SFTP Servers for Business: Self-Hosted vs Hosted SFTP
Running an SFTP server is operationally cheap until it isn't. This post compares the two paths — self-hosted SFTP (OpenSSH, ProFTPD, commercial daemons) versus hosted SFTP as a service — and walks through the real cost comparison most teams miss when evaluating the choice.
An SFTP server is software running on a host that accepts incoming SFTP client connections over port 22, authenticates users with passwords or SSH keys, and exchanges files over an encrypted SSH session. The choice every team faces: run one yourself, or buy SFTP-as-a-service from a managed provider. Both are valid; the right one depends on team size, partner mix, compliance posture, and how much engineering capacity you want spent on file-transfer infrastructure versus the rest of the product. This post walks through both options with honest cost-of-ownership math.
What an SFTP server actually does
The protocol layer is straightforward — every reasonable SFTP server (open-source or commercial) handles:
- Accepting incoming connections on port 22 with the SSH protocol's encryption and host-key verification.
- Authenticating users — passwords against a local user database, or SSH public keys against authorized_keys files.
- Executing file operations that the client requests: directory listing, file upload, file download, rename, delete, permission changes, symlink creation.
- Optionally: chroot per user, transfer logging, bandwidth limits, IP allowlisting, custom virtual users.
What an SFTP server doesn't include out of the box: queryable audit logs, MFA, SSO integration, SLA-grade availability, automated backups, capacity scaling, compliance reporting, key-rotation automation. Each of these is a thing you bolt on, build, or pay extra for.
Self-hosted SFTP: the four main options
For shops running their own SFTP server, four implementations dominate:
- OpenSSH sftp-server — ships with every Linux and macOS system. Free, mature, the most secure SFTP daemon by reputation. One line of sshd_config enables it. Best for SFTP-only deployments where you don't also need FTP/FTPS.
- ProFTPD with mod_sftp — heavier-weight, extensible via modules, supports FTP and FTPS alongside SFTP on the same backend. Best when you need multiple protocols on the same server.
- vsftpd — FTP-focused, doesn't speak SFTP natively but pairs with OpenSSH for the SFTP side. Common on Linux distributions for FTP/FTPS workloads.
- Cerberus FTP Server, Globalscape EFT — commercial Windows-friendly servers with GUI management, AD integration, and vendor support. Best for Windows-centric enterprises.
For SFTP-only workloads, OpenSSH is usually all you need. For multi-protocol shops (SFTP + FTPS + FTP), ProFTPD is the open-source default.
The real cost of running your own SFTP server
The list price of OpenSSH is $0. The total cost of ownership is not. Counting honestly:
- Compute and storage — a single VM with adequate disk for ~$50/month at most cloud providers. Scaled for high availability (two instances behind a load balancer + replicated storage), ~$200–500/month.
- Patching and maintenance — every OpenSSH advisory is a maintenance window. Realistically 4–8 hours of engineering time per quarter.
- User and key management — adding a partner, rotating a key, revoking access. Either you wrote a script (an hour amortized) or you're doing it by hand (an hour per partner per change).
- Audit logging infrastructure — turning /var/log/auth.log into a queryable audit trail requires a log-aggregation layer (Loki, ELK, Splunk). Either a self-hosted setup (compute + storage + maintenance) or a SaaS bill (~$50–500/month).
- Monitoring and alerting — "is the SFTP server up" and "did partner X's daily batch arrive" need explicit health checks. A few hours of setup, ongoing on-call attention.
- Compliance evidence — SOC 2, HIPAA, PCI evidence collection. Either built into your existing compliance program or a separate project.
- Engineering capacity — the recurring cost of having "the SFTP server" on someone's plate, whether they're actively touching it or not.
For most teams, the all-in honest number lands somewhere between $500 and $5,000/month in equivalent cost, plus the engineering capacity it consumes. The $0 list price is misleading.
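The audit-logging and monitoring items above, as an added example (not code from the original post): a Python parser that turns sftp-server syslog lines into per-transfer records and answers "did partner X's batch arrive". It assumes the subsystem runs with INFO-level logging (internal-sftp -l INFO) and classic syslog timestamps; the log lines, host name, user names and paths are constructed samples.

```python
import re

# Constructed sample lines in the shape sftp-server logs at INFO level.
SAMPLE_LOG = """\
Mar  3 02:00:01 xfer1 internal-sftp[2213]: session opened for local user partner_a from [192.0.2.10]
Mar  3 02:00:02 xfer1 internal-sftp[2213]: open "/inbound/batch-0303.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 02:00:05 xfer1 internal-sftp[2213]: close "/inbound/batch-0303.csv" bytes read 0 written 20480
Mar  3 02:00:05 xfer1 internal-sftp[2213]: session closed for local user partner_a from [192.0.2.10]
Mar  3 02:10:41 xfer1 internal-sftp[2290]: session opened for local user partner_b from [198.51.100.7]
Mar  3 02:10:42 xfer1 internal-sftp[2290]: open "/outbound/report.pdf" flags READ mode 0666
Mar  3 02:10:43 xfer1 internal-sftp[2290]: close "/outbound/report.pdf" bytes read 5120 written 0
"""

LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ '
    r'(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]$')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def parse_transfers(text):
    """Return one audit record per closed file handle, attributed to a user."""
    sessions = {}   # pid -> (user, source); file events carry only the pid
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not an sftp-server line
        pid, msg = m["pid"], m["msg"]
        if (o := OPENED.match(msg)):
            sessions[pid] = (o[1], o[2])
        elif (c := CLOSE.match(msg)):
            user, source = sessions.get(pid, ("unknown", "unknown"))
            records.append({"time": m["ts"], "user": user, "source": source,
                            "path": c[1], "bytes_read": int(c[2]),
                            "bytes_written": int(c[3])})
        elif msg.startswith("session closed"):
            sessions.pop(pid, None)       # pids are reused; drop stale mapping
    return records

def batch_arrived(records, user, prefix):
    """Monitoring check: did this user write a non-empty file under prefix?"""
    return any(r["user"] == user and r["path"].startswith(prefix)
               and r["bytes_written"] > 0 for r in records)
```

With ChrootDirectory in effect the logged paths are relative to the chroot, so attribute them per user rather than treating them as host paths.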
Hosted SFTP: when buying makes sense
Hosted SFTP (or "SFTP-as-a-service") is the alternative: a vendor runs the SFTP server, you get an endpoint and credentials. The vendor handles patching, certificate rotation, availability, audit logging, compliance posture, and capacity scaling. You pay per-user or per-feature; the operational surface is theirs.
The vendors worth knowing about:
- Files.com — broadest protocol support (SFTP, FTP, FTPS, WebDAV, AS2), strongest compliance posture (SOC 2 Type II, HIPAA-BAA, GDPR), REST API + SDKs in 8 languages.
- SFTP To Go — minimal, focused, cheaper than Files.com for small teams that only need SFTP and don't need the broader feature set.
- SFTPCloud — similar focused-SFTP positioning.
The trade you make with hosted SFTP: less control over the underlying infrastructure (you can't tune the exact cipher suite, can't run on dedicated hardware unless you pay for it), in exchange for everything else being someone else's problem.
When self-hosted is the right call
Three scenarios where running your own SFTP server is genuinely the better answer:
- Air-gapped or sovereign-cloud deployments. Regulated industries, government workloads, healthcare data residency requirements that prohibit multi-tenant cloud. Self-host inside your boundary.
- Existing infrastructure with capacity to absorb it. If your team is already running compliant Linux fleet management, audit-log aggregation, and key-rotation tooling, adding SFTP is incremental rather than a new operational category.
- Truly cost-sensitive small workloads. One internal team, two partners, no compliance requirements. OpenSSH + a $20/month VM is genuinely the cheapest option.
For everything else, hosted is usually the better path once you count the real cost of self-hosting.
When hosted is the right call
The cases where buying makes sense:
- You don't have dedicated infrastructure engineering capacity. A 5-person team running an SFTP server alongside the rest of the product is the wrong mix; the operational variance burns the team's capacity.
- You need multiple protocols on the same backend. Hosted platforms typically expose SFTP, FTPS, FTP, and WebDAV on the same files. Self-hosting all four is real work.
- You have partners across multiple protocols. Partner A wants SFTP, Partner B wants AS2, Partner C wants HTTPS share links. A managed platform handles all of them; self-hosting means stitching together multiple servers.
- Your compliance program covers fewer surfaces. SOC 2 / HIPAA / PCI scope reduction is real value — the SFTP server's compliance posture is the vendor's responsibility, not yours.
- You need it tomorrow. Hosted SFTP provisions in minutes; self-hosted SFTP is days to weeks to get production-ready.
The modern way
Files.com is the File Orchestration Platform we'd recommend for hosted SFTP in 2026. The platform:
- Exposes SFTP on port 22 on a subdomain Files.com provisions, with native SSH key authentication and per-user credentials.
- Adds FTPS, FTP, WebDAV, AS2 on the same backend storage. Partners pick whichever protocol they prefer.
- Per-file, per-user audit logging. Immutable trail; drops into SOC 2 / HIPAA evidence collection.
- SOC 2 Type II, HIPAA-BAA, GDPR-ready out of the box.
- REST API + SDKs in 8 languages for automation that wants to skip the SFTP client entirely.
- MFA, SSO with SAML/SCIM, IP allowlisting for enterprise security posture.
Start a free Files.com trial — no credit card, provisioned in about 10 minutes.
For teams that must run SFTP infrastructure inside their own datacenter, the free ExaVault on-premise appliance ships an SFTP server (plus FTP, FTPS, WebDAV) as a self-hosted VM image — pre-configured with the operational surface managed by the vendor.
FAQ
What is an SFTP server?
An SFTP server is software that listens on TCP port 22 for incoming SSH File Transfer Protocol connections, authenticates users, and exchanges files over an encrypted SSH session. Examples include OpenSSH's sftp-server subsystem (free, default on Linux/macOS), ProFTPD with mod_sftp (free, multi-protocol), and commercial options like Cerberus and Globalscape EFT (paid, Windows-focused).
What's the difference between SFTP and FTP servers?
An SFTP server speaks the SSH File Transfer Protocol on port 22 — encrypted by default, single-channel, supports SSH key auth. An FTP server speaks the original File Transfer Protocol on port 21 — cleartext by default, dual-channel, password-only auth. They're different protocols; a client built for one cannot connect to the other.
How do I set up an SFTP server?
On Linux, the SFTP server is already there — OpenSSH ships with sftp-server enabled by default in modern distributions. Connect with any SFTP client on port 22 using a regular Unix user account; it just works. For configuration (chroot, virtual users, transfer logging), edit /etc/ssh/sshd_config and consult the sshd_config(5) man page.
For multi-protocol shops (SFTP + FTPS + FTP), install ProFTPD with mod_sftp and configure all three protocols in one daemon.
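One way to check the chroot and SFTP-only settings mentioned above, as an added example that is not from the original post: a Python check over an sshd_config fragment. The group name sftp-partners, the /srv/sftp/%u path and the strict rule that all three keywords must appear inside the Match block are assumptions of this example; the parser covers only plain keyword/value lines.

```python
# Constructed sshd_config fragment: an SFTP-only, chrooted partner group.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp -l INFO
PasswordAuthentication no

Match Group sftp-partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
"""

# Keyword (lowercase) -> predicate its value must satisfy inside the Match block.
REQUIRED = {
    "chrootdirectory": lambda v: v.lower() != "none",
    "forcecommand": lambda v: v.split()[:1] == ["internal-sftp"],
    "allowtcpforwarding": lambda v: v.lower() == "no",
}

def match_blocks(text):
    """Map each 'Match ...' criteria string to its {keyword: value} settings."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # sshd keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # first value seen is the one kept
    return blocks

def audit_sftp_group(text, criteria):
    """Return a list of problems for one Match block; empty means it passes."""
    settings = match_blocks(text).get(criteria)
    if settings is None:
        return [f"no 'Match {criteria}' block"]
    problems = []
    for key, ok in REQUIRED.items():
        if key not in settings:
            problems.append(f"{key} not set")   # account may still get a shell
        elif not ok(settings[key]):
            problems.append(f"{key} is '{settings[key]}'")
    return problems
```

sshd requires every component of the ChrootDirectory path to be root-owned and not writable by group or others; on a live host, sshd -T with a -C connection specification prints the effective settings for a given user.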
What's "SFTP as a service"?
Hosted SFTP — a vendor runs the SFTP server, you get an endpoint and credentials. The vendor handles patching, availability, audit logging, compliance posture, and capacity scaling. The trade is less control over the underlying infrastructure in exchange for less operational overhead. See Files.com for one example.
What's the difference between hosted SFTP and SFTP hosting?
In practice, the same thing — both refer to a vendor-managed SFTP service you pay for instead of running yourself. "Hosting" sometimes implies the vendor provides a dedicated VM or container you connect to; "as a service" implies a fully-managed multi-tenant platform. The line is blurry.
Is OpenSSH SFTP secure for production?
Yes — OpenSSH's sftp-server is one of the most-audited pieces of network software on the internet, with a remarkably clean security track record. The risk in self-hosted SFTP isn't usually the protocol layer; it's the operational layer (user management, audit logging, key rotation, compliance evidence). OpenSSH handles the protocol; you handle the rest.
What's the difference between SFTP and FTPS for business use?
SFTP runs over SSH on a single port and supports key auth; it's the modern default. FTPS is FTP wrapped in TLS, dual-channel, password-only auth — useful when partners can speak FTP but not SSH. For new deployments, SFTP. For partner compatibility, FTPS. Managed platforms typically support both.