SFTP vs FTP: what's the difference and which should you use?
SFTP and FTP sound related but are different protocols with very different security. Here's how they compare on encryption, ports, and reliability, and why SFTP is the modern default.
“SFTP” and “FTP” look like the same thing with one extra letter. They aren’t. They’re different protocols from different lineages, and the gap between them is mostly about security. If you’re choosing between them today, the answer is almost always SFTP, and here’s why.
The one-line version
- FTP (File Transfer Protocol, RFC 959) is the original 1980s protocol. It sends data, and your password, in cleartext, over two separate connections.
- SFTP (SSH File Transfer Protocol) is a subsystem of SSH. Everything is encrypted and runs over a single connection.
They share three letters and very little else. SFTP is not “FTP with security bolted on”; that’s FTPS, a different thing again (see SFTP vs FTPS).
How they compare
| | FTP | SFTP |
|---|---|---|
| Encryption | None (cleartext) | Full (over SSH) |
| Password exposure | Sent in the clear | Encrypted |
| Connections | Control + separate data channel | Single connection |
| Ports | 21 + a data-port range | One (usually 22) |
| Authentication | Username / password | SSH keys or password |
| Firewall-friendly | Awkward (passive port range) | Simple (one port) |
| Status reporting | Numeric reply codes | SSH_FX_* status codes |
Why FTP is a problem
Plain FTP transmits your credentials and file contents as readable text on the wire. Anyone able to observe the network (a compromised router, shared Wi-Fi, an ISP tap) can capture the password and the data with an ordinary packet capture. No setting fixes this; it’s how the protocol works. The detail is in why plain FTP is insecure.
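As an added example (not part of the original guide), the Python below audits a captured FTP control channel the way a defender reviewing a packet capture would: it reports whether USER/PASS crossed the wire before any AUTH TLS upgrade, and decodes the 227 passive-mode reply into the extra data port a firewall has to allow. The session transcripts, host name and function name are constructed for illustration.

```python
import re

# Constructed sample sessions ("C:" client line, "S:" server reply). The second
# upgrades with AUTH TLS (RFC 4217) before logging in.
PLAIN_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS example-password",
    "S: 230 Logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: RETR report.csv",
]
FTPS_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",  # everything after this is inside TLS
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def audit_control_channel(lines):
    """Report what a passive observer of the control channel can read."""
    findings = {"cleartext_user": None, "password_exposed": False,
                "data_endpoints": [], "files": [], "tls_upgraded": False}
    pending_auth = False
    for line in lines:
        side, _, text = line.partition(": ")
        verb, _, arg = text.partition(" ")
        if side == "C":
            verb = verb.upper()
            pending_auth = verb == "AUTH" and arg.upper() in ("TLS", "SSL")
            if verb == "USER":
                findings["cleartext_user"] = arg
            elif verb == "PASS":
                findings["password_exposed"] = True  # value deliberately not kept
            elif verb in ("RETR", "STOR"):
                findings["files"].append(arg)
        elif side == "S":
            if pending_auth and verb == "234":
                findings["tls_upgraded"] = True
                break  # remaining traffic is encrypted and not parseable
            m = PASV_RE.match(text)
            if m:  # RFC 959: data port = p1 * 256 + p2
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                findings["data_endpoints"].append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return findings
```

A session flagged with `password_exposed` and no `tls_upgraded` is a candidate for migration to SFTP, or to FTPS where the partner cannot move.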
Why SFTP is the modern default
SFTP runs inside an SSH session, so credentials and data are encrypted by default. It also uses a single connection on one port, which is far easier to run through firewalls and behind load balancers than FTP’s two-channel design. You can authenticate with SSH keys (stronger than passwords, see SSH keys vs password authentication), and it supports directory listings, resumable transfers, and remote file operations.
Which should you use?
Use SFTP. For any new integration, file drop-zone, or partner connection, SFTP is the right default: secure, firewall-friendly, and widely supported. The only reason to touch FTP at all is a legacy partner who can’t do anything else, and even then it should be FTPS (FTP over TLS), never bare FTP.
If your files are headed for cloud object storage, a managed gateway gives you an SFTP front door onto a bucket you own without running a server. See SFTP to S3 or the full guides.
Try it on your own bucket
Connect a bucket you already own, Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store, and hand out a clean SFTP endpoint in minutes. Your files stay in your cloud.