Secure File Transfer Protocol (SFTP): History, Uses, and Key Insights
February 3, 2025
SFTP — Secure File Transfer Protocol — moves files between two computers over an encrypted connection, so the file and your password are scrambled the whole way across the network. The name confuses people. "Secure FTP" sounds like a safer version of plain FTP, but the two protocols barely share anything. SFTP rides inside SSH, the same encrypted channel admins use to log into remote servers. Plain FTP, by contrast, sends everything in the clear. Think of SFTP as a sealed armored truck and plain FTP as a postcard anyone along the route can read.
This guide walks through what SFTP is, how it works step by step, how it stacks up against FTP and FTPS, where teams actually use it, and the problems that come up in production. If you want the FTP side of the story first, start with what FTP is and how it works; for a shorter plain-language take on the secure version, see what SFTP is.
What Is SFTP?
SFTP is a way to send files over an encrypted SSH connection. SSH (Secure Shell) is the protocol admins already use to log into servers safely; SFTP is a part of it built specifically for moving files. Because everything travels inside that encrypted tunnel, the file contents and the login credentials are protected from anyone watching the network.
A few things make SFTP the default choice for secure transfers:
Everything is encrypted. The file and your password both travel scrambled, so a snooper on the network sees gibberish.
Flexible logins. You can authenticate with a password, with an SSH key (a long cryptographic credential that is much harder to guess than a password), or with both for extra safety.
Tamper checks. SFTP verifies that the file that arrives is exactly the file that was sent, so silent corruption gets caught.
One port. SFTP runs over a single network port (port 22), which keeps firewall rules simple. A network port is just a numbered door on a machine that a given service listens behind.
A Brief History of SFTP
Secure file transfer grew out of a problem that plain FTP could not solve.
1971 — FTP arrives. The original File Transfer Protocol was built to move files over ARPANET, the early internet. It had no encryption because almost nobody was eavesdropping yet.
1990s — the gaps show. As networks opened up and attackers got serious, FTP sending passwords in plain text became a real liability.
1995 — SSH is introduced. Secure Shell gave admins an encrypted way to connect to remote machines.
Late 1990s — SFTP is built. Engineers added a file-transfer subsystem to SSH, giving the world an encrypted alternative to FTP that reused SSH's security.
Today — the standard. SFTP is the protocol security-conscious organizations reach for when files have to move and an auditor is going to ask how.
How SFTP Works
SFTP runs every transfer inside an encrypted SSH session. Here is the sequence, plainly:
Connect. Your SFTP client opens an SSH session to the server on port 22.
Authenticate. The server checks who you are using a password, an SSH key, or both.
Transfer. Once you are verified, files move through the encrypted tunnel — upload, download, rename, delete.
Verify. SFTP checks the file's integrity so you know what landed matches what was sent.
That is the whole loop. The encryption is the part you do not see, and it is the part that matters.
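The four steps above as a script, added here as an example rather than taken from the original article: it checks the key file's mode, opens a non-interactive session on port 22 with host-key checking, downloads a file, and compares it with a published SHA-256 digest. The host, account, paths, function names and the ".sha256" sidecar convention are assumptions, and it expects GNU coreutils and the OpenSSH sftp client.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU coreutils (stat -c, sha256sum) and OpenSSH sftp.
# Host, account, paths and the ".sha256" sidecar convention are assumptions.

# Authenticate: the private key must have no group/other access bits (600 or 400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # 2 = key file missing
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Verify: compare the local file with a sha256sum-style sidecar ("<hex>  <name>").
digest_ok() {
    want=$(awk 'NR == 1 { print $1 }' "$2" 2>/dev/null)
    have=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Connect + transfer: non-interactive session on port 22 with a pinned host key.
# usage: fetch_verified user@host remote_path local_dir key_file
fetch_verified() {
    key_mode_ok "$4" || { echo "refusing key $4: mode must be 600" >&2; return 1; }
    name=$(basename "$2")
    # BatchMode=yes: never fall back to a password prompt inside a script.
    # StrictHostKeyChecking=yes: fail if the server key is not already in known_hosts.
    sftp -P 22 -i "$4" -o BatchMode=yes -o StrictHostKeyChecking=yes -b - "$1" <<EOF || return 1
get "$2" "$3/$name"
get "$2.sha256" "$3/$name.sha256"
EOF
    digest_ok "$3/$name" "$3/$name.sha256" || { echo "digest mismatch: $name" >&2; return 1; }
}
```

The digest comparison runs after the session closes, so it also catches a download that was cut short or a file replaced on the server after the sender published the digest.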
SFTP vs. FTP and FTPS
The three protocols sound alike and behave very differently. Plain FTP sends files and passwords with no encryption at all, which is why most teams have moved off it for anything sensitive. FTPS bolts TLS encryption onto FTP, which works but opens several extra network ports and makes firewall rules fiddly. SFTP does the job through one port over SSH, encrypts the commands and the data together, and lets you log in with a key instead of a guessable password. For most teams, SFTP is the simplest of the three to lock down and the easiest to get through a firewall.
Where SFTP Gets Used
SFTP shows up anywhere files have to move and someone cares whether they leak.
In enterprise IT, teams use it to back up data to remote servers and to automate routine transfers — nightly log shipping, scheduled report drops, system-to-system handoffs that run on a script instead of a person.
In healthcare, SFTP carries patient records between providers and systems under HIPAA, the US law that governs how health data is handled. The encryption is what keeps those transfers compliant.
In finance and banking, banks exchange reports and transaction data over SFTP, which helps them meet rules like PCI DSS, the security standard for handling payment-card data.
In software development, teams use SFTP inside deployment pipelines to ship code and build artifacts between environments without exposing them along the way.
Common Problems and How to Fix Them
SFTP is dependable, but a few issues come up often enough to know by heart.
Logins fail. If you are using an SSH key, the key file usually needs tight permissions — 600, meaning only its owner can read or write it — or the server rejects it. Also confirm the server actually allows the method you are using, password or key.
Connections time out. This is almost always a firewall blocking port 22. Open the port, then check whether the network itself is slow or the server is overloaded.
Big files crawl. Compressing a file before sending it (with tar or gzip) cuts the bytes on the wire. Running several transfers in parallel also helps when you have many files to move.
You need to see what went wrong. The sftp -v flag (or -vvv for more detail) prints what the client is doing. On the server, the SSH logs — /var/log/auth.log on Linux, Event Viewer on Windows — show why a connection was refused.
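An added example, not part of the original article, of reading those server logs: it sorts sshd lines by the reason a login was refused and counts failed logins per source address. The log lines are constructed samples in OpenSSH's message format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed: host, users and addresses are made up,
# and the message texts follow OpenSSH sshd wording as written to auth.log.
SAMPLE_LOG='May  4 02:10:01 files01 sshd[4121]: Authentication refused: bad ownership or modes for file /home/etl/.ssh/authorized_keys
May  4 02:10:07 files01 sshd[4130]: Failed password for etl from 198.51.100.23 port 50112 ssh2
May  4 02:10:09 files01 sshd[4133]: Failed password for invalid user admin from 198.51.100.23 port 50120 ssh2
May  4 02:10:12 files01 sshd[4136]: Failed password for invalid user test from 198.51.100.23 port 50126 ssh2
May  4 02:11:30 files01 sshd[4150]: User backup from 203.0.113.77 not allowed because not listed in AllowUsers
May  4 02:12:02 files01 sshd[4161]: Accepted publickey for etl from 203.0.113.40 port 50311 ssh2: ED25519 SHA256:CONSTRUCTED
May  4 02:15:01 files01 CRON[4200]: pam_unix(cron:session): session opened for user root'

# Map one sshd log line to the reason a login was refused.
classify_line() {
    case "$1" in
        *"bad ownership or modes"*)           echo "key-file-permissions" ;;
        *"Failed password for invalid user"*) echo "unknown-user" ;;
        *"Failed password for"*)              echo "wrong-password" ;;
        *"Failed publickey for"*)             echo "key-not-accepted" ;;
        *"not allowed because"*)              echo "denied-by-sshd_config" ;;
        *"Accepted "*)                        echo "login-ok" ;;
        *)                                    echo "other" ;;
    esac
}

# Read a log on stdin, print "<count> <reason>" for sshd lines, most frequent first.
triage() {
    while IFS= read -r line; do
        case "$line" in
            *" sshd["*) classify_line "$line" ;;
        esac
    done | sort | uniq -c | sort -k1,1nr -k2
}

# Source addresses behind failed logins, as "<count> <address>".
failed_sources() {
    awk '/sshd\[/ && /Failed (password|publickey) for/ {
             for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2
}
```

On a live server, feed it the real file, for example `triage < /var/log/auth.log`; a burst of unknown-user failures from one address points to password guessing rather than a misconfigured client.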
SFTP and the Alternatives
SFTP is not the only way to move files securely, and it is worth knowing what sits next to it:
MFT (managed file transfer). A platform that runs secure transfers for you and adds logging, automation, and central control on top of the raw protocol.
AS2. A protocol for secure business-to-business exchange, common in retail and healthcare for sending documents like invoices and shipping notices.
Cloud object storage (Amazon S3, Azure Blob). Encrypted storage in the cloud that some teams use directly instead of running an SFTP server.
Even with those options, SFTP stays the common denominator. Nearly every integration team, data-pipeline tool, and partner specification can fall back to it, which is why SFTP traffic keeps growing even as the protocols around it multiply.
Running SFTP on a Modern Platform
Most teams that outgrow a hand-run SFTP server have moved to a single platform that handles the protocol, the storage, and the audit trail in one place. The hard part of SFTP was never the transfer; it was keeping the server patched, the logins controlled, and a record of every file for the next audit.
Files.com is the cloud-native File Orchestration Platform built for that job. It runs its own SFTP stack — not a fork of OpenSSH you have to patch every time a vulnerability lands — and puts it in front of storage you already own, whether that is Amazon S3, Azure, Google Cloud, or a server in your own building reached through the Files.com Agent. Your partners connect over SFTP exactly as they do today, but there is no box for you to run, every transfer is logged for SOC 2 Type II and HIPAA, and a file arriving over SFTP can trigger an automated workflow on its own. If you specifically need a self-hosted, on-premises appliance instead, ExaVault is built for that.