Both SFTP and FTPS encrypt your file transfers. Both have an "S" in the name. They're frequently confused with each other, and that confusion matters, because they are completely different technologies that work in completely different ways.
Choosing the wrong one when setting up a connection will result in a failed connection. Choosing the right one requires understanding what each actually is. Here's the clear explanation.
FTP: the baseline
Before getting to the secure variants, it helps to understand plain FTP. The File Transfer Protocol was designed in the early 1970s — long before the internet looked anything like it does today. It has no encryption whatsoever. Credentials (your username and password) travel in plaintext over the network. So does the content of your files.
FTP is still widely used on internal networks where traffic never leaves a trusted environment, on legacy hosting setups, or in controlled situations where encryption isn't a concern. It's simple, it works, and it's supported by virtually every server. But over the public internet, sending credentials in plaintext is not something you want to do.
That's where the two secure variants come in — and where people start getting confused.
SFTP (SSH File Transfer Protocol)
Despite the name, SFTP is not FTP with security added. It's a completely different protocol, developed independently as part of the SSH (Secure Shell) protocol suite.
SFTP runs over SSH on port 22. Everything — authentication, commands, file contents — is encrypted by the SSH layer. An SFTP client and a standard FTP client are speaking fundamentally different protocols, even if the end result (transferring files) looks the same to the user.
Key characteristics of SFTP:
- Runs over SSH. If a server has SSH enabled, it almost certainly has SFTP available too — no separate setup required.
- Single port (22). All communication happens on one port, which makes firewall configuration straightforward.
- Key-based authentication. Instead of a password, you can authenticate with an SSH key pair. The private key never leaves your machine; the server only stores the public key. This is significantly more secure than password authentication.
- Encrypted end-to-end. Credentials and file contents are always encrypted, regardless of what network you're on.
- No TLS certificates needed. Authentication is handled by SSH keys or passwords over SSH — no certificate authority, no certificate renewal.
FTPS (FTP over TLS)
FTPS is actual FTP with TLS encryption added on top. It's a different approach: take the existing FTP protocol and wrap the connection in TLS, the same encryption layer used by HTTPS.
There are two modes of FTPS:
Explicit FTPS (FTPES)
The client connects to the server on port 21 (the standard FTP port) and immediately sends an AUTH TLS command to upgrade the connection to an encrypted one. The server must support this command. This mode is called "explicit" because the client explicitly requests the TLS upgrade.
Implicit FTPS
The client connects to port 990 and the TLS handshake happens immediately — before any FTP communication. There's no unencrypted phase. This mode is less common but still used on some servers.
Key characteristics of FTPS:
- Based on FTP. Same command set, same passive/active mode considerations, same multi-port behavior for data transfers.
- Requires a TLS certificate. The server needs a valid SSL/TLS certificate, which needs to be renewed periodically.
- Firewall complexity. FTP in passive mode opens a range of dynamic data ports. Firewalls need to understand FTP to inspect these connections properly (this is called FTP-aware firewall inspection). With TLS encryption, the firewall can't inspect FTP traffic, which can complicate passive mode.
- Password-based only. FTPS doesn't support key-based authentication — you authenticate with a username and password (which is, however, encrypted by TLS).
- High compatibility. Many corporate and hosting environments offer FTPS because it's a direct upgrade path from an existing FTP setup.
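The three protocols can be told apart from the first bytes of a session, which also shows whether an FTP login went out before TLS was in place. The following is an added example, not code from the original article or from FTPSuite; the `classify` function, its labels and the sample transcripts are constructed for illustration.

```python
# Added example. All transcripts are constructed, not real captures.
TLS_HANDSHAKE = b"\x16\x03"  # TLS record header: type 22 (handshake), major version 3
def classify(transcript):
    """transcript: list of (sender, data) readable on the wire before encryption;
    sender is 'S' (server) or 'C' (client). Returns (protocol_label, findings)."""
    findings = []
    if not transcript:
        return "unknown", findings
    sender, first = transcript[0]
    if sender == "C" and first.startswith(TLS_HANDSHAKE):
        return "ftps-implicit-candidate", findings   # TLS before any FTP
    if sender == "S" and first.startswith(b"SSH-"):
        return "ssh-sftp", findings                  # SSH identification string
    if not (sender == "S" and first.startswith(b"220")):
        return "unknown", findings
    auth_pending = False
    for sender, data in transcript[1:]:
        if sender == "C":
            parts = data.split(None, 1)
            verb = parts[0].upper() if parts else b""
            if verb == b"AUTH":
                auth_pending = True
            elif verb in (b"USER", b"PASS"):
                # Record the command only, never the credential value.
                findings.append(verb.decode() + " sent in cleartext")
        elif auth_pending:
            auth_pending = False
            if data.startswith(b"234"):
                # 234 accepts AUTH TLS; the rest of the session is inside TLS.
                return "ftps-explicit", findings
            findings.append("AUTH TLS refused with " + data[:3].decode())
    return "ftp-plain", findings

SAMPLES = {
    "sftp": [("S", b"SSH-2.0-ExampleSSH_1.0\r\n")],
    "explicit": [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
                 ("S", b"234 proceed\r\n")],
    "implicit": [("C", b"\x16\x03\x01\x00\x05hello")],
    "plain": [("S", b"220 ready\r\n"), ("C", b"USER alice\r\n"),
              ("S", b"331 need password\r\n"), ("C", b"PASS example\r\n"),
              ("S", b"230 ok\r\n")],
    "fallback": [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
                 ("S", b"502 not implemented\r\n"), ("C", b"USER alice\r\n"),
                 ("S", b"331 need password\r\n"), ("C", b"PASS example\r\n")],
}
if __name__ == "__main__":
    for name, t in SAMPLES.items():
        print(name, classify(t))
```

The "fallback" transcript is the case worth alerting on: the server refused AUTH TLS and the client logged in anyway, so the session that was meant to be explicit FTPS carried the credentials as plain FTP.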
Side-by-side comparison
| Feature | FTP | SFTP | FTPS |
|---|---|---|---|
| Based on | FTP | SSH | FTP + TLS |
| Default port | 21 | 22 | 21 (explicit) / 990 (implicit) |
| Encryption | None | Always (SSH) | Yes (TLS) |
| Key-based auth | No | Yes | No |
| Certificate needed | No | No | Yes |
| Firewall-friendly | Complex | Simple (1 port) | Complex |
| Server availability | Universal | Any SSH server | Requires setup |
Which should you use?
Use SFTP if: you control the server (or it's a Linux/Unix server with SSH), security is a priority, and you want simple firewall configuration. SFTP is the modern standard. If there's no particular reason to use anything else, SFTP is the right default.
Use FTPS if: your hosting provider or a client's server requires it, or you're adding encryption to an existing FTP setup and can't change the infrastructure. Many corporate environments that have operated FTP servers for years choose FTPS as the upgrade path because it requires less change to the existing setup.
Use plain FTP if: you're on a trusted internal network where encryption isn't necessary, or you're dealing with a legacy system that doesn't support either secure variant. Avoid it entirely for anything over the public internet.
FTPSuite supports all three
FTPull (for automatic downloads) and FTPush (for automatic uploads) both handle FTP, SFTP, and FTPS natively. Selecting the protocol in the connection settings takes one click — the app handles the underlying differences automatically. You enter the host, port, credentials, and protocol; the rest is handled for you.
If you're not sure which protocol your server uses, see our guide: FTP, SFTP, and FTPS: Which Protocol Does Your Server Use?