SFTP vs. FTPS: Their Differences

SFTP stands for Secure File Transfer Protocol but sometimes goes by the name of SSH File Transfer Protocol. As the name suggests, SFTP uses SSH encryption to securely transfer data between two systems. Following that, SFTP’s main usage becomes apparent, which is to provide users the facility to transfer files securely. Other uses of SFTP include viewing, managing and changing directories and files from remote locations. The main advantages of SFTP include good scalability, easy file management, data security, ease of access, low costs of doing business and no requirements for new hardware. However, there are a few drawbacks of SFTP, including VCL and .NET not supporting SFTP, lack of recursive directory removal tools, many SFTP configuration standards leading to compatibility problems, and a complex system of managing and validating SSH keys and binary communications (no logging options).

The term FTPS stands for File Transfer Protocol Secure. Essentially, FTPS represents File Transfer Protocol (FTP) with support for TLS (Transport Layer Security). Like SFTP, FTPS is used to exchange files between businesses, customers, users and other partners. The main advantages of FTPS include human-readable communication logs, the ability to execute server-to-server transfers, strong authentication features and widespread support. FTPS’s disadvantages include lack of standardization when securing and modifying file or directory attributes, lack of filename character set guidelines, incomplete support for TLS/SSL on many FTP servers, and complex implementation on machines with firewalls due to secondary DATA channels.


What is SFTP?

An image featuring SFTP secure file transfer protocol concept

The SSH File Transfer Protocol is a secure client-server file protocol that helps transfer files over the internet. As mentioned above, SFTP is an advanced form of FTP and SSH developed by the Internet Engineering Task Force.

How SFTP Works

So, what is SFTP and how does the protocol work? SFTP establishes a secure connection—and protects all files that need to be transferred—by creating a data stream channel over SSH or Secure Shell. The SFTP protocol uses powerful encryption algorithms to keep files unreadable and provide a safe channel for the data to move through. Various SFTP authentication methods stop malicious actors from accessing files or transferring data while in this transition.

What are the Methods of SFTP?

The methods of SFTP are explained below.

  1. SFTP Authentication: ID & Password
  2. SFTP Authentication: SSH Keys

1. SFTP Authentication: ID & Password

The SFTP authentication method of ID and password combination essentially requires the valid credentials of a given user. But first, the username and password authentication must be enabled. To enable ID and password authentication, the user should create a static service account with the credentials on the SFTP server. Then a known_hosts file must be created. The main feature of authentication via an ID and password is that no private/public keys are required.

2. SFTP Authentication: SSH Keys

An image featuring a laptop that has SSH keys on it concept

The SFTP authentication SSH keys method is used when the user needs to be identified with the SSH protocol. SSH keys are used to identify the user when logging in through an SSH server. SFTP authentication via SSH keys is generally considered more secure than the ID and password method of authentication. The main feature of authentication through SSH keys is that a user can connect to multiple servers with SSH keys and an SSH agent, which leads to easier logins. Another great feature of SSH keys for SFTP authentication is enhanced security. Companies that manage sensitive information usually go to SSH keys, which can extend up to 4096 bits in length. SSH keys also have a feature where only approved devices can access corporate assets or services rather than any device with the correct username and password.

What is FTP?

An image featuring FTP file transfer protocol on laptop concept

So, what is FTP? First, an easy way to think about this question is to consider FTPS as an extension of FTP. FTPS comes with support for both SSL and TLS. Like SFTP, FTPS is a secure file transfer protocol allowing companies to transfer files over the SSL protocol. FTPS can encrypt all information moving through the internet because of TLS and SSL support.

FTPS is a bit different from FTP, though. The term FTP stands for File Transfer Protocol, which is also a network protocol that allows files to transmit between two devices. However, FTP enables data transfer over the TCP/IP protocol.

There are three types of FTP connections. The first is the simple FTP. FTP connections are unencrypted and usually use port 21 by default. Almost all mainstream browsers have support for FTP. The second type of FTP connection is FTPS. Sometimes, the FTPS connection is known as implicit SSL/TLS FTP, which does support encryption connections similar to HTTPS. FTPS uses SSL to secure communications as soon as a given session starts. FTPS makes use of port 990 by default. Even though encrypted FTP connections have been around for a long time, the technology is more or less deprecated. Very few mainstream web browsers have support for FTPS.

The third type of FTP connection is explicit FTP over TLS/SSL. This type of FTP connects using port 21 but then makes use of FTP special commands to upgrade the connection to SSL/TLS with encryption. The upgraded connection is fully established even before the user gets the opportunity to send login credentials. FTPES, which is sometimes considered a newer version of encrypted FTP, has decent support and doesn’t cause problems with more firewall configurations. But again, very few web browsers support FTPES.

How FTP Works

An image featuring two laptops with file data transferring between them concept

FTP is nothing but a file transfer protocol used to establish communication channels between computers. FTP is widely considered a client-server protocol. FTP needs two communication channels between the server and the client. The two channels are called control connection and data connection. When an FTP client such as FileZilla sends a request for a connection to server port 21, that “control connection” is used to receive and send commands and the responses to those commands. Users usually have to provide login credentials to connect to such FTP servers. As the name suggests, the data connection is the channel that the client and server use for moving folders and files.

FTP is able to establish a connection in two main ways: active mode and passive mode. In active mode, the user makes use of a random port available via the FTP client to connect to the FTP server through port 21. The client sends a PORT command, and the server responds by connecting to the specified port of the client. The FTP server uses port 20 to connect to the specified FTP client port. Once this connection is in place, any data transfer can only happen between the client and the server.

In the passive mode, the FTP client is unable to form a connection because of a firewall and hence must activate the passive mode. The user has to use a random port via an FTP client to a server by using port 21 on the server. Unlike active mode, the passive mode requires the command PASV to be sent so that the FTP client can know the precise port to use for a connection. Both the client and the server have to use random ports to form a connection and transfer data.

This is important:

As mentioned, there are many advantages of using FTP for transferring data, such as support for multiple file transfers, the ability to resume a disrupted transfer, a lack of file size limits, scheduled transfers, an option to form queues and a fast transfer rate compared to HTTP.
An image featuring file transferring between a mobile phone and a laptop concept

FTPS is similar to FTP but supports security measures to keep data safe from hackers and other malicious actors. FTPS essentially improves upon FTP by making use of Transport Layer Security and Secure Sockets Layer to add sufficient security for file transfer that organizations can benefit from. In terms of how FTPS works, there are two modes of operation: implicit FTPS and explicit FTPS. Implicit FTPS is the older method and uses a separate port 990 to establish a secure connection with encryption enabled. Users also have to log in before any kind of file transfer can take place.

Explicit FTPS is sometimes called FTPes. Explicit FTPS is different from implicit FTPS because this method uses a single control port to establish a connection, which is port 21. The client or the server can then request an upgrade to have an SSL connection for more security. All of such decisions have to be made before any file transfer.

Explicit FTPS offers more flexibility and configuration options than implicit FTPS and hence is more widely supported.

What is the Difference between SFTP and FTPS in Data Exchange?

An image featuring two people sharing files concept

In terms of data exchange rates, SFTP consumes more resources while FTPS is light on resource consumption and has a more straightforward process when setting up connections for data exchange. FTPS leverages the older FTP protocol and then adds an extra layer of protection through encryption to any communications or file transfers. Using the FTPS protocol, the client can connect to the server in a secure environment without any allowance for negotiation.

On the other hand, SFTP essentially verifies the two parties, then allows the two devices to meet and form a connection. Any data exchange will happen after SFTP has verified the users and connection security. If FTPS is an advanced version of FTP, then SFTP is an advanced version of SSH protocol.

FTPS uses two separate channels for data exchange: the data channel and the command channel. The command channel connects to port 21 on the server, accepts client connections and handles all the simple commands between a server and a client. For authentication, the USER and PASS command is used. The data channel uses temporary ports to listen to the server on-demand. Based on which mode is used (passive or active), the data channel may use temporary ports on the server or on the client. The data channel enables file transfers and directory listings.

In the case of SFTP, there are no separate data and command channels. SFTP uses a single connection through which commands and data are sent/received.

Hence, both SFTP and FTPS use encryption and protect data such as file content, passwords and users. But both have a different way of achieving the same outcome.

What is the Difference between SFTP and FTPS in Security?

An image featuring a person transferring files on PC concept

When talking about security, FTPS comes in two variants: FTPS implicit SSL and FTPS explicit SSL. As indicated earlier, in FTPS implicit SSL, the first requirement is to establish a secure connection between a server and a client before any data can be transferred. In other words, the server will refuse any FTP connection that does not use SSL. FTPS explicit SSL is where the client and server can negotiate what kind of protection is used. Such a server is able to support encrypted FTPS and unencrypted FTP sessions via a single port. An FTPS explicit SSL session can allow the client to form an unencrypted session with an FTP server. But before moving any user credentials, the client sends a request to the server to switch the command channel to SSL. Only after an SSL channel has been established does the client transfer user credentials. A similar process is followed to protect the data channel using different commands.

In the case of SFTP, the client and server agree on an encryption cipher before any data is transferred. But SFTP provides more ways to protect SFTP sessions, such as public and private keys. Known as public key authentication (discussed in a previous section), SFTP offers a powerful alternative to the common username and password combination method of authenticating users. SFTP allows users to either use one (or the other) or a combination of both.

Unlike SFTP, FTPS doesn’t strictly require a verified and/or pre-established connection between a client and a server. Since FTPS is built on the FTP protocol, which does not encrypt data when transferring data, FTPS can only add a TLS or SSL protection layer at the application level. Some consider SFTP’s approach to securing communications more robust.


Readers should also note that even though both SFTP and FTPS support the same algorithms (key exchange, symmetric and asymmetric), FTPS performs authentication via x.509 certificates, while SFTP completes the authentication process via SSH keys.

What is the Difference between SFTP and FTPS in a Firewall?

An image featuring a secure firewall on PC concept

The difference between SFTP and FTPS in the firewall department is that FTPS servers allow inbound connections on both port 990 and port 21. For directory listings and file transfers, servers support a wide port range. FTPS servers also do not prohibit inbound connections made via passive port ranges. On the client-side, FTPS allows outbound connections to port 21. The FTPS server defines the passive port range. SFTP, on the other hand, allows inbound connections via port 22 on the server-side and inbound connections to port 22 on the client side.

But what is a firewall and how does this relate to SFTP and FTPS? Generally, both FTPS and SFTP have different compatibility potentials with different firewalls. FTPS is able to use multiple ports and requires a separate data channel to start transferring files. That makes FTPS a bit harder for various firewalls to work with. Since SFTP only uses a single connection to establish communication channels between a server and a client, firewalls find SFTP connections easier to deal with.

Since FTPS has more functions, connections over FTPS tend to cause client and server interoperability problems. SFTP has slightly more comprehensive support with modern systems and devices. However, even SFTP can cause difficulties when communications occur within .NET and VCL frameworks.

Damien Mather Damien is a cybersecurity professional and online privacy advocate with a bachelor of Computer Science. He has been in the industry for 20+ years and has seen the space evolve far bigger than he ever thought. When he is not buried in his research or going through code, he is probably out Surfing or Camping and enjoying the great outdoors. 
Leave a Comment