How to securely copy files between Linux hosts using SCP and SFTP
Recently, we looked at the rsync command for syncing files between locations, and we discussed the similarity of usage and syntax when duplicating files and directories with the cp command. In that article, we looked at moving the bits back and forth on the same box, between filesystems, or between devices. In an upcoming article, we'll look more at rsync as a tool to keep remote filesystems in sync with a local or backup version. In this article, I want to take a look at one of the most useful and used tools in the Linux sysadmin toolbox—the
What is SCP?
Secure Copy, or scp, is a secure version of the older rcp tool (which is still used, but less common) included in the OpenSSH suite of tools.
OpenSSH started as a BSD fork of the original SSH secure communications protocol, which has since become re-licensed as "non-free" and thus not generally available for Linux. OpenSSH is still maintained under the BSD license and is available for a wide range of platforms. It includes several common tools for secure remote access, including key generation,
sftp (a secure version of FTP, which we'll get to in a bit).
Recently, OpenSSH developers have indicated that they consider scp to be deprecated (they believe it is "Outdated, inflexible and not easily fixed"). It is unclear when it will cease to be available in future releases of OpenSSH, though it's hard to imagine that it will be dropped anytime soon.
The usefulness of scp lies in its simplicity. I use it to quickly move files to a remote filesystem from the shell:

    skipworthy ~ scp ./enable/foo/testfoo showme:/home/skipworthy/enable
    skipworthy@showme's password:
    testfoo 100% 25 8.0KB/s 00:00

Easy as pie. I can get a file from a remote location, too:

    skipworthy ~ scp showme:/home/skipworthy/enable/demofoo ~/enable/
    skipworthy@showme's password:
    demofoo 100% 0 0.0KB/s 00:00
    skipworthy ~ ls ./enable
    bar demofoo foo

The available connection options are the same as with ssh. For example:

    skipworthy ~ scp -P 2020 -i ~/.ssh/id_rsa ./test.txt showme:/home/skipworthy/enable/
    test.txt 100% 0 0.0KB/s 00:00

-P specifies the port for the
-i specifies an ssh id key to use for authentication.
Both these options are useful for scripts. Note that the scp -P differs from the ssh -p for specifying the port. In the example above, I set the location of an ssh key (~/.ssh/id_rsa)—which I also generated using the OpenSSH toolkit—to authenticate access to the remote device. Learn about SSH file copies here.
So you can see scp is a really useful tool to have at your fingertips. There is some discussion of the wisdom of using this tool in a secure environment, so YMMV. I'd suggest doing some reading and deciding for yourself.
What if, for whatever reason, we can't use scp? I recommend two other options that are pretty easy to use: rsync, which we have talked about here and will discuss in more depth in another article, and sftp. While neither of these options is as convenient as scp, both have some useful features.
sftp is pretty much what it sounds like: Secure FTP. It acts like FTP over an SSH-managed connection. While it's not as simple to use as the "one and done" scp command, it offers a range of more sophisticated filesystem options and the ability to connect to a remote filesystem interactively. It does require that the target filesystem be configured for
Let's connect to an sftp server interactively:

    skipworthy ~ sftp enable@ganymede
    enable@ganymede's password:
    Connected to ganymede.
    sftp> pwd
    Remote working directory: /upload
    sftp> mkdir test
    sftp> ls -al
    drwxr-xr-x 3 1002 1002 18 Nov 24 21:53 .
    drwxr-xr-x 3 0 1002 20 Nov 24 21:33 ..
    drwxr-xr-x 2 1002 1002 6 Nov 24 21:53 test

If we hit Tab twice, we can see a list of commands available at the shell:

    sftp>
    bye cd chdir chgrp chmod chown df dir exit get help lcd
    lchdir lls lmkdir ln lpwd ls lumask mkdir mget mput progress put
    pwd quit reget rename reput rm rmdir symlink version ! ?

So you can see it's possible to interact with the remote filesystem. Again, the main disadvantages are the target has to be configured for sftp access and access to a specific directory has to be configured and limited by the admin of that system. This makes it a more secure, if less convenient, option than scp. Also, note that while it's not really possible to do impromptu file transfers like scp, it is possible to write scripts and insert shell aliases to make this work more smoothly if that's your jam.
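
One way to script this, as an added example that is not part of the original article: a POSIX shell wrapper that gives sftp a one-shot, scp-style upload through batch mode (sftp -b), and that also captures the -p versus -P difference noted earlier. The function names port_flag, make_batch and sftp_push are hypothetical, and the host, key and directory in the usage comment are sample values taken from the sessions above.

```shell
#!/bin/sh
# Added example: scp-style one-shot upload over sftp batch mode.
# Usage (sample values from the sessions above):
#   sftp_push enable@ganymede 22 ~/.ssh/id_rsa /upload ./test.txt

# ssh takes the port as -p; scp and sftp take it as -P.
port_flag() {
    case "$1" in
        ssh)      printf '%s\n' '-p' ;;
        scp|sftp) printf '%s\n' '-P' ;;
        *)        echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# Print sftp batch commands that upload the given files into remote_dir.
# Paths are double-quoted so names with spaces survive sftp's parser;
# names that could break out of the quotes are rejected.
make_batch() (
    nl='
'
    for p in "$@"; do
        case "$p" in
            *'"'*|*\\*|*"$nl"*) echo "refusing unsafe path: $p" >&2; exit 1 ;;
        esac
    done
    remote_dir=$1; shift
    printf 'cd "%s"\n' "$remote_dir"
    for f in "$@"; do printf 'put "%s"\n' "$f"; done
    printf 'bye\n'
)

# sftp_push user@host port keyfile remote_dir file...
sftp_push() (
    target=$1; port=$2; key=$3; remote_dir=$4; shift 4
    batch=$(mktemp) || exit 1
    trap 'rm -f "$batch"' EXIT
    make_batch "$remote_dir" "$@" > "$batch" || exit 1
    # -b runs the batch file with no user interaction, so key
    # authentication (-i) has to work without a password prompt.
    sftp -b "$batch" "$(port_flag sftp)" "$port" -i "$key" "$target"
)
```

In batch mode sftp aborts when a cd or put fails, so a missing remote directory shows up as a non-zero exit status from sftp_push.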
Final note: Both these tools rely on the SSH toolbox, which is a very important part of Linux systems administration, so I highly recommend getting comfortable with it. Consider these excellent articles by Enable Sysadmin writers: