FTP is a file transfer protocol that does not include any options for encrypting data in transit. It was originally designed for use in private scientific and research networks and is based on a specification defined in 1985 by the Internet Engineering Task Force in RFC 959. FTP uses two connections to send data. Authentication data (e.g., usernames and passwords) is exchanged on a command channel. Data files are sent on a separate channel that is established after the authentication is complete.
Secure FTP is a broad term that refers to two different technologies that can encrypt both authentication information and data files in transit.
- FTPS refers to secure FTP that uses SSL or TLS for encryption. FTPS is very similar to FTP and uses extensions to FTP that add support for the Transport Layer Security (TLS RFC 4217) and Secure Socket Layer (SSL RFC 2228) protocols. Like FTP, FTPS uses two connections – a command channel and a data channel. You can choose whether to encrypt both connections or only the data channel.
- SFTP refers to the use of Secure Shell or SSH network protocol to exchange data over a secure channel. Unlike FTP and FTPS, the SFTP protocol is only a draft specification, which can cause small incompatibilities between SFTP client and server implementations. SFTP uses only one connection and encrypts both authentication information and data files being transferred.
Secure FTP protocols protect data only while it is being transmitted. Once data files have been written to a secure FTP server, the data is no longer protected unless the files were encrypted before transmission. A typical scenario is to encrypt files using a tool like PGP and then transmit using either SFTP or FTPS. Diplomat OpenPGP Community Edition is a free tool to PGP-encrypt files.
If you are currently using secure FTP protocols or are considering it for the future, drop us an email to firstname.lastname@example.org or call 781.210.3310 x1.