Every deployment ultimately comes down to transferring files from one machine to another. Whether you're pushing code to a server, syncing assets to a staging environment, or downloading backups, you need a secure file transfer method. The three most common options — SFTP, SCP, and rsync — all use SSH for encryption, but they work very differently under the hood.
This guide compares all three with practical examples and helps you choose the right one for your deployment workflow.
Quick Comparison
| Feature | SFTP | SCP | rsync |
|---|---|---|---|
| Protocol | SSH File Transfer Protocol | Secure Copy (over SSH) | Remote sync (over SSH) |
| Transfer type | Full file transfer | Full file transfer | Delta transfer (only changes) |
| Resume interrupted transfers | Yes | No | Yes |
| Directory listing | Yes | No | Yes |
| Interactive mode | Yes (like FTP) | No (command-line only) | No (command-line only) |
| Bandwidth efficiency | Moderate | Moderate | Excellent (delta algorithm) |
| Status in 2025 | Active, recommended | Deprecated in OpenSSH 9.0 | Active, recommended |
| Best for | General file management | Legacy one-off copies | Incremental deployments |
SFTP: SSH File Transfer Protocol
SFTP is the modern standard for secure file transfer. Despite the name, it has nothing to do with FTP — it's a completely separate protocol that runs over SSH.
How It Works
SFTP establishes an SSH connection and then provides a file transfer subsystem on top of it. You get a full set of file operations: upload, download, rename, delete, list directories, change permissions.
Command Examples
Upload a file:
sftp user@server.example.com
sftp> put index.html /var/www/html/
sftp> exit
Non-interactive upload:
sftp user@server.example.com <<EOF
put -r dist/ /var/www/html/
EOF
Upload with a specific SSH key:
sftp -i ~/.ssh/deploy_key user@server.example.com
Download a directory recursively:
sftp user@server.example.com
sftp> get -r /var/www/html/backups/ ./local-backups/
When to Use SFTP
- General-purpose file management on remote servers
- Interactive file browsing and operations
- When you need resume support for large transfers
- As a replacement for FTP (which is insecure)
- Automated deployments via tools like DeployHQ
SCP: Secure Copy Protocol
SCP is the simplest file transfer method — it copies files over SSH with a single command. However, OpenSSH deprecated the SCP protocol in version 9.0 (released April 2022) in favor of SFTP.
The Deprecation
Modern scp commands actually use SFTP internally by default (since OpenSSH 9.0). The scp command still exists for backward compatibility, but the underlying protocol is now SFTP. You can force the legacy SCP protocol with -O, but there's rarely a reason to.
Command Examples
Copy a file to a remote server:
scp index.html user@server.example.com:/var/www/html/
Copy a directory recursively:
scp -r dist/ user@server.example.com:/var/www/html/
Copy with a specific SSH key:
scp -i ~/.ssh/deploy_key -r dist/ user@server.example.com:/var/www/html/
Download from remote:
scp user@server.example.com:/var/www/html/backup.tar.gz ./
When to Use SCP
- Quick one-off file copies where you don't need interactivity
- Legacy scripts that already use
scp(they'll use SFTP under the hood now) - Simple transfers where rsync's features aren't needed
rsync: The Delta Transfer Tool
rsync is the most powerful of the three. Its killer feature is the delta transfer algorithm — it compares files on both sides and only transfers the differences. For deployments where most files haven't changed, this is dramatically faster than copying everything.
How It Works
flowchart LR A[Local files] --> B[rsync compares checksums] C[Remote files] --> B B --> D[Transfer only changed bytes] D --> E[Updated remote files]
rsync splits each file into blocks, computes checksums, and sends only the blocks that differ. A 10 MB file with a one-line change might only transfer a few kilobytes.
Command Examples
Sync a directory to a remote server:
rsync -avz dist/ user@server.example.com:/var/www/html/
Flags explained:
-a(archive): preserves permissions, timestamps, symlinks, ownership-v(verbose): shows progress-z(compress): compresses data during transfer
Sync with delete (remove files on remote that don't exist locally):
rsync -avz --delete dist/ user@server.example.com:/var/www/html/
Dry run (see what would change without actually transferring):
rsync -avzn --delete dist/ user@server.example.com:/var/www/html/
Exclude files:
rsync -avz --exclude='node_modules' --exclude='.env' \
./ user@server.example.com:/var/www/html/
Use a specific SSH key:
rsync -avz -e "ssh -i ~/.ssh/deploy_key" \
dist/ user@server.example.com:/var/www/html/
When to Use rsync
- Deployments with large codebases where most files don't change
- Syncing directories that change incrementally
- Backups (only transfer what changed since last backup)
- Any transfer where bandwidth is limited or expensive
Performance Comparison
For a project with 1,000 files (50 MB total) where 10 files changed since the last deploy:
| Method | First deploy | Subsequent deploys |
|---|---|---|
| SFTP | ~50 MB transferred | ~50 MB transferred |
| SCP | ~50 MB transferred | ~50 MB transferred |
| rsync | ~50 MB transferred | ~500 KB transferred |
rsync's advantage grows with project size. For a 500 MB project with small daily changes, rsync saves massive bandwidth and time.
Security Considerations
All three methods use SSH for encryption. The security fundamentals are the same:
- Authentication: Use SSH key pairs instead of passwords
- Port: Default is 22 — consider changing it to reduce automated scanning
- Key management: Use dedicated deploy keys with restricted permissions
- Firewall: Allow SSH only from known IP addresses
Deploy Key Best Practice
Create a dedicated key pair for deployments:
ssh-keygen -t ed25519 -f ~/.ssh/deploy_key -C "deploy@example.com"
On the server, restrict the key to specific commands in ~/.ssh/authorized_keys:
command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA... deploy@example.com
FTP vs SFTP
If you're still using plain FTP, stop. FTP transmits passwords and file contents in plain text — anyone on the network can read them.
| Feature | FTP | SFTP |
|---|---|---|
| Encryption | None (plain text) | SSH encryption |
| Password security | Sent in clear text | Encrypted |
| File integrity | No verification | Checksum verification |
| Firewall friendly | Requires multiple ports | Single port (22) |
| Resume support | Yes | Yes |
There is no reason to use FTP in 2025. If your hosting provider only supports FTP, it's time to switch providers.
How This Relates to Deployment
When you deploy with DeployHQ, you choose your transfer protocol during project setup. DeployHQ supports SFTP, FTP/S, and direct integrations with cloud services like S3 and DigitalOcean.
For server deployments, SFTP is the default and recommended protocol. DeployHQ connects to your server via SSH, compares the files in your Git repository with what's on the server, and transfers only the changed files — similar to how rsync works.
This means:
- First deploy transfers all files
- Subsequent deploys only transfer changed files (fast and bandwidth-efficient)
- Deleted files are removed from the server automatically
- Permissions are preserved during transfer
Whether you push from GitHub or GitLab, DeployHQ handles the file transfer securely. For agencies managing dozens of client servers, having a consistent, secure transfer method across all projects reduces operational risk.
FAQ
Is rsync better than SFTP for deployments? For manual deployments, yes — rsync's delta algorithm is significantly faster for incremental updates. But deployment tools like DeployHQ already implement similar delta logic over SFTP, so you get the speed benefit without writing rsync commands.
Can I use rsync with a non-standard SSH port?
Yes: rsync -avz -e "ssh -p 2222" src/ user@server:/dest/
Does SFTP support file permissions? Yes. SFTP can set permissions, ownership, and timestamps on remote files, similar to rsync's archive mode.
Is SCP really deprecated?
The SCP protocol is deprecated, but the scp command still works — it just uses SFTP internally now. Your existing scripts won't break, but there's no reason to write new ones using scp when sftp or rsync do everything better.
Which protocol does DeployHQ use? DeployHQ supports SFTP (recommended), FTP/S, and various cloud provider APIs. SFTP connections use SSH key authentication for maximum security.
For most deployments, SFTP is the safe default. For manual syncing of large directories, rsync saves significant time and bandwidth. And for everything else, let your deployment tool handle the transfer protocol for you.
Try DeployHQ free — deploy via SFTP with automatic delta transfers on every push. See pricing for team plans.
Questions? Reach out at support@deployhq.com or @deployhq.