Migrate to/from SFTP Servers (SSH-Based File Transfer)

What is SFTP?

SFTP — the SSH File Transfer Protocol — is the modern, secure replacement for FTP. Despite the similar name, it's a completely different protocol: SFTP runs over an SSH session on port 22, with the entire data exchange (control commands and file content) encrypted using the same algorithms that protect SSH terminal sessions — typically AES-128 / AES-256, with HMAC-SHA-2 message authentication and Diffie-Hellman key exchange. The current protocol version is SFTP version 6, introduced with SSH-2. Where FTP requires multiple ports (21 for control, 20 or a passive range for data) and exposes credentials in plaintext, SFTP needs only port 22 and never sends a password in the clear.

Where SFTP shines is in server-side scenarios — Linux VPS deployments, managed file-transfer between business partners, scientific data pipelines, IoT device telemetry uploads, and any context where SSH access already exists. Setting up an SFTP server is often as simple as enabling the OpenSSH daemon (already on every Linux machine), creating a user, and optionally chrooting that user to a specific directory via the internal-sftp subsystem. CloudsLinker bridges these SSH-secured endpoints to commercial cloud storage: connect any SFTP server with host + credentials + port + (optional) SSH private key, then run scheduled migrations to Google Drive, OneDrive, S3, Wasabi, B2, or any of 140+ destinations.

Key features of SFTP

Single port (22) — firewall-friendly

SFTP uses only port 22 for both authentication and data — no separate data channel like FTP, no passive port range to configure. The single-port design works through corporate NAT/firewalls with minimal config.

AES-encrypted in transit

Entire SFTP session encrypted via SSH — typically AES-128 or AES-256 with HMAC-SHA-2 message integrity. Modern OpenSSH 8+ negotiates curve25519 key exchange and chacha20-poly1305 by default.

Key-based vs password authentication

SSH keys are stronger than passwords (eliminates brute-force risk). Best practice combines SSH key + passphrase. CloudsLinker supports both auth methods.

SFTP ≠ FTP / FTPS

Despite the similar name, SFTP is a completely different protocol from FTP. SFTP runs over SSH (port 22). FTPS is FTP wrapped in TLS (port 21 or 990). They share no implementation details.

Resume interrupted transfers

SFTP version 6 supports resuming interrupted transfers — failed uploads pick up from the last successful byte. CloudsLinker uses this for resilient multi-GB transfers over slow links.

Chroot jails for multi-user setups

OpenSSH's <code>internal-sftp</code> subsystem with <code>ChrootDirectory</code> directive locks SFTP users to specific folders without granting shell access. Standard practice for managed-file-transfer setups.

Why connect SFTP to CloudsLinker

CloudsLinker connects to SFTP servers using standard parameters: hostname, username, password (or SSH private key for key-based auth), port (default 22), and optional initial path. The connector negotiates the strongest mutually-supported encryption suite (typically AES-256-GCM with curve25519 key exchange against modern OpenSSH 8+ servers), and supports the resume-interrupted-transfer feature of SFTP version 6. Once connected, transfers run server-to-server: CloudsLinker pulls bytes from the SFTP source over SSH and writes them to the destination cloud over its native API.

What you can do with SFTP on CloudsLinker

SFTP ↔ any cloud bridge

Connect any SFTP / SSH server and migrate to Google Drive, OneDrive, S3, Wasabi or B2 — single-port firewall-friendly, AES-encrypted in transit.

Runs on our servers

SFTP transfers execute on CloudsLinker infrastructure. Useful for slow legacy SSH servers where the migration takes hours — your machine doesn't need to stay online.

Scheduled SSH-based backup

Hourly / daily / weekly schedules. Common for Linux server log rotation, IoT device telemetry, and scientific instrument data ingest into S3.

Filter by path, type, age

Migrate only <code>/var/log/2026</code>, exclude files larger than the destination's cap, or sync only files modified in the last 7 days.

Common SFTP transfer scenarios

Linux server backup: SFTP → S3 / Wasabi / B2

Most Linux VPS servers expose SFTP by default for sysadmin access. Schedule a CloudsLinker nightly backup of /etc, /var/log, and application data folders from your server's SFTP to Wasabi ($6.99/TB) or B2 ($6/TB). Replaces ad-hoc rsync cron jobs with proper scheduling, delta sync, and cross-cloud destination flexibility.

Managed file transfer (MFT) between business partners → Google Drive shared folder

Many B2B partners exchange files via SFTP drops. CloudsLinker watches the inbound SFTP folder and copies new files to a Google Drive shared folder where the receiving team works — modernizing a legacy SFTP-based workflow without changing the partner's process.

Scientific instrument telemetry: SFTP → BigQuery via GCS

Lab instruments and research equipment often export data via SFTP. CloudsLinker schedules ingest from the instrument's SFTP into a Google Cloud Storage bucket where BigQuery reads it for analytics — bridging legacy on-prem science to modern cloud analytics pipelines.

IoT device backup: SFTP → S3 immutable backup

IoT gateways, embedded Linux devices, and edge servers often only support SFTP for outbound data. CloudsLinker schedules collection from these endpoints into S3 with Object Lock for immutable retention — meeting compliance requirements for IoT data lineage.

Plex / Jellyfin home media pipeline: Put.io → SFTP → home NAS

Media-server users wire Put.io (cloud torrent downloader) → CloudsLinker SFTP push → home NAS. CloudsLinker connects Put.io via OAuth as source and the home NAS via SFTP as destination — completed downloads land in the media folder automatically.

How to connect SFTP to CloudsLinker

SFTP uses server parameters: hostname, username, password (or SSH private key), port (default 22), and optional initial path.

Before you start

Gather the connection details:

Hostname (e.g. sftp.example.org or an IP address)
Username — preferably a dedicated service account, not a real human user
Authentication method: SSH private key (recommended) or password
Port (default 22; some servers run SFTP on non-standard ports for security through obscurity)
Initial path (optional — scope the connection to a specific directory)

For SSH key authentication: generate a dedicated key pair (ssh-keygen -t ed25519 -f cloudslinker_key), add the public key to the server’s ~/.ssh/authorized_keys, and paste the private key into CloudsLinker. Keep the key passphrase-protected for defense in depth.

Connection steps

In CloudsLinker, click Add Cloud → choose SFTP.
Enter a display name (e.g. “Linux VPS — backup”).
Enter the hostname and port (default 22).
Enter the username.
Choose authentication:
- Password: enter the user’s SSH password.
- SSH private key (recommended): paste the contents of your private key file (typically ~/.ssh/cloudslinker_key).
(Optional) Enter an initial path to scope the connection (e.g. /home/backup/data).
Click Confirm — CloudsLinker establishes the SSH session, validates SFTP, and shows the connection ready.

Server-side hardening

For production SFTP-only setups, configure OpenSSH with:

Subsystem sftp internal-sftp (use the in-process SFTP subsystem, not the external one)
Match Group sftpusers block with ChrootDirectory, ForceCommand internal-sftp, AllowTCPForwarding no, X11Forwarding no
Disable password authentication entirely if all users have SSH keys: PasswordAuthentication no
Add fail2ban or similar to block brute-force attempts on port 22

Revoke access

Two paths to revoke CloudsLinker’s SFTP access:

Password auth: change the user’s password on the server.
SSH key auth: remove the CloudsLinker public key from ~/.ssh/authorized_keys on the server.

Either action invalidates CloudsLinker’s connection immediately.

SFTP upload & download limits you should know

SFTP is a protocol, not a service — limits depend entirely on the SFTP server you’re connecting to:

Default port: 22 (SSH).
Encryption: AES-128 / AES-256 with HMAC-SHA-2; modern OpenSSH defaults to chacha20-poly1305 and curve25519 key exchange.
Maximum file size: no protocol-level cap. Practical limit: server filesystem (16 TiB+ per file on ext4/Btrfs).
Resume interrupted transfers: supported in SFTP version 6 (the current version since SSH-2).
Authentication: username + password, SSH private key, or both (key + password = strongest).
Single port: no separate data channel like FTP — friendly to NAT / firewalls.
Bandwidth: server-side configurable; no protocol-level cap. CPU encryption overhead can bottleneck on older hardware.
Concurrent connections: server-side configurable (typically 5–50 simultaneous SSH sessions per user).
Compatible with: OpenSSH (most Linux servers), Bitvise SSH Server, Cerberus FTP Server, JSCAPE MFT, Couchdrop, AWS Transfer Family, Azure Storage SFTP, and any RFC-compliant SFTP server.
Chroot jails: OpenSSH internal-sftp subsystem locks users to specific directories without shell access.
No SFTP-specific encryption-at-rest: SFTP encrypts in transit only. For at-rest encryption, use full-disk encryption on the server.

Sources: Wikipedia: SSH File Transfer Protocol, SolarWinds: SSH File Transfer Protocol glossary, Fortra: SSH keys vs passwords for SFTP, ArchWiki: SFTP chroot setup.

SFTP + CloudsLinker — Frequently Asked Questions

Is SFTP the same as FTP or FTPS?

No. Despite the similar name, SFTP is a completely different protocol. SFTP runs over SSH on port 22, single port, encrypted by design. FTP is the original 1971 protocol, plaintext, port 21. FTPS is FTP wrapped in TLS, port 21 or 990, multi-port. CloudsLinker has separate connectors for SFTP and FTP/FTPS — choose based on what your server actually exposes.

Should I use SSH keys or passwords?

SSH keys are strongly preferred for production migrations. Eliminates brute-force attack risk, doesn't require typing the password into the connection setup, and many big companies (GitLab, GitHub, AWS) recommend SSH keys with a passphrase for defense in depth. Generate a dedicated SSH key for CloudsLinker, add the public key to ~/.ssh/authorized_keys on the server, and paste the private key into CloudsLinker.

What's the maximum file size SFTP can transfer?

SFTP itself imposes no protocol-level cap. Practical limits come from: (1) server filesystem (ext4 / Btrfs / ZFS — typically 16 TiB+ per file), (2) destination cloud's per-file cap (e.g. OneDrive 250 GB, S3 5 TB), (3) SSH session timeout for very long transfers (CloudsLinker auto-resumes via SFTPv6 resume support).

What encryption does SFTP use?

SFTP runs over SSH, which negotiates the strongest mutually-supported cipher. Modern OpenSSH 8+ defaults to [email protected] and [email protected] with curve25519-sha256 key exchange. Older servers fall back to AES-128-CBC or 3DES — still encrypted but slower / weaker.

Are my SSH credentials safe with CloudsLinker?

Username and password (or SSH private key) are encrypted at rest with AES-256 and decrypted only inside the active transfer worker. Best practice: create a dedicated server user account scoped to specific directories (chroot via internal-sftp subsystem), use SSH key auth instead of passwords, and rotate the key periodically.

How do I set up a chrooted SFTP user?

On the SFTP server, edit /etc/ssh/sshd_config: comment out the existing Subsystem sftp line, add Subsystem sftp internal-sftp, then add a Match block: Match Group sftpusers, ChrootDirectory /home/sftp/%u, ForceCommand internal-sftp, AllowTCPForwarding no, X11Forwarding no. Reload sshd. The user is now locked to their chroot directory with no shell access — only SFTP.

Does CloudsLinker work with SFTP servers behind a corporate VPN?

CloudsLinker's transfer infrastructure runs on the public internet. To reach an SFTP server behind a corporate VPN, expose it via port forwarding with strong access controls (SSH key auth + IP allowlist), or set up a bastion host. For air-gapped servers, CloudsLinker is not directly usable.

Can CloudsLinker schedule recurring SFTP transfers?

Yes. Set hourly / daily / weekly schedules with delta sync. Useful for daily log archival, IoT data ingest, scientific instrument exports, or MFT-style B2B file pickup from partner SFTP drops.

How fast can CloudsLinker pull from an SFTP server?

Throughput depends on (1) the server's CPU (SSH encryption overhead), (2) network path between CloudsLinker and the server, (3) destination cloud's ingress speed. Typical sustained throughput is 100–800 GB/day per SFTP connection. Modern servers with AES-NI hardware acceleration approach line rate; older boxes bottleneck on encryption.

Is CloudsLinker an official partner of any SFTP server vendor?

No — SFTP is an open standard (RFC drafts since 2001), not a vendor product. CloudsLinker uses standard SFTP and works with OpenSSH (most Linux servers), Bitvise SSH Server, Cerberus FTP Server, JSCAPE MFT, Couchdrop, AWS Transfer Family, and any RFC-compliant SFTP server.

SFTP transfer guides

Step-by-step walkthroughs for moving data to and from SFTP.

How to Transfer iCloud Photos to an FTP/SFTP Server: Three Methods That Actually Work

Want to get your iCloud Photos library onto your own FTP or SFTP server? This guide covers three real approaches—browser download and FTP …

Backup Google Photos to FTP/SFTP: Easy & Secure Guide

Learn how to securely and efficiently back up your Google Photos to FTP or SFTP servers. This guide provides detailed instructions to ensure …

From FTP/SFTP to SharePoint: Transferring Files Without Local Downloads

Still relying on FTP or SFTP servers for daily file transfers? This guide explains why many teams are moving from traditional file servers …

Move Smarter: Migrating from FTP/SFTP to Zoho WorkDrive

A practical guide to moving files from FTP or SFTP into Zoho WorkDrive — helping you upgrade from legacy hosting to a modern, secure, and …

PikPak to FTP/SFTP: Effortless File Migration

A straightforward, step-by-step guide to migrating your data from PikPak to an FTP/SFTP server — secure, efficient, and designed for peace …

Conclusion

SFTP is the secure default for any server-side file transfer in 2026 — single port, AES-encrypted, key-auth-friendly. CloudsLinker bridges SFTP endpoints to commercial cloud storage with delta sync, resume-on-failure, and chroot-jail compatibility. Connect with host + credentials (or SSH key) + port and start moving Linux server data, IoT telemetry, or B2B file drops to S3 / Google Drive / OneDrive in minutes.

Start Your Free SFTP Transfer