp> put database-dump.sql.gz
sftp> put application-logs.tar.gz
sftp> exit
Schedule with cron for nightly automated backups:
```
# /etc/crontab — run at 2:00 AM daily
0 2 * * * admin /usr/bin/sftp -b /scripts/batch-transfer.txt admin@files.company.com >> /var/log/sftp-backup.log 2>&1
```
Batch mode requires key-based authentication — there's no way to enter a password interactively. If your batch job fails silently, this is almost always the reason. Set up SSH keys first.
For transfers that might be interrupted, start the session with the -a flag to enable automatic resume:
$ sftp -a -b batch-transfer.txt admin@files.company.com
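A cron line that only appends sftp output to a log gives no clear signal when a transfer fails. The following is an added example, not part of the original tutorial: a wrapper that records a timestamped OK or ERROR line and propagates the sftp exit status. It assumes the server's host key is already in the cron user's known_hosts; SFTP_BIN, stamp and run_batch are hypothetical names.

```shell
#!/bin/sh
# SFTP_BIN is a hypothetical override (not an sftp feature) so the wrapper can
# be exercised without a server; it defaults to the real client.
SFTP_BIN=${SFTP_BIN:-sftp}

stamp() { date '+%Y-%m-%dT%H:%M:%S'; }

# run_batch BATCHFILE USER@HOST LOGFILE -> returns the sftp exit status
run_batch() {
    batch=$1; target=$2; log=$3; rc=0
    if [ ! -r "$batch" ]; then
        echo "$(stamp) ERROR batch file $batch is not readable" >> "$log"
        return 2
    fi
    # -b  batch mode: aborts on the first failed command, exits non-zero
    # -a  resumes partial transfers instead of restarting them
    # StrictHostKeyChecking=yes  fails rather than trusting a new or
    #                            changed host key without a human present
    "$SFTP_BIN" -a -b "$batch" -o StrictHostKeyChecking=yes "$target" \
        >> "$log" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$(stamp) OK $batch -> $target" >> "$log"
    else
        echo "$(stamp) ERROR sftp exited $rc ($batch -> $target)" >> "$log"
    fi
    return "$rc"
}

# When saved as a script: <script> BATCHFILE USER@HOST LOGFILE
if [ "$#" -eq 3 ]; then
    run_batch "$@"
fi
```

Alerting can then match on the ERROR lines in the log file, or on the non-zero exit status when the wrapper is called from another job.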
SFTP Clients: Graphical Alternatives
Not everyone works in a terminal. These clients provide a drag-and-drop interface over SFTP:
- FileZilla — Cross-platform, open source. The most widely used SFTP client. Site manager saves connection profiles.
- WinSCP — Windows. Directory comparison, server-side editing, and a built-in scripting engine for automation.
- Cyberduck — macOS and Windows. Also integrates with cloud storage providers alongside SFTP.
- Transmit — macOS. Fast transfers with batch renaming and bandwidth throttling.
All of these still require SSH credentials and a configured SFTP server. They simplify the interface, not the underlying infrastructure.
Want file access without the SFTP overhead? MyWorkDrive provides browser-based access to your existing file shares — no client install, no SSH keys, no server to maintain.
Security Best Practices
- Use key-based authentication over passwords. SSH keys eliminate brute-force risk entirely.
- Disable password auth once keys work. In /etc/ssh/sshd_config set PasswordAuthentication no, then systemctl restart sshd.
- Use strong key algorithms. Ed25519 preferred. RSA 4096-bit minimum. Avoid DSA and RSA below 2048 bits.
- Chroot SFTP users to their home directories. This is critical for shared servers:
```
# /etc/ssh/sshd_config
Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
```
- Monitor SSH logs for failed login attempts:
$ grep "Failed password" /var/log/auth.log | tail -5
Apr 14 03:22:11 files sshd[4821]: Failed password for admin from 203.0.113.42 port 52341 ssh2
Apr 14 03:22:14 files sshd[4821]: Failed password for admin from 203.0.113.42 port 52341 ssh2
- Keep OpenSSH updated. Patch promptly — SSH vulnerabilities directly expose your SFTP service.
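The grep above shows the most recent failures but not who is responsible for them. The following is an added example, not part of the original tutorial: it counts failed password attempts per source address over a constructed sample log. The function names and the threshold are hypothetical.

```shell
#!/bin/sh
# failed_by_source MIN < auth.log
# Prints "COUNT SOURCE_IP" for every source with at least MIN failed password
# attempts, busiest first.
failed_by_source() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client and may itself be "from",
            # so read the address by position from the end of the line:
            #   ... from <ip> port <n> ssh2
            if ($(NF-4) == "from" && $(NF-2) == "port") n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample log (documentation addresses, not real traffic)
sample_log() {
cat <<'EOF'
Apr 14 03:22:11 files sshd[4821]: Failed password for admin from 203.0.113.42 port 52341 ssh2
Apr 14 03:22:14 files sshd[4821]: Failed password for admin from 203.0.113.42 port 52341 ssh2
Apr 14 03:22:19 files sshd[4825]: Failed password for invalid user backup from 203.0.113.42 port 52388 ssh2
Apr 14 03:25:02 files sshd[4830]: Failed password for invalid user from from 198.51.100.7 port 40112 ssh2
Apr 14 03:25:09 files sshd[4830]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Apr 14 03:25:40 files sshd[4833]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

# Sources with three or more failures in the sample
sample_log | failed_by_source 3
```

On a live server, feed it the real file instead: failed_by_source 10 < /var/log/auth.log.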
Troubleshooting Common SFTP Issues
Permission denied on connection:
$ sftp admin@files.company.com
admin@files.company.com: Permission denied (publickey,password).
Check that ~/.ssh/authorized_keys contains your public key with 600 permissions. The .ssh directory needs 700. The home directory must not be group- or world-writable (this catches most people).
Connection refused on port 22:
$ sftp admin@files.company.com
ssh: connect to host files.company.com port 22: Connection refused
Verify SSH is running (systemctl status sshd), the firewall allows port 22 (ufw status), and the host is reachable (ping files.company.com).
Host key verification failed:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
The server's SSH key changed — possibly a reinstall, possibly a man-in-the-middle attack. Verify with your server admin first, then remove the old key:
$ ssh-keygen -R files.company.com
Transfer stalls on large files:
Run SFTP inside screen or tmux to prevent session drops. Use reget/reput to resume. Enable compression for slow links:
$ sftp -C admin@files.company.com
Debug any connection issue with verbose mode:
$ sftp -v admin@files.company.com
debug1: Connecting to files.company.com [192.168.1.100] port 22.
debug1: Connection established.
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/admin/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
The -v output shows exactly where the handshake fails — key not found, key rejected, wrong username, wrong port. Read it line by line.
When SFTP Isn't the Right Fit
SFTP is built for server-to-server and IT-to-server transfers. It works well for automated scripts, developer workflows, and sysadmin file management. But for everyday business file sharing — where marketing needs project files, finance shares reports, or remote employees access department folders — SFTP creates real friction:
- Every user needs SSH credentials managed per server. Onboarding and offboarding is manual.
- No web browser access. Users must install client software or use a terminal.
- No built-in audit trail at the file level. You configure server-side logging separately, and it's not granular.
- No DLP or access controls beyond filesystem permissions. No download blocking, watermarks, or clipboard restrictions.
- No SSO or MFA integration. SSH key management is entirely separate from your identity provider.
- No compliance reporting. SFTP provides nothing for HIPAA, CMMC, GDPR, or FINRA out of the box.
For organizations with a non-technical workforce that needs file access, these gaps are deal-breakers.
MyWorkDrive: A Modern Alternative for Business File Sharing
MyWorkDrive provides secure HTTPS-based access to your existing file shares — without SSH keys, command-line tools, or SFTP server maintenance.
| | SFTP | MyWorkDrive |
| --- | --- | --- |
| User Access | Terminal or client app | Browser, mapped drive, or mobile app |
| Authentication | SSH keys or passwords | SSO (Entra ID, SAML, ADFS) + MFA |
| Encryption | SSH on port 22 | TLS 1.2+ on port 443, FIPS validated |
| Audit Logging | Server-side SSH logs only | Complete file-level logging + SIEM export |
| DLP Controls | None | Download blocking, watermarks, clipboard control |
| Compliance | Manual configuration | HIPAA, CMMC, GDPR, FIPS, FINRA built in |
| Office Editing | Not supported | Browser-based Office Online editing |
| Setup | SSH config, keys, chroot jails | 15-min install, inherits AD/NTFS permissions |
MyWorkDrive connects to your existing Windows file servers, Azure File Shares, SharePoint, and other storage sources over HTTPS. No data migration, no SSH key distribution, no training users on terminal commands.
For IT teams maintaining SFTP servers specifically to give non-technical staff access to file shares, MyWorkDrive eliminates that overhead entirely.
SFTP still right for your workflow? Keep it — it's a solid protocol for technical transfers. But if you're running an SFTP server so business users can access shared files, there's a simpler path. Start a free trial or book a demo.
Frequently Asked Questions

What is the difference between SFTP and FTP?
FTP sends files and credentials in plain text, making it vulnerable to interception. SFTP encrypts everything — files and authentication — over SSH on port 22. FTP also requires separate ports for data and commands, complicating firewall rules. For business file transfers, SFTP is the minimum standard — though HTTPS-based solutions offer additional enterprise controls that neither protocol provides.
What port does SFTP use?
Port 22 by default, the same as SSH. Only one port needs to be open, unlike FTP which requires port 21 plus additional dynamic data ports.
How do I resume a failed SFTP transfer?
Use reget to resume downloads and reput to resume uploads. SFTP picks up where the transfer was interrupted. For batch jobs, start your session with sftp -a to enable automatic resume for all transfers.
Is SFTP secure enough for business file transfers?
SFTP encrypts data in transit and supports key-based authentication — it's secure for point-to-point transfers. But it lacks built-in audit logging, DLP controls, SSO integration, and compliance reporting. For regulated industries, MyWorkDrive provides HTTPS-based access with SSO, MFA, DLP, and full audit trails without SSH key management.
Can I automate SFTP file transfers?
Yes. Create a batch file with your commands and run sftp -b batchfile.txt user@host. Combine with cron for scheduled jobs. Key-based authentication is required since batch mode can't handle interactive password prompts.
What is a good alternative to SFTP for business use?
MyWorkDrive provides secure HTTPS-based file access to existing Windows file servers, Azure Files, and SharePoint — without SSH keys, command-line tools, or SFTP server maintenance. It includes SSO and MFA, DLP, audit logging, and compliance support for HIPAA, CMMC, and GDPR.
Get Started
SFTP is a solid protocol for technical file transfers. But if you're maintaining SFTP infrastructure so business users can access shared files, MyWorkDrive is a faster, simpler, more secure path.