RED HAT ENTERPRISE LINUX

Secure File Transfer

Transferring Files Safely Between Systems

College-Level Course Module | RHEL System Administration

Learning Objectives

Understand secure transfer concepts

Why encryption matters and how SSH protects file transfers

Use scp for secure copying

Copy files and directories between local and remote systems

Use sftp for interactive transfers

Navigate remote filesystems and transfer files interactively

Use rsync for efficient synchronization

Synchronize files efficiently, transferring only differences

Why Secure Transfer?

Secure file transfer encrypts both authentication credentials and data content, preventing eavesdropping and tampering during transmission.

Insecure (FTP, Telnet)

Passwords sent in plain text
File contents visible to attackers
No verification of server identity
Vulnerable to man-in-the-middle

Secure (SSH-based)

All traffic encrypted
Server identity verified
Strong authentication options
Integrity checking included

Client

→

SSH Encryption

→

Server

SSH Foundation

scp, sftp, and rsync all use SSH for secure transport. They inherit SSH authentication, encryption, and configuration.

# All three tools use SSH and share its configuration
# SSH config applies (~/.ssh/config)
[user@host ~]$ cat ~/.ssh/config
Host webserver
    HostName 192.168.1.100
    User admin
    Port 2222
    IdentityFile ~/.ssh/web_key

# Now all tools use these settings:
[user@host ~]$ scp file.txt webserver:/tmp/
[user@host ~]$ sftp webserver
[user@host ~]$ rsync -av data/ webserver:/backup/

# Common SSH options work with scp and sftp:
# -P port    (note: uppercase for scp/sftp)
# -i keyfile (specify identity/key file)
# -o option  (pass SSH options)

Comparing Tools

scp

Best for: Quick, simple copies

Style: Command-line, non-interactive

Features: Basic copy, recursive dirs

Efficiency: Full file transfer each time

sftp

Best for: Interactive browsing

Style: Interactive session

Features: Navigate, list, get, put

Efficiency: Full file transfer each time

rsync

Best for: Sync, backup, large transfers

Style: Command-line, powerful

Features: Delta sync, preserve, resume

Efficiency: Transfers only differences!

Feature	scp	sftp	rsync
Interactive mode	No	Yes	No
Resume interrupted	No	Limited	Yes
Transfer only changes	No	No	Yes
Preserve permissions	Yes (-p)	Yes	Yes (-a)

scp Basics

scp (secure copy) copies files between hosts using SSH. Syntax is similar to cp, with remote locations specified as user@host:path.

scp [options] source destination

Remote format: user@hostname:/path/to/file

# Copy local file TO remote system
[user@local ~]$ scp report.pdf admin@server:/home/admin/
report.pdf                    100%  2.5MB  12.3MB/s   00:00

# Copy remote file TO local system
[user@local ~]$ scp admin@server:/var/log/messages ./server-messages.log

# Copy to/from specific directory
[user@local ~]$ scp config.txt admin@server:/etc/myapp/

# Copy with different remote username
[user@local ~]$ scp file.txt root@192.168.1.100:/tmp/

Remember: The colon : separates host from path. server:file is remote. ./file is local.

scp Options

# Copy directories recursively with -r
[user@local ~]$ scp -r project/ admin@server:/home/admin/backup/
file1.txt                     100%  1024    50.0KB/s   00:00
file2.txt                     100%  2048    98.5KB/s   00:00
subdir/file3.txt              100%   512    25.0KB/s   00:00

# Preserve modification times and permissions with -p
[user@local ~]$ scp -rp project/ admin@server:/backup/

# Use specific SSH port with -P (uppercase!)
[user@local ~]$ scp -P 2222 file.txt admin@server:/tmp/

# Use specific SSH key
[user@local ~]$ scp -i ~/.ssh/mykey file.txt admin@server:/tmp/

# Limit bandwidth (in Kbit/s)
[user@local ~]$ scp -l 1000 largefile.iso admin@server:/data/

# Verbose output for debugging
[user@local ~]$ scp -v file.txt admin@server:/tmp/

Common mistake: Port option is -P (uppercase) for scp, but -p (lowercase) for ssh. Lowercase -p in scp means preserve attributes!

scp Remote to Remote

# Copy between two remote hosts (through local machine)
[user@local ~]$ scp admin@server1:/data/file.txt admin@server2:/backup/

# This routes traffic: server1 -> local -> server2
# Requires authentication to both servers from local machine

# Use -3 to force routing through local (default in newer scp)
[user@local ~]$ scp -3 admin@server1:/data/file.txt admin@server2:/backup/

# Alternative: SSH to server1 and scp from there
[user@local ~]$ ssh admin@server1
[admin@server1 ~]$ scp /data/file.txt admin@server2:/backup/

Network consideration: When copying between remote hosts via your local machine, data travels twice across the network. For large files, SSH directly to one server and scp from there.

sftp Introduction

sftp (SSH File Transfer Protocol) provides an interactive file transfer session. Navigate directories, list files, and transfer interactively - all encrypted over SSH.

# Connect to remote system
[user@local ~]$ sftp admin@server
Connected to server.
sftp>

# You are now in an interactive sftp session
sftp> pwd                   # Show remote working directory
Remote working directory: /home/admin

sftp> lpwd                  # Show LOCAL working directory
Local working directory: /home/user

sftp> ls                    # List remote files
documents  downloads  scripts

sftp> lls                   # List LOCAL files
file1.txt  file2.txt  project/

sftp> help                  # Show available commands

Convention: Commands prefixed with 'l' (lls, lcd, lpwd) operate on the local system. Unprefixed commands operate on the remote system.

sftp Navigation

sftp> cd /var/log           # Change remote directory
sftp> pwd
Remote working directory: /var/log

sftp> ls -la                # Detailed listing (remote)
drwxr-xr-x    2 root     root         4096 Jan 20 10:00 .
drwxr-xr-x   22 root     root         4096 Jan 15 08:30 ..
-rw-r--r--    1 root     root       102400 Jan 20 10:00 messages
-rw-r--r--    1 root     root        51200 Jan 20 09:00 secure

sftp> lcd ~/downloads       # Change LOCAL directory
sftp> lpwd
Local working directory: /home/user/downloads

# Use wildcards
sftp> ls *.log
messages.log  secure.log  boot.log

# Check file size before downloading
sftp> ls -l messages
-rw-r--r--    1 root     root    104857600 Jan 20 10:00 messages

sftp Transfers

# Download file from remote (get)
sftp> get messages
Fetching /var/log/messages to messages
/var/log/messages                     100%  100MB  12.5MB/s   00:08

# Download with different local name
sftp> get messages server-messages.log

# Download multiple files (wildcards)
sftp> mget *.log
Fetching /var/log/messages.log to messages.log
Fetching /var/log/secure.log to secure.log

# Upload file to remote (put)
sftp> put config.txt
Uploading config.txt to /home/admin/config.txt
config.txt                            100%  1024    50.0KB/s   00:00

# Upload multiple files
sftp> mput *.txt

# Download/upload directories recursively
sftp> get -r project/
sftp> put -r backup/

sftp Management

# Create remote directory
sftp> mkdir newdir

# Remove remote file
sftp> rm oldfile.txt

# Remove remote directory
sftp> rmdir emptydir

# Rename remote file
sftp> rename oldname.txt newname.txt

# Change remote file permissions
sftp> chmod 644 config.txt

# Batch mode - commands from file
[user@local ~]$ sftp -b commands.txt admin@server

# Exit sftp session
sftp> exit
# Or: quit, bye, Ctrl+D

File management: sftp is not just for transfers - you can create directories, delete files, change permissions, all within the secure session.

rsync Introduction

rsync efficiently synchronizes files between locations. It transfers only the differences between source and destination, saving time and bandwidth.

rsync [options] source destination

Remote format: user@hostname:/path/to/dir/

# Basic rsync to remote (uses SSH automatically)
[user@local ~]$ rsync file.txt admin@server:/backup/

# rsync with common options
[user@local ~]$ rsync -avz data/ admin@server:/backup/data/
sending incremental file list
./
file1.txt
file2.txt
subdir/
subdir/file3.txt

sent 1,234 bytes  received 89 bytes  2,646.00 bytes/sec
total size is 10,240  speedup is 7.74

Delta transfer: rsync compares files and only transfers changed portions. A 1GB file with 1MB changed = ~1MB transfer, not 1GB!

rsync Options

# Archive mode (-a): recursive, preserves everything
[user@local ~]$ rsync -a source/ dest/
# -a equals: -rlptgoD (recurse, links, perms, times, group, owner, devices)

# Common useful combinations:
[user@local ~]$ rsync -av source/ admin@server:/dest/     # Archive + verbose
[user@local ~]$ rsync -avz source/ admin@server:/dest/    # + compression
[user@local ~]$ rsync -avzP source/ admin@server:/dest/   # + progress + partial

# Show progress for large transfers
[user@local ~]$ rsync -av --progress largefile.iso admin@server:/data/
largefile.iso
    524,288,000  50%   10.23MB/s    0:00:24

# Delete files in dest that do not exist in source (mirror)
[user@local ~]$ rsync -av --delete source/ admin@server:/dest/

# Dry run - show what WOULD be done without doing it
[user@local ~]$ rsync -avn --delete source/ admin@server:/dest/
deleting oldfile.txt
newfile.txt

--delete is dangerous! It removes files from destination. Always do a dry run (-n) first to see what would be deleted.

rsync Trailing Slash

Critical! Trailing slash on source directory changes behavior significantly. This is the most common rsync mistake.

# WITH trailing slash: copy CONTENTS of source INTO dest
[user@local ~]$ rsync -av source/ dest/
# Result: dest/file1.txt, dest/file2.txt

# WITHOUT trailing slash: copy source directory INTO dest
[user@local ~]$ rsync -av source dest/
# Result: dest/source/file1.txt, dest/source/file2.txt

# Example with actual paths:
[user@local ~]$ ls project/
app.py  config.yaml  data/

# This copies contents into /backup/
[user@local ~]$ rsync -av project/ admin@server:/backup/
# Remote: /backup/app.py, /backup/config.yaml, /backup/data/

# This creates project dir inside /backup/
[user@local ~]$ rsync -av project admin@server:/backup/
# Remote: /backup/project/app.py, /backup/project/config.yaml

Memory aid: Trailing slash means "contents of" - like ending with /* but better. No slash means "this directory itself."

rsync Backups

# Basic backup to remote server
[user@local ~]$ rsync -avz --delete ~/data/ admin@backup:/backups/data/

# Backup with excluded files/directories
[user@local ~]$ rsync -avz --exclude='*.tmp' --exclude='cache/' \
    ~/project/ admin@backup:/backups/project/

# Exclude patterns from file
[user@local ~]$ cat exclude.txt
*.log
*.tmp
.git/
node_modules/
__pycache__/

[user@local ~]$ rsync -avz --exclude-from=exclude.txt \
    ~/project/ admin@backup:/backups/project/

# Resume interrupted transfer
[user@local ~]$ rsync -avzP --partial ~/large.iso admin@server:/data/
# If interrupted, run same command again - it resumes!

Incremental backup: After initial sync, rsync only transfers changed files. Daily backups of a 100GB dataset might transfer only MBs.

rsync SSH Options

# Specify SSH port
[user@local ~]$ rsync -avz -e 'ssh -p 2222' data/ admin@server:/backup/

# Use specific SSH key
[user@local ~]$ rsync -avz -e 'ssh -i ~/.ssh/backup_key' data/ admin@server:/backup/

# Multiple SSH options
[user@local ~]$ rsync -avz -e 'ssh -p 2222 -i ~/.ssh/mykey' \
    data/ admin@server:/backup/

# If using SSH config, just use the alias
[user@local ~]$ cat ~/.ssh/config
Host backup
    HostName backup.example.com
    User backupadmin
    Port 2222
    IdentityFile ~/.ssh/backup_key

[user@local ~]$ rsync -avz data/ backup:/backups/
# SSH config settings automatically apply!

Best practice: Use SSH config for complex connection settings. Then rsync commands stay simple and readable.

rsync Bandwidth

# Limit bandwidth (KBytes/sec)
[user@local ~]$ rsync -avz --bwlimit=1000 data/ admin@server:/backup/
# Limits to 1000 KB/s (about 8 Mbit/s)

# Useful for not saturating network links
[user@local ~]$ rsync -avz --bwlimit=5000 bigdata/ admin@server:/archive/

# Compress for slow links
[user@local ~]$ rsync -avz data/ admin@server:/backup/

# Skip compression for fast links or already-compressed data
[user@local ~]$ rsync -av data/ admin@server:/backup/

# Transfer statistics
[user@local ~]$ rsync -av --stats data/ admin@server:/backup/
Number of files: 150
Number of files transferred: 12
Total file size: 1,234,567 bytes
Total transferred file size: 45,678 bytes
Literal data: 45,678 bytes
Matched data: 0 bytes
...

Practical Scenarios

Scenario	Best Tool	Command
Copy one file quickly	scp	`scp file.txt user@server:/path/`
Browse and select files	sftp	`sftp user@server` (interactive)
Daily backup of directory	rsync	`rsync -avz --delete src/ user@server:/backup/`
Deploy web application	rsync	`rsync -avz --exclude='.git' app/ user@web:/var/www/`
Download large file (resumable)	rsync	`rsync -avzP user@server:/data/large.iso ./`
Mirror directory exactly	rsync	`rsync -avz --delete src/ dst/`
Automated script transfer	scp	`scp -q file.txt user@server:/path/`
Explore remote, pick files	sftp	`sftp user@server` then ls, cd, get

Rule of thumb: Single file = scp. Interactive browsing = sftp. Anything repeated, large, or complex = rsync.

Best Practices

Do

Use SSH key authentication for automated transfers
Always use rsync -n (dry run) before --delete
Understand trailing slash behavior in rsync
Use SSH config for complex connection settings
Compress transfers over slow links (-z)
Use --progress for large file visibility
Exclude unnecessary files from backups
Limit bandwidth on shared connections

Do Not

Use FTP or other unencrypted protocols
Run rsync --delete without dry run first
Forget the trailing slash implications
Transfer over network without encryption
Store passwords in scripts (use keys)
Ignore transfer errors in scripts
Saturate shared bandwidth
Use scp for large recurring transfers

Security first: Never use unencrypted file transfer. If you see FTP, Telnet, or rcp in use, replace them with SSH-based alternatives.

Key Takeaways

Always Secure: Use SSH-based tools (scp, sftp, rsync). Never use unencrypted FTP or rcp.

scp: Simple secure copy. scp file user@host:/path/ for quick transfers.

sftp: Interactive sessions. Connect, browse, get/put files. Great for exploration.

rsync: Efficient sync. rsync -avz src/ user@host:/dest/. Delta transfer, resume, backup.

LAB EXERCISES

Use scp to copy files to/from a remote server
Use sftp to interactively browse and transfer files
Set up rsync backup with --delete (test with -n first!)
Practice rsync with and without trailing slash
Create exclude file for rsync backup
Transfer a large file with rsync -P, interrupt it, resume

Next: Managing Network Security with Firewall