SFTP and SSH are both secure protocols, but they serve different purposes. SSH is used for secure remote access, while SFTP is used for secure file transfers, and it runs over SSH. This guide explains how they differ, how they work together, and which one to use.
When connecting to a remote computer or transferring files between computers on a network, security is a priority. Usernames, passwords, commands, and file data need to be encrypted in transit so they can't be intercepted, read or altered on the way.
That’s where SSH and SFTP come in. They’re closely related and work toogether, but they’re not interchangeable.
What is SSH? What is SSH used for?
SSH, or Secure Shell, is a network protocol introduced in 1995 to enable secure remote access over unsecured networks. It was designed to replace older, unencrypted protocols like Telnet, which exposed usernames, passwords, and session data to potential interception.
SSH works by establishing an encrypted tunnel between a client and a remote server. Within this tunnel, users can log in, execute commands, and manage files with complete confidentiality and integrity.
The most common use case for SSH is secure remote login, providing command-line access to a server as if you were sitting at its terminal. System administrators, developers, and IT teams rely on SSH for tasks like:
- Managing remote Linux or Unix servers
- Deploying code and running scripts
- Viewing logs and monitoring services
- Transferring files securely using SFTP or SCP
- Tunneling traffic for secure connections between applications
SSH also supports key-based authentication, port forwarding, and session multiplexing, making it far more versatile than simple remote access tools. In some cases, it can even be used creatively (for example, streaming audio input between machines) though its core role remains secure command execution and system administration.
When comparing SSH vs SFTP, it's important to understand that SSH is the encryption protocol that enables SFTP to function. SFTP runs inside SSH, which negotiates key exchange, ciphers, and integrity protection, then encrypts the full session: authentication, commands, directory listings, and file data.
What is SFTP? How does SFTP use SSH?
SFTP stands for SSH File Transfer Protocol, often mistakenly called Secure File Transfer Protocol. The name points to its foundation on the SSH protocol, which SFTP depends on for authentication, encryption, and secure session management.
Introduced in the late 1990s, SFTP was quickly asopted as a secure replacement for the FTP protocol, but it isn't a secure version of FTP as is the common assumption. It's its own protocol.
Once SSH establishes the encrypted connection, SFTP uses that same protected channel to transfer files and to perform file operations on the server without exposing data to the network. Because SFTP is layered over SSH, it protects not only the file contents but also the authentication credentials, commands, and metadata involved in the transfer.
Key features of SFTP include:
- Encrypted file transfers over any network, including public or untrusted ones
- Uploading and downloading files securely
- Listing directories and navigating folders
- Renaming, deleting, and changing attributes (depending on permissions)
- Authentication via SSH keys or passwords
- Encrypted command and metadata exchange
- Uses a single port (typically port 22), which simplifies firewall setup
Unlike FTP or FTPS, SFTP isn't just a file transfer protocol with added security, it’s a purpose-built solution that ensures every part of the session remains protected. Want to know about SFTP and compliance?
SFTP vs. SSH: Key differences
While SFTP and SSH are closely related, they serve distinct purposes and operate in different ways. Here are the main differences:
- Primary function:
SSH is used for secure remote access and command-line operations, while SFTP is specifically used for secure file transfers. - Protocol purpose:
SSH is a general-purpose secure communication protocol. SFTP is a specialized protocol built on top of SSH for managing files. - Data type:
SSH transmits command input/output data. SFTP transmits files and directory metadata. - Client tools:
SSH connections are made using clients likessh, PuTTY, or Terminal. SFTP requires a file transfer client like FileZilla, WinSCP, orsftp. - Supported actions:
SSH enables command execution, port forwarding, and tunneling. SFTP supports uploading, downloading, and managing files and directories. - Session behavior:
SSH sessions are interactive (typically command-line terminals). SFTP sessions are transactional and file-oriented.
SFTP vs. SSH: How are they similar?
SFTP relies on SSH for its secure communication layer, so the two protocols share several key security features:
- Encryption-based communication:
Both SSH and SFTP encrypt all data in transit to prevent unauthorized access, tampering, or interception. - Private/public key authentication:
Both protocols support asymmetric key pairs, where a public key is shared and the private key remains secure on the client side. This method offers stronger protection than passwords alone.
You can read more about key-based authentication here. - Password-based login:
In addition to key authentication, both protocols support username and password login methods, depending on configuration. - Authentication audit logs:
Logs can be configured for both successful and failed login attempts, helping administrators track access activity. - Login attempt restrictions:
Both protocols allow for limiting failed login attempts to protect against brute-force attacks.
When should I use SSH vs. SFTP?
Use SSH when you need:
- Secure remote administration
- Command execution on a server
- Tunneling traffic between systems
- Interactive troubleshooting
Use SFTP when you need:
- A predictable "drop here and pick up there" workflow
- Partner or vendor file exchange without giving shell access
- Batch exports and scheduled transfers
- A widely supported secure file transfer method across tools and platforms
In many organizations, the answer is not “SSH or SFTP.” It’s “SSH for administration, SFTP for file workflows,” with separate access boundaries for each. Why not explore our detailed Encryption Selection Guide?
Check out SFTP To Go
If you want SFTP file transfer without running and scaling SSH servers yourself, SFTP To Go provides managed SFTP with Amazon S3 for built-in storage and additional protoccol support like FTPS, and HTTPS for secure web portal management, as well as REST APIs to customise and automate your service.
Frequently asked questions
Is SFTP the same as SSH?
No. SFTP and SSH are not the same. SSH is a secure communication protocol used for remote command-line access. SFTP is a file transfer protocol that runs over SSH, using it to create a secure channel for transmitting files.
What is SSH used for?
SSH is used for secure remote login, command execution, server management, and encrypted tunneling. It's widely used by developers and administrators to manage infrastructure remotely over unsecured networks.
What is SFTP used for?
SFTP is used to securely transfer files over an encrypted SSH connection. It ensures that file contents, metadata, and credentials are protected during upload, download, and directory management.
How does SFTP use SSH?
SFTP operates as a subsystem of SSH. It starts by establishing a secure SSH session, then uses that encrypted channel to transfer files, issue commands, and interact with the file system securely.
Which is more secure: SFTP or SSH?
They offer the same level of encryption and authentication. SFTP runs on top of SSH, so it inherits all of SSH's security features while adding structured file transfer capabilities.
Can I use SSH without SFTP?
Yes. SSH can be used on its own for shell access, command execution, and port forwarding. SFTP is an optional feature that must be enabled separately on the SSH server if file transfer is needed.
What is the difference between an SFTP user and an SSH user?
An SSH user typically has shell access to the server. An SFTP user may only be granted permission to transfer files, without access to terminal or command-line functions.
What does “SFTP with SSH key pair” mean?
It means that instead of using a password, the user authenticates with a private SSH key paired to a public key stored on the server. This method is more secure and often used for automated transfers.