What Is SFTP?

October 17, 2025

SFTP — Secure File Transfer Protocol — is the standard way two systems exchange files over an encrypted SSH connection. SSH is the same secure-login protocol admins use to reach a server's command line; SFTP rides on top of it, so the file transfer is wrapped in the same encryption. The result is that the file, the username and password, and every command travel scrambled across the network instead of in the clear.

SFTP is the most common way businesses hand files to each other. Banks send settlement files over SFTP. Healthcare clearinghouses exchange insurance claims over SFTP. Payroll providers deliver pay data to vendors over SFTP. Almost any time one company tells another "drop the file here," the "here" is an SFTP server.

What has changed about SFTP is not the protocol. It is the machine running it. Most SFTP today runs on a server somebody set up years ago, where patching the software, rotating the keys, adding storage, and saving the logs are all separate manual chores. The protocol is the same one it has always been; the question is who keeps the lights on.

How SFTP Works

SFTP uses a client-server model. The server is the computer that holds the files and waits for connections. The client is the program you run to reach it — a desktop app, a command-line tool, or a script. You point the client at the server's address, log in, and move files.

Here is the order of events when you connect:

  1. The client opens a connection to the server on port 22 (the same port SSH uses).
  2. The two sides set up an encrypted channel, so everything after this point is scrambled.
  3. You log in — with a password, or with an SSH key (a pair of files that proves who you are without a password).
  4. Once you are in, you upload, download, rename, delete, and list files using SFTP commands.

A port is just a numbered door on a server; port 22 is the door SFTP knocks on. Because the encrypted channel is set up before you even log in, your password never crosses the network in readable form, which is the whole point of SFTP over plain FTP.

SFTP vs FTP: What's the Difference

FTP, the original File Transfer Protocol, does the same job — move files between two computers — but it sends everything in plain text. Anyone who can watch the network sees the files and the login credentials in the clear. That was fine in 1971, when FTP was defined and the network was a trusted research lab. It is not fine on today's internet.

SFTP fixes that one problem: it wraps the whole session in SSH encryption. Same basic actions, same client-server shape, but nothing readable crosses the wire. There is a third option, FTPS, which is FTP with a layer of TLS encryption bolted on; it works, but it uses more network ports and is harder to get through firewalls, so most teams reach for SFTP. If you want the full breakdown, the guide to SFTP and the secure file transfer landscape walks through each option.

The short version: if you are moving anything you would not want a stranger to read, use SFTP, not FTP.

Why Legacy SFTP Servers Become a Burden

A single SFTP server works fine on day one. The trouble shows up over the months and years after.

  • Patching never stops. SFTP software has security flaws found and fixed on a regular schedule. Each fix means someone has to update the server, often during a maintenance window. Miss one and the box is exposed.
  • Keys and users pile up. Every partner needs an account and a key. Adding, removing, and rotating those by hand is slow and easy to get wrong, and a forgotten key is a way in for someone who should be locked out.
  • Scaling means buying more boxes. When traffic spikes or new partners come online, a single server runs out of room. Adding capacity means provisioning and configuring another machine.
  • The logs are scattered. A bare SFTP server keeps thin records, often on the box itself. When an auditor asks "who downloaded this file and when," piecing the answer together is a scramble.
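A forgotten or shared key is easier to find with a script than by eye. The following added example (not from the original article or from Files.com's code) audits `authorized_keys` text for DSA keys, short RSA keys, entries with no owner comment, and the same key installed for more than one account; the 2048-bit floor, the `entry` helper, the sample keys and the account names are assumptions constructed for illustration.

```python
import base64, hashlib, shlex, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # key-type tokens start with one of these
MIN_RSA_BITS = 2048  # assumed policy floor, adjust to your own standard

def fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def audit(user, text, seen):
    """Return (fingerprint, issue) pairs; `seen` maps fingerprint -> first user."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            tok = shlex.split(line)  # leading options may contain quoted spaces
            i = next(k for k, t in enumerate(tok) if t.startswith(KEY_PREFIXES))
            blob = base64.b64decode(tok[i + 1], validate=True)
        except (ValueError, StopIteration, IndexError):
            findings.append((None, "unparseable line"))
            continue
        # Same fingerprint form that `ssh-keygen -l` prints.
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        if tok[i] == "ssh-dss":
            findings.append((fp, "DSA key"))
        if tok[i] == "ssh-rsa":  # blob fields: type, exponent, modulus
            parts = fields(blob)
            bits = int.from_bytes(parts[2], "big").bit_length() if len(parts) > 2 else 0
            if bits < MIN_RSA_BITS:
                findings.append((fp, f"RSA modulus is only {bits} bits"))
        if len(tok) == i + 2:
            findings.append((fp, "no comment, owner unknown"))
        if seen.setdefault(fp, user) != user:
            findings.append((fp, f"same key also installed for {seen[fp]}"))
    return findings

def entry(ktype, *parts, comment=""):
    """Build a constructed authorized_keys entry from raw key fields."""
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (ktype.encode(), *parts))
    return f"{ktype} {base64.b64encode(raw).decode()} {comment}".strip()

# Constructed sample keys, not real credentials.
WEAK_RSA = entry("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(127), comment="acme-2016")
ED = entry("ssh-ed25519", bytes(range(32)))
SAMPLE_A, SAMPLE_B = WEAK_RSA + "\n" + ED, "restrict " + ED + " ops@partner-b"
```

Pass one shared `seen` dictionary across every account's file so duplicate keys are caught between accounts as well as within one.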

None of these is a flaw in the SFTP protocol. They are the cost of running the server yourself.
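The auditor's question from the list above can be answered on a self-hosted server by tying each file close back to the session that opened it. This added example (not from the original article) assumes syslog lines in the style OpenSSH's sftp-server writes at INFO level; the host name, accounts, addresses and paths in the sample log are constructed.

```python
import re

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \S+\[(\d+)\]: (.*)$")
OPENED = re.compile(r"session opened for local user (\S+) from \[([^\]]+)\]")
CLOSED = re.compile(r'close "(.*)" bytes read (\d+) written (\d+)')

def transfers(lines):
    """Yield (time, user, ip, action, path, bytes) for each file that was closed."""
    sessions = {}  # pid -> (user, ip); PIDs are reused, so drop on session close
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        if (s := OPENED.match(msg)):
            sessions[pid] = s.groups()
        elif msg.startswith("session closed"):
            sessions.pop(pid, None)
        elif (c := CLOSED.match(msg)):
            # No session on record means the login line is missing from this log.
            user, ip = sessions.get(pid, ("unknown", "unknown"))
            path, read, written = c[1], int(c[2]), int(c[3])
            if read:
                yield (ts, user, ip, "download", path, read)
            if written:
                yield (ts, user, ip, "upload", path, written)

def who_downloaded(lines, path):
    """Answer 'who downloaded this file and when' for one path."""
    return [(ts, user, ip) for ts, user, ip, act, p, _ in transfers(lines)
            if act == "download" and p == path]

# Constructed sample log: two interleaved sessions plus one orphaned close.
SAMPLE_LOG = """\
Oct 17 09:14:02 sftp01 internal-sftp[4121]: session opened for local user partner_a from [198.51.100.7]
Oct 17 09:14:03 sftp01 internal-sftp[4130]: session opened for local user partner_b from [203.0.113.9]
Oct 17 09:14:05 sftp01 internal-sftp[4121]: open "/outbound/settlement.csv" flags READ mode 0666
Oct 17 09:14:06 sftp01 internal-sftp[4130]: close "/inbound/claims.zip" bytes read 0 written 88211
Oct 17 09:14:07 sftp01 internal-sftp[4121]: close "/outbound/settlement.csv" bytes read 52310 written 0
Oct 17 09:14:08 sftp01 internal-sftp[4121]: session closed for local user partner_a from [198.51.100.7]
Oct 17 09:20:00 sftp01 internal-sftp[3990]: close "/outbound/settlement.csv" bytes read 52310 written 0
""".splitlines()
```

An `unknown` user in the result means the session-open line fell outside the log being searched, which is the scattered-logs problem in practice.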

Running SFTP on a Modern Platform

Most teams that outgrow the patch-it-yourself SFTP box have moved to a single platform that runs the server for them. Files.com is the cloud-native File Orchestration Platform: one platform that replaces the stack of legacy tools IT teams run to move files — SFTP and FTP servers, MFT suites, file-sharing apps, and the custom scripts holding them together. It speaks every protocol, connects 50+ cloud and on-prem systems, automates every transfer, and keeps a complete audit log of who touched what.

For SFTP specifically, that means a managed SFTP endpoint your partners connect to exactly as they always have — same clients, same logins, same scripts — with none of the server to run or patch. The SFTP stack is built in-house, not a fork of OpenSSH, so there is nothing to scramble to update when a new CVE lands. The endpoint can sit in front of storage you already own, like an S3, Azure, or Google Cloud bucket, and reach systems inside your own network through the Files.com Agent and remote servers. Every transfer is logged automatically for SOC 2 and HIPAA, and a file arriving over SFTP can trigger an automated workflow on its own.

To see how managed SFTP works in practice, explore Files.com's FTP and SFTP support, or start a free trial — no credit card, live in minutes.
