The average cost of data breaches continues to grow every year. In 2024, statistics indicate that this cost has grown by the largest margin ever at 10% from 2023.
The truth is, your organization could easily become part of this statistic because malicious actors are always snooping around on networks to find vulnerabilities. Having a secure way to transfer or share data is essential to protecting your organization.
The Secure Copy Protocol (SCP) is one way your organization can securely manage these transfers. It’s a command-line utility built on the Secure Shell (SSH) protocol that lets you securely transfer files between hosts.
SCP relies on SSH to encrypt file contents and user credentials during transmission. It is worth noting that encryption is an inherent feature of SSH and not SCP specifically.
Prerequisites
There are several requirements you should meet to use the SCP command.
- You should have basic command-line knowledge, particularly Linux terminal commands.
- You should also have SSH installed and configured on the machines sharing the files.
- You need authentication details, such as username and password or SSH login/keys.
Basic SCP Command Structure
The basic syntax for the SCP command is:
scp [options] source_file user@destination_host:path/to/destination
Where:
- scp is the command itself.
- [options] represent the various flags that modify the behavior.
- source_file represents the file or directory you want to copy.
- user@destination_host is the username and remote host.
- path/to/destination is the path on the remote server that will store the file.
Example 1: Copying a File from Local to Remote
Sometimes, you will need to copy files from a local client to a remote server, such as when backing up files or sending content to a web server.
To do this, you can use:
scp /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
Say, for instance, you want to transfer a project report saved as report.txt in the documents folder on your local machine to a secure folder named secrets.folder on a remote server. Also, assume that the SSH username is strongdm and 192.168.1.10 is the IP address of the remote server. You’d run:
scp /home/local_user/documents/report.txt strongdm@192.168.1.10:/home/remote_user/secrets.folder/
Example 2: Copying a File from Remote to Local
If you need to access and save files stored on a remote server for local analysis or editing, you can use the following SCP command:
scp user@remote_host:/path/to/remote/file.txt /path/to/local/directory/
Say you need to download a log file named server_logs.txt from a remote server and save it in a local folder named documents. The SSH username is strongdm, and the IP address of the remote server is 192.168.1.10.
The command to save it locally would be:
scp strongdm@192.168.1.10:/var/log/server_logs.txt /home/local_user/documents/
Example 3: Copying a Directory Recursively
Copying a directory recursively simply means creating an exact replica of the directory structure, including its subdirectories and the files within them, in a new location.
You can perform this action using the following scp command:
scp -r /path/to/local/directory/ user@remote_host:/path/to/remote/directory/
Let’s examine an example of a recursive scp command:
scp -r /path/to/local/documents/ strongdm@192.168.1.10:/path/to/remote/documents/
The -r (recursive) option tells scp to copy everything inside the local directory “documents” to the destination directory on the server named “documents.”
Example 4: Using SCP with a Specific Port
If your remote server isn’t listening on the default SSH port (22), you can use the -P option to specify the port.
For instance, if your command looks like this:
scp -P 2222 /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
The -P option tells scp to connect to the remote server’s SSH service on port 2222 to move the file “file.txt” from a local system to the remote server.
Example 5: Preserving File Permissions and Timestamps
To preserve a file’s permissions and timestamps during the transfer, use the -p option as shown below:
scp -p /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
The -p option tells the scp command to preserve file.txt’s original attributes during the transfer from the local client to the remote server.
Example 6: Copying Multiple Files at Once
You can list all the files you need to transfer in the command as shown below:
scp /path/to/file1.txt /path/to/file2.txt user@remote_host:/path/to/remote/directory/
This command will transfer file1.txt and file2.txt at the same time from the local system to the remote server’s specified directory.
Example 7: SCP with SSH Key Authentication
SSH key authentication removes the need to enter a password each time when copying files between computers or between local clients and remote servers.
To use this method, you must first generate and set up an SSH key on the remote server. Then, you can use the -i flag in SCP to specify the private key file.
Here’s how to generate SSH keys:
ssh-keygen -t rsa
Then, copy the public key to the remote host:
ssh-copy-id user@remote_host
Say the private key is ssh-id-rsa. You can now use the -i flag in SCP to specify the private key file like this:
scp -i /path/to/ssh-id-rsa /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
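An added example (not from the original article): OpenSSH ignores a private key file that is accessible by group or others, so this wrapper checks the key's mode before calling scp -i and turns off the silent fallback to password prompts. The function names key_is_private and scp_with_key are hypothetical.

```shell
#!/bin/sh
# key_is_private KEYFILE: succeed only if KEYFILE exists and has no
# group/other permission bits set (for example mode 600 or 400).
key_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    # -L follows a symlink so the real key file is inspected.
    bits=$(ls -ldL "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# scp_with_key KEYFILE SOURCE DESTINATION (hypothetical wrapper name)
scp_with_key() {
    key=$1
    src=$2
    dst=$3
    if ! key_is_private "$key"; then
        echo "refusing $key: missing, or accessible by group/other (chmod 600)" >&2
        return 1
    fi
    # IdentitiesOnly=yes: offer only this key, not every key held by the agent.
    # BatchMode=yes: fail instead of falling back to a password prompt.
    scp -i "$key" -o IdentitiesOnly=yes -o BatchMode=yes "$src" "$dst"
}
```

Call it as scp_with_key /path/to/ssh-id-rsa /path/to/local/file.txt user@remote_host:/path/to/remote/directory/.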
Example 8: Limiting Transfer Speed
In cases where you’re transferring very large files and worry about network issues, you can limit the transfer speed by using the -l option.
Take, for instance, this example:
scp -l 900 /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
This command limits the transfer speed of file.txt to 900 Kbit/s (kilobits per second).
Example 9: Transferring Files Verbosely
Sometimes, you may need to track the inner workings of the file transfer between systems, such as the connection process and the debugging information about SSH.
To do so, you can leverage the -v option, which tells scp to enable verbose mode.
scp -v /path/to/local/file.txt user@remote_host:/path/to/remote/directory/
Example 10: Copying Between Two Remote Servers
SCP doesn’t natively support direct file transfers between two remote servers. To achieve this, you would typically first download the files to your local machine and then upload them to the second server:
You can use commands that resemble the following:
scp user1@host1:/path/to/source/file.txt .
scp file.txt user2@host2:/path/to/destination/
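An added example (not from the original article): the two-step relay above wrapped in a shell function that stages the file in a private temporary directory and always removes it, so a copy of the data does not linger on the intermediate machine. The function name relay_copy is hypothetical.

```shell
#!/bin/sh
# relay_copy SRC DST (hypothetical helper name)
#   SRC: remote file,   e.g. user1@host1:/path/to/source/file.txt
#   DST: remote target, e.g. user2@host2:/path/to/destination/
relay_copy() {
    src=$1
    dst=$2
    name=${src##*:}      # drop the "user@host:" prefix
    name=${name##*/}     # keep only the file name
    [ -n "$name" ] || { echo "relay_copy: SRC must name a file" >&2; return 2; }

    # mktemp -d creates the directory with mode 0700, so other local
    # users cannot read the staged file while it is in transit.
    stage=$(mktemp -d) || return 1
    rc=0
    # -p keeps permissions and timestamps across both hops.
    scp -p "$src" "$stage/$name" || rc=$?
    if [ "$rc" -eq 0 ]; then
        scp -p "$stage/$name" "$dst" || rc=$?
    fi
    # Remove the staged copy whether or not the transfer succeeded.
    rm -rf "$stage"
    return "$rc"
}
```

The return code is that of the hop that failed, or 0 when both hops succeed.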
Common SCP Command Errors
At some point, you will encounter errors and issues when working with scp commands.
Permission Denied
This error might mean that you lack sufficient privileges on the destination directory. To solve this, check file permissions to ensure the file/directory is readable (on the source) or writable (on the destination) for your user account by using the following commands:
To make the file readable on the source:
chmod +r /path/to/source/file.txt
To grant write permissions on the destination:
chmod -R +w /path/to/destination/
Connection Refused
This usually means that the SSH port setting is wrong. Verify the SSH port settings. The default port for SSH is usually 22, but if the SSH server uses a non-standard one, specify it with -P as shown below:
scp -P 2222 user@host:/path/to/source /path/to/destination/
This command specifies that the SSH port is 2222.
Alternatively, if a firewall is blocking the port, adjust the rules:
For default port 22:
sudo ufw allow 22/tcp
For a custom port such as 2222:
sudo ufw allow 2222/tcp
Timeout
This error can occur due to network issues or incorrect host details, such as the IP address. Check the host details, such as the IP address and network status. You can test connectivity with:
ping <host>
Limitations and Alternatives to SCP
SCP presents several limitations, including:
- While SCP commands are usually simple and effective for basic transfers, they may not be suitable for specific scenarios.
- As of OpenSSH v8.8, SCP is considered deprecated in some environments due to its reliance on the outdated Remote Copy Protocol (RCP). This protocol has notable security limitations, such as injection vulnerabilities and lack of support for many modern file-transfer features, like integrity verification and partial synchronization.
- SCP doesn’t support resuming interrupted file transfers. If this occurs, you must start from the beginning, which can lead to inefficiencies, especially for large files.
There are several alternatives you can use should you encounter some of these limitations.
- rsync offers advanced features like synchronization, bandwidth control, and incremental transfers. The most distinctive advantage is its ability to quickly recover after errors.
- sftp allows users to navigate directories, upload and download files, and perform operations like renaming or deleting files interactively.
- ftp features a familiar command line and also has graphical tools for users without technical knowledge.
How StrongDM Enhances Secure File Transfers
While SCP facilitates secure file transfers, manually managing SSH access keys for these transfers can be overwhelming. Wasted time and lost productivity become issues if your organization deals with large databases.
With StrongDM, you get:
- Centralized Access Management: Unlike SCP, StrongDM provides a unified platform to manage user access across servers and databases.
- Enhanced Security: StrongDM ensures end-to-end encryption for all file transfers. This helps eliminate the vulnerabilities associated with SCP.
- Auditing and Monitoring: SCP lacks logging capabilities, which are essential for visibility. StrongDM logs every action performed during a file transfer.
- Simplified Workflow: No need to configure multiple tools. StrongDM streamlines operations by supporting secure file transfers alongside database and server access.
To see our product in action and how it can serve you, book a demo today.
About the Author
StrongDM Team, Zero Trust Privileged Access Management (PAM). The StrongDM team is building and delivering Zero Trust Privileged Access Management (PAM), which delivers unparalleled precision in dynamic privileged action control for any type of infrastructure. The frustration-free access stops unsanctioned actions while ensuring continuous compliance.