Published on 18 Aug 2020 - Updated on 14 Dec 2021
SFTP and FTPS are the two main secure ways to transfer files. Businesses that are concerned about data security opt to use one or the other. But what exactly are the differences, and why should you choose one protocol over the other?
Many businesses need to move large volumes of data regularly. To do this, most turn to one of two open, industry-standard protocols.
Both of these protocols have similar-sounding names. The placement of the S in each acronym has a lot to say about where the ‘secure’ part of the protocol comes from. You’re either starting with security as the base or adding it on at the end.
They accomplish the same goal at the end of the day, which is securely transferring your data. However, they are very different under the hood.
FTPS is built as an extension to the standard FTP protocol, which has been around since the 1970s. FTP uses two connections to transfer files — a control connection and a data connection.
Typically, a client would log in and use a series of commands, such as CD, GET, and PUT, to make the server do something. In this case, the commands tell the server to change directory, get (download) a file, and put (upload) a file. These commands are sent via the control connection, but the actual files are sent via the data connection.
For example, when I need to get a file, my FTP client would issue a command ‘GET file.txt’ on the control connection, then the FTP server would transfer that file to me on the data connection.
With standard FTP, all command and file information is sent in cleartext. FTPS or FTP-SSL simply adds a layer of encryption on top of both the control and data connections. When you first connect to an FTPS server, before sending your username and password, your FTP client will issue a plaintext STARTTLS or AUTH TLS command.
    LibNcFTP 3.2.3 (July 23, 2009) compiled for UNIX
    Remote server is running ProFTPD.
    220: ProFTPD Server (EV) [220.127.116.11]
    Connected to ftptest.exavault.com.
    Cmd: AUTH TLS
    234: AUTH TLS successful
    Cmd: USER ftptest
    331: Password required for ftptest
    Cmd: PASS xxxxxxxxxxxx
    230: User ftptest logged in
    Cmd: TYPE A
    200: Type set to A
    Logged in to ftptest.exavault.com as ftptest.
This command then tells the FTPS server the connection should be encrypted. From then on, everything is the same — your FTP client still uses commands like CD, GET and PUT — but both the contents of those commands (the command channel) and the data transfer (the data channel) are encrypted.
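An added example, not from the original article: a short Python audit of a client debug transcript in the Cmd: / reply-code format of the session above, confirming that AUTH TLS was accepted before USER and PASS were sent. It goes one step beyond the article by also checking for PROT P, the RFC 4217 command that switches the data connection to encrypted; the transcripts and the function name are constructed for illustration.

```python
import re

# Constructed transcripts in the "Cmd:" / "NNN:" debug format of the session above.
GOOD = """220: ProFTPD Server ready
Cmd: AUTH TLS
234: AUTH TLS successful
Cmd: USER ftptest
331: Password required for ftptest
Cmd: PASS xxxxxxxxxxxx
230: User ftptest logged in
Cmd: PBSZ 0
200: PBSZ 0 successful
Cmd: PROT P
200: Protection set to Private
Cmd: RETR file.txt
150: Opening data connection
226: Transfer complete"""
BAD = """220: ProFTPD Server ready
Cmd: USER ftptest
331: Password required for ftptest
Cmd: PASS xxxxxxxxxxxx
230: User ftptest logged in
Cmd: RETR file.txt
150: Opening data connection"""

CREDENTIAL_CMDS = {"USER", "PASS", "ACCT"}
DATA_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftps_transcript(text):
    """Return findings for one session; an empty list means nothing was sent in clear."""
    findings, pending = [], None
    control_tls = data_private = False
    for line in text.splitlines():
        cmd = re.match(r"Cmd:\s+(\S+)\s*(.*)", line)
        reply = re.match(r"(\d{3})[:\s-]", line)
        if cmd:
            pending = (cmd.group(1).upper(), cmd.group(2).strip().upper())
            verb = pending[0]
            if verb in CREDENTIAL_CMDS and not control_tls:
                findings.append(f"{verb} sent before TLS was negotiated")
            if verb in DATA_CMDS and not (control_tls and data_private):
                findings.append(f"{verb} data channel not protected (no PROT P)")
        elif reply and pending:
            code, (verb, arg) = reply.group(1), pending
            if verb == "AUTH" and code == "234":
                control_tls = True  # server accepted the TLS upgrade
            elif verb == "PROT" and code == "200":
                data_private = arg == "P"  # PROT C would leave data in clear
    return findings
```

A rejected AUTH TLS (any reply other than 234) leaves the session marked as cleartext, so a client that carries on to USER and PASS anyway is flagged.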
SFTP, on the other hand, is built on top of the SSH protocol, which was designed from the beginning to be a secure way to establish a connection between two computers.
When you connect with SFTP, your client initiates an SSH connection to the remote server, negotiates a series of secure handshakes, and then opens a secure tunnel to the remote server. SFTP uses that tunnel to communicate with the remote server. It tells the SFTP server to do things, such as upload or download a file. The data and commands are sent over the same secure channel.
    user@Atlantis ~ % sftp email@example.com
    firstname.lastname@example.org's password:
    Connected to ftptest.exavault.com.
    sftp>
If you ask us, the answer is SFTP.
First, the connection established with SFTP is built on a secure protocol from the beginning. Unlike FTPS, which connects via a plaintext connection then uses the STARTTLS command, SFTP operates over a secure channel from the very first part of the connection process.
Second, being built on a secure protocol means that additional security features can be built in. For example, SFTP supports key-based authentication. FTPS does not. While you can always use a username and password to connect to either protocol, SFTP allows you to use an SSH keypair. SSH keys are a way to securely authenticate without a password. Setting up SSH keys is particularly helpful if you need to do passwordless logins for automated processes.
Third, SFTP uses only one port. Port 22 is typically used for the entire connection. If you have outbound firewall rules that prevent connections from being made with other servers, you only have to open port 22 for SFTP connections to work.
With FTP or FTPS connections, you have to open both port 21 (the control port) and a range of high ports (with ExaVault, this is port 60000 to 65535) for the data channel. This type of connection creates a larger open-port footprint.
Since FTPS is a secure protocol based on standard FTP, there are use cases where it would be an acceptable choice. Usually, this falls under the category of ‘you have to use FTPS’.
For example, you will choose FTPS if you’re using software that doesn’t support SFTP. This is true of many legacy packages, and in that situation you’ll definitely want to use FTPS over plain old FTP.
It is important to note that FTPS is no less secure than SFTP. You shouldn’t be concerned if somebody asks you to use it — it’s just that it has fewer capabilities than SFTP.
Both protocols are secure, but SFTP gives you more flexibility.
While we recommend SFTP, FTPS is still a secure protocol for file transfer and great to use if you have a specific requirement to use FTPS.