SFTP vs. FTPS: Which file transfer software is best for business use?

Secure File Transfer Protocol (SFTP) and File Transfer Protocol Secure (FTPS) are two of the most popular methods for moving files across unsecured networks, such as the internet. 

Equipped with cryptographic algorithms for authentication, data confidentiality and data integrity functionality, these secure FTP solutions are designed to protect data transfer and file sharing workflows from cyber threats. But which is the better option for business environments? Let’s take a closer look.

What is SFTP?

SFTP is a file transfer protocol that’s normally packaged with Secure Shell (SSH), the network protocol most IT administrators use to access and manage remote Linux, UNIX and macOS machines in a secure manner. Most of these systems already have built-in support for OpenSSH, an open source implementation of SSH. Even later versions of Windows Server support OpenSSH. 

So, aside from being a capable remote access tool, one of the reasons SSH is so popular is its accessibility. In many cases, SSH would be pre-installed on an end user’s desktop, laptop or server. As a result, SFTP, which inherits cryptographic functionality from SSH and is even referred to as the SSH file transfer protocol, has also become a widely accepted secure file transfer tool. 

SFTP uses a single port, which is port 22 by default. So, if your SFTP server is behind a firewall and you want external users to reach it, your firewall rules only have to allow inbound connections on port 22. 

One of SFTP’s key security features is mutual authentication. Before an SFTP client and your SFTP server can establish a secure connection, they must first mutually authenticate. Basically, your server must authenticate with the client and the client must authenticate with your server. 

To learn more about server authentication, read the post: The SSH/SFTP key fingerprint and its role in server authentication.

To authenticate with your SFTP server, users, through their SFTP clients, normally just need to submit a valid username or user ID and password. However, if you want to strengthen the authentication process, you can also require users to submit SFTP or SSH keys.

By requiring a password and an SFTP key for authentication, you’ll be implementing what’s known as two-factor authentication (2FA). 2FA makes it more difficult for hackers to gain unauthorized access even if they manage to steal a user’s password. 

As soon as an SFTP client and your server are done with their respective authentication processes, the two endpoints automatically establish an encrypted connection. Files transferred through this connection are well protected against attacks. Even if hackers manage to intercept the connection, they won’t be able to obtain any useful information from it. 
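The server-authentication half of that mutual authentication can be shown with a short script. The following is an added example, not code from the original post or from JSCAPE: it computes the fingerprint of the host key an SFTP server presents, in the same format `ssh-keygen -lf` prints, and only accepts the connection if that key is pinned for the host. The hostnames and key material are constructed placeholders, not real keys, and the strict policy mirrors OpenSSH's `StrictHostKeyChecking=yes` rather than trusting an unknown server on first use.

```python
"""Host-key verification for an SFTP (SSH) server.

Added example; not code from the original post or from JSCAPE. Hostnames
and key material are constructed placeholders, not real keys.
"""
import base64
import hashlib


def fingerprint(public_key_line: str) -> str:
    """Fingerprint in the format printed by `ssh-keygen -lf`:
    'SHA256:' followed by the unpadded base64 of SHA-256(raw key blob)."""
    _key_type, blob_b64 = public_key_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> (key_type, base64 blob) from plain (unhashed)
    known_hosts lines; comments and blank lines are skipped."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, blob = line.split()[:3]
        for host in hosts.split(","):
            pinned[host] = (key_type, blob)
    return pinned


def verify_host_key(pinned: dict, host: str, presented_line: str) -> bool:
    """Strict policy, equivalent to OpenSSH's StrictHostKeyChecking=yes:
    refuse unknown hosts instead of trusting them on first use, and refuse
    any key that differs from the pinned one (a changed key may mean the
    server was rebuilt, or that the connection is being intercepted)."""
    key_type, blob = presented_line.split()[:2]
    if host not in pinned:
        raise PermissionError(f"{host}: no pinned host key, refusing to connect")
    if pinned[host] != (key_type, blob):
        expected = fingerprint(" ".join(pinned[host]))
        got = fingerprint(presented_line)
        raise PermissionError(f"{host}: host key mismatch, expected {expected}, got {got}")
    return True


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed stand-in for a host key blob (wire format: type string
    plus a 32-byte field). Not a real key; only used so the sample decodes."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(raw).decode()


# Constructed sample data: the key pinned out of band, and a different key
# that an impostor (or a rebuilt server) might present instead.
PINNED_KEY_LINE = "ssh-ed25519 " + _fake_ed25519_blob(1)
OTHER_KEY_LINE = "ssh-ed25519 " + _fake_ed25519_blob(2)
SAMPLE_KNOWN_HOSTS = f"""# pinned SFTP hosts (constructed sample)
sftp.example.com,203.0.113.10 {PINNED_KEY_LINE}
"""
PINNED = parse_known_hosts(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint(PINNED_KEY_LINE))
    print("trusted host, matching key:",
          verify_host_key(PINNED, "sftp.example.com", PINNED_KEY_LINE))
    for host, line in (("sftp.example.com", OTHER_KEY_LINE),
                       ("unknown.example.net", PINNED_KEY_LINE)):
        try:
            verify_host_key(PINNED, host, line)
        except PermissionError as err:
            print("refused:", err)
```

The fingerprint is what you compare against the value the server's administrator gave you out of band; a key that has changed since pinning should stop the transfer until the change is explained. On the server side, the password-plus-key requirement described above is enforced in OpenSSH with `AuthenticationMethods publickey,password` in sshd_config.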

Want to know what hackers can do when they intercept files sent over an unencrypted connection? Read the blog post: How to prevent sniffer attacks with encrypted FTP.

What is FTPS?

FTPS is the successor of FTP, the once-ubiquitous protocol that has been in existence since the early days of the internet. FTPS retains all of FTP’s file transfer capabilities, but adds key security features like authentication, data-in-motion encryption and data integrity — the same mechanisms found on SFTP but implemented differently. These features are provided by the accompanying cryptographic protocol, Transport Layer Security (TLS), which succeeded the older Secure Sockets Layer (SSL) protocol. 

Like the FTP protocol, FTPS consists of a control channel and a data channel. Your FTPS commands go through the control channel, while your files go through the data channel. These two channels use different port numbers. While the control channel normally uses port 21, the data channel uses either port 20 or a random port. The value of that data channel port number depends on the data connection mode used. 

A discussion on FTP data connection modes is beyond the scope of this article. However, if you want to learn more about them (and I encourage you to if you intend to use FTPS), read the blog post: Active mode vs. passive mode FTP simplified.

Like SFTP, FTPS also supports mutual authentication. This can be implemented using SSL/TLS digital certificates. You can also combine password-based authentication with SSL/TLS client authentication to achieve a 2FA system similar to the one in SFTP. Again, as soon as the authentication process completes, the FTPS client and server establish an encrypted connection — just like in SFTP. 
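Because FTPS encrypts its two channels separately, a client has to ask for both explicitly. The following is an added example, not code from the original post or from JSCAPE, using the Python standard library's `ftplib.FTP_TLS`: `AUTH TLS` upgrades the control channel before the password is sent, and `PROT P` puts the separate data channel under TLS as well; leaving `PROT P` out gives the weaker configuration in which commands are encrypted but file contents are not. The host, credentials and file names are placeholders.

```python
"""Explicit FTPS (FTP over TLS) upload that protects both channels.

Added example; not code from the original post or from JSCAPE. Host,
credentials and paths are placeholders.
"""
import ssl
from ftplib import FTP_TLS


def make_tls_context() -> ssl.SSLContext:
    """Server-authentication policy for the FTPS client: verify the server's
    certificate against the system trust store, check that it matches the
    hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the context so the policy can be checked without connecting."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def upload_over_ftps(host, user, password, local_path, remote_name, port=21,
                     protect_data_channel=True):
    """Upload one file over explicit FTPS.

    With protect_data_channel=False the session is the weak configuration
    described above: commands and the password are encrypted, but the file
    contents cross the data channel in the clear (PROT C, the protocol's
    initial default).
    """
    ftps = FTP_TLS(context=make_tls_context())
    ftps.connect(host, port, timeout=30)
    ftps.auth()                 # AUTH TLS: control channel now inside TLS
    ftps.login(user, password)  # credentials travel encrypted
    if protect_data_channel:
        ftps.prot_p()           # PROT P: data channel (files, listings) under TLS too
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()


if __name__ == "__main__":
    print(describe_policy(make_tls_context()))
    # Placeholder call; needs a reachable FTPS server:
    # upload_over_ftps("ftps.example.com", "user", "secret", "report.csv", "report.csv")
```

When reviewing an FTPS integration, the presence of `PROT P` (or its equivalent in the client in use) is the single setting to confirm; the default TLS context also covers the certificate-based server authentication mentioned above, while client certificates would be added to the same context with `load_cert_chain`.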

So, yes, SFTP and FTPS have similarities. That said, they do have multiple differences as well. We’ve outlined the key differences between these two protocols in the matrix below. 

Key differences between SFTP and FTPS

| Technical feature | SFTP | FTPS |
|---|---|---|
| Underlying protocol | SSH | FTP with SSL/TLS |
| Command and data channels | One channel for commands and data | Two separate channels, one for commands and another for data |
| Encryption mechanism | SSH-based encryption. Commands and data are always encrypted | SSL/TLS-based encryption. May be configured to encrypt both command and data channels, or just the command channel |
| Port usage | Single port (port 22) for all communication | Multiple ports. Port 21 for the command/control channel, and port 20 or random ports for the data channel |
| Authentication methods | Password-based authentication and public key authentication using public/private key pairs | Password-based authentication and certificate-based authentication |
| File management | Directory listing; file create, delete and rename | Directory listing; file create, delete and rename |
| Compatibility | Primarily designed for SSH-based environments like Linux, UNIX and macOS, but can be implemented differently to be more compatible (see discussion on JSCAPE MFT Server below) | Easily integrated with FTP legacy systems and widely supported in Windows environments, but can likewise be implemented differently to be more compatible (see discussion on JSCAPE MFT Server below) |

Having explored the major qualities and key differences between SFTP and FTPS, we can now examine the specific use cases each protocol is best suited for. Here are some of them. 

When to use SFTP

The other party prefers SFTP

Interoperability should always be a major consideration when choosing a file transfer protocol. If you and the other party can’t agree on a common protocol, you can’t exchange data. So, if the other party can only use SFTP and you have the ability to adapt, then you should use SFTP as well. 

You want a firewall-friendly protocol

Firewall-related interconnectivity issues can be quite challenging. Unfortunately, FTPS connections, which use a complex combination of ports that vary depending on the data connection mode, are prone to these types of issues. If you want to avoid firewall-related problems, then you should use SFTP. SFTP only requires a single connection port, so it’s easier to configure on your server-side and client-side firewalls. 

You’re already using SSH

This is a no-brainer. If you’re already using SSH for remote access and management, then you likely have built-in SFTP support. You likely already have the infrastructure and skill to carry out SFTP-based file transfers. Thus, it won’t take a lot of additional effort to implement SFTP. 

When to use FTPS

The other party prefers FTPS

Again, if the other party can only use or prefers to use FTPS, then you should use FTPS as well. Otherwise, you’ll be stuck with an interoperability issue that would prevent you from exchanging files. 

You’re used to transferring files via FTP

FTPS retains most of FTP’s command set. So, in a way, it provides some level of FTP support. Thus, if you’re already used to uploading files to an FTP server through a command-line FTP client or already have FTP scripts in place for your automated file transfer workflows, then it’s going to be easier to migrate to FTPS than to SFTP. 

You’re familiar with SSL/TLS certificates

As mentioned earlier, FTPS relies heavily on SSL/TLS certificates. If you’re managing web servers, you’re likely already well-versed in digital certificate administration and have the necessary infrastructure in place. So, yes, in this case, you should probably pick FTPS over SFTP.  

SFTP vs. FTPS use case comparisons

Here’s a longer list of use cases for each protocol.

| Use case | SFTP | FTPS |
|---|---|---|
| Firewall configuration | Easier to configure since it only uses a single port, 22 | More difficult to configure since it uses multiple ports, and one set of ports is dependent on the data connection mode (Active or Passive FTP) used |
| Legacy systems integration | Doesn’t integrate as easily with legacy file transfer systems as FTPS does | Partly compatible with legacy FTP systems, so it offers better integration with legacy systems than SFTP |
| Regulatory compliance for HIPAA, PCI DSS, GDPR and others | Meets regulatory requirements for authentication, data-in-motion encryption and data integrity | Meets regulatory requirements for authentication, data-in-motion encryption and data integrity |
| Large file transfers | Can support | Can support |
| Secure file sharing | SFTP servers can be configured to support file sharing, with varying degrees of folder permissions | FTPS servers can be configured to support file sharing, with varying degrees of folder permissions |

Support SFTP and FTPS with a single solution

In many interconnected business environments, SFTP and FTPS often need to co-exist. Some organizations require SFTP, while others may only support FTPS. If you need to exchange data with both types of organizations, you’ll have to provide support for both protocols. Additionally, in many cases, you may need to support other protocols like Applicability Statement 2 (AS2) or Odette File Transfer Protocol (OFTP) as well. 

When faced with this scenario, it’s easier to adopt a solution that supports multiple protocols. Managed file transfer solutions, like JSCAPE MFT Server by Redwood, offer this capability. JSCAPE MFT Server, in particular, supports:

  • SFTP
  • FTP/S
  • AS2
  • OFTP
  • WebDAV/S
  • HTTP/S
  • And others

In addition, it seamlessly integrates with an extensive selection of apps and services, including:

  • SMB shares
  • CyberArk
  • AWS S3
  • DropBox
  • Google Drive
  • Google Cloud Storage
  • Microsoft Azure Data Lake
  • ActiveBatch by Redwood
  • IMAP
  • Tidal by Redwood
  • And many others

JSCAPE MFT Server can be installed on all major server operating systems, including Windows, UNIX, Linux, macOS, Solaris and IBM AIX. This deployment flexibility ensures maximum compatibility with your existing IT infrastructure. 

Would you like to see how easy it is to set up SFTP and FTPS services on JSCAPE MFT Server? Book a quick demo now.