Guide

SFTP for DigitalOcean Spaces: a complete setup guide

How to expose a DigitalOcean Spaces bucket over SFTP, why it suits teams already on DigitalOcean, how to create Spaces access keys, and how to connect a managed gateway.

DigitalOcean Spaces is S3-compatible object storage with a built-in CDN, priced simply and aimed at teams already running on DigitalOcean. If your app, droplets, and databases live there, keeping file exchange in the same account is convenient. Spaces doesn’t provide SFTP directly, so you put a gateway in front of it to give partners a normal SFTP login.

Here’s the setup.

Why Spaces specifically

  • Same account as the rest of your stack. If you’re already on DigitalOcean, your SFTP drop-zone sits next to your droplets and managed databases, one bill, one console.
  • S3-compatible with a bundled CDN. Standard access keys and a regional endpoint, plus a CDN edge if you also serve the files publicly.

Step 1: create a Space

In the DigitalOcean console: Spaces Object Storage → Create a Spaces Bucket. Pick a datacenter region (it sets your endpoint) and keep it private (restrict file listing).

Step 2: create a Spaces access key

Spaces keys are separate from your DigitalOcean API token:

  1. API → Spaces Keys → Generate New Key.
  2. Save the Access Key and Secret, the secret is shown once.

Your endpoint is regional:

https://<region>.digitaloceanspaces.com      e.g. https://nyc3.digitaloceanspaces.com

Step 3: connect Spaces to a managed gateway

With Firepipe, add Spaces as an S3-compatible backend:

  1. Choose S3-compatible when adding a connection.
  2. Enter the Spaces regional endpoint, Access Key, and Secret. The key is stored encrypted and scoped to your Space, rotate or revoke it at will.
  3. Create per-user SFTP credentials, each path-jailed to its own prefix.

Partners connect over SFTP and their files stream into your Space. Nothing is custodied on the gateway, and the data stays in your DigitalOcean account.

Step 4: per-user access and audit

One credential per partner (SSH key or password), each jailed to its own path, with a full exportable audit trail. Revoking a credential ends any live session, and you can pin a credential to specific source IPs.

A note on the bundled CDN

Spaces includes a CDN. That’s handy if you also serve the uploaded files publicly, but be deliberate: an SFTP drop-zone is usually meant to be private. Keep the Space’s file-listing restricted and only expose via the CDN the specific paths you intend to publish. Your Spaces usage is billed by DigitalOcean directly; the gateway meters only throughput, with no per-operation fees.

Summary

Spaces + SFTP is the natural choice when you’re already on DigitalOcean and want file exchange in the same account. Create a private Space, generate a Spaces key, and point a managed gateway at the regional endpoint, files land in your Space, with per-user, revocable access.

Try it on your own bucket

Connect a bucket you already own, Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store, and hand out a clean SFTP endpoint in minutes. Your files stay in your cloud.

Start free

← All guides