January 5, 2025 | TrueFTP Team

FTP vs SFTP vs FTPS: Which Protocol Should You Use?

Compare FTP, SFTP, and FTPS protocols. Understand the security implications, ports, firewall behavior, and use cases so you can choose the right one.

If you move files between systems, you've run into three acronyms that look almost identical but behave very differently: FTP, SFTP, and FTPS. Choosing the wrong one leads to firewall headaches, failed automations, or — worse — unencrypted data on the wire. Here's how they actually differ.

FTP: the original, now unencrypted

Plain FTP (File Transfer Protocol) dates to the 1970s. It uses a control connection on port 21 and a separate data connection for each transfer. Its fatal flaw today: everything, including your password, travels in clear text. Plain FTP is fine inside a trusted, isolated network, but it should never carry sensitive data across the public internet.

FTPS: FTP wrapped in TLS

FTPS (FTP Secure) is plain FTP with a TLS layer added — the same encryption that secures HTTPS. Two flavors exist:

  • Explicit FTPS (AUTH TLS): Connects on the normal port 21, then upgrades to TLS. This is the recommended mode.
  • Implicit FTPS: Assumes TLS from the first byte, traditionally on port 990.

FTPS keeps the FTP command set and directory model your existing clients and scripts already understand, while encrypting both the control and data channels. The one operational wrinkle is passive-mode port ranges: because the data connection uses a separate port, firewalls must allow a configured passive range.
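With explicit FTPS, only what is sent after a successful AUTH TLS is encrypted, and under RFC 4217 the data channel stays in clear text until the client also sends PROT P. The following added example (not from the original article and not TrueFTP code) audits the command order of a control-channel session for both conditions; the function name `audit_session` and the sample sessions are constructed for illustration.

```python
# Added example, not TrueFTP code. Command names are from RFC 959 and
# RFC 4217; the sessions at the bottom are constructed sample data.

CREDENTIAL_CMDS = {"USER", "PASS", "ACCT"}
TRANSFER_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}


def audit_session(exchanges):
    """Audit one control-channel session.

    exchanges: ordered (client_command, server_reply_code) pairs.
    Returns a list of (position, finding) tuples; empty means clean.
    """
    findings = []
    tls_active = False      # control channel upgraded by AUTH TLS
    data_protected = False  # data channel stays clear until PROT P

    for pos, (command, reply) in enumerate(exchanges, start=1):
        verb, _, arg = command.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()

        if verb == "AUTH" and reply == 234:
            tls_active = True
            data_protected = False          # PROT must be reissued after AUTH
        elif verb == "CCC" and 200 <= reply < 300:
            tls_active = False              # control channel back to clear text
        elif verb == "PROT" and 200 <= reply < 300:
            data_protected = (arg == "P")   # P = private, C = clear
        elif verb in CREDENTIAL_CMDS and not tls_active:
            findings.append((pos, f"{verb} sent before TLS upgrade"))
        elif verb in TRANSFER_CMDS and not data_protected:
            findings.append((pos, f"{verb} data channel not encrypted"))
    return findings


# Constructed sessions: a plain FTP login, an explicit FTPS login that
# forgets PROT P, and a fully protected explicit FTPS session.
PLAIN = [("USER alice", 331), ("PASS hunter2", 230), ("RETR a.csv", 226)]
NO_PROT = [("AUTH TLS", 234), ("USER alice", 331), ("PASS hunter2", 230),
           ("PASV", 227), ("STOR a.csv", 226)]
PROTECTED = [("AUTH TLS", 234), ("USER alice", 331), ("PASS hunter2", 230),
             ("PBSZ 0", 200), ("PROT P", 200), ("PASV", 227),
             ("STOR a.csv", 226)]

if __name__ == "__main__":
    for name, session in (("plain", PLAIN), ("no-prot", NO_PROT),
                          ("protected", PROTECTED)):
        print(name, audit_session(session))
```

The findings deliberately omit command arguments, so passwords from the audited log are not copied into the report.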

SFTP: a different protocol entirely

Despite the name, SFTP (SSH File Transfer Protocol) is not FTP with security bolted on — it's a completely separate protocol that runs over SSH, typically on port 22. Because it uses a single connection, it's generally easier on firewalls than FTP/FTPS. It's the default in many Unix and DevOps environments thanks to SSH key authentication.

Side-by-side

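|                       | FTP            | FTPS                     | SFTP                 |
|-----------------------|----------------|--------------------------|----------------------|
| Encryption            | None           | TLS                      | SSH                  |
| Default port          | 21             | 21 (explicit) / 990      | 22                   |
| Connections           | Control + data | Control + data           | Single               |
| Firewall friendliness | Poor           | Moderate (passive range) | Good                 |
| Auth                  | Password       | Password + TLS certs     | Password or SSH keys |
| Based on              | FTP            | FTP                      | SSH                  |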

Which should you use?

  • Never use plain FTP across untrusted networks.
  • Choose FTPS when partners, legacy systems, or existing FTP tooling expect the FTP command model and you want TLS encryption with minimal change. This is what TrueFTP uses — FTP over explicit TLS.
  • Choose SFTP when you live in an SSH-centric environment and want key-based auth and single-port simplicity.

Where TrueFTP fits

TrueFTP delivers managed FTP over explicit TLS (FTPS), so your existing FileZilla, WinSCP, Cyberduck, and scripted clients connect securely with only a host and credential change — backed by S3 storage, version history, and a full audit trail. If your workflow specifically requires SSH-based SFTP, get in touch about enterprise options.

Ready to try it? Start a free trial and connect your first client in minutes.
