How to Securely Transfer Files in Linux Using SCP

by
Spread the love

When transferring files to a remote Linux server, you have a few options. One of the best way is to use a program called Secure Copy, or SCP, that runs over the SSH protocol to quickly transfer files over your network to a remote system. This tutorial shows you how to transfer files securely using SCP in Linux.

Content

Configuring SSH

On your remote server, you’ll need to install an SSH server. The most common on Linux is the OpenSSH server. To install it, run one of the following commands:

# Debian/Ubuntu-based server
sudo apt install ssh
 
# Fedora
sudo dnf install openssh

Depending on your distro, you may need to allow SSH through some software firewalls. On Ubuntu, this problem is nonexistent, but on Fedora, you’ll also have to run the following commands: 

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Connecting to Your System via SSH

Before you can connect via SSH, you need to find out the IP address of the remote server. On graphical servers, the IP address is shown in the Network applet in System Settings. On most servers, you should use the ip command in the terminal. 

ip addr

In the output, look for the line starting with inet under ethX or enpXsy, depending on the way your network interface is connected to the system. In my case, it’s 192.168.68.108.

To test the SSH connection, move to a different Linux machine and type:

ssh user@remote.machine.ip.address

Change the “user” to the actual username in the server.

Enter that account’s password, and you’re in business. If you get a question about the “authenticity of host can’t be established,” just answer “yes.” It is a security check designed to make sure that you are connecting to your actual server and not an impostor. You should see the same prompt come up on your client system that you see when logging directly into the server, which means your connection was successful. You should also configure your SSH connections for maximum security, or even set up two-factor authentication, before proceeding to the next step.

Using SCP to Transfer Files

Now that you have tested the SSH connection, start copying files between the two machines. Secure copying is achieved using the scp command. The basic format of the scp command is:

scp /PATH/TO/FILE USER@IP-ADDRESS:PATH/TO/DESIRED/DESTINATION

For example, to copy the file “backup.tar.gz” from the local machine to the “backups” folder in the home directory of user “ramces” on the remote server with the IP address of 192.168.68.165, use:

scp backup.tar.gz ramces@192.168.68.165:~/backups/

Similar to when you connect using ssh, you will be prompted for the password. You won’t be prompted for the username, as that was specified in the command.

You can also use wild cards like the following:

scp *.tar.gz ramces@192.168.68.165:~/backups/

To copy a file from the remote server to the local machine, just reverse the parameters:

scp ramces@192.168.68.165:~/backups/backup.tar.gz ./

Notice the dot at the end of the command? It means “the current directory,” as it does with the standard cp or mv commands. You could just as easily specify some other directory if you wanted to. 

scp -r ramces@192.168.68.165:~/backups/ backups-from-server/

And the same with wild cards:

scp ramces@192.168.68.165:~/backups/*.txz ./

To recursively copy a directory to a remote server, use the -r option:

scp -r backups/ ramces@192.168.68.165:~/backups/

To copy a recursive copy of a directory from the remote server to the local machine, use:

scp -r ramces@192.168.68.165:~/backups/ ./

Compressing the File Transfer in SCP

Aside from basic copying, it is also possible to modify how SCP behaves during these file transfers. For example, you can use the -C flag to compress the data that SCP sends to remote clients:

scp -C backup.tar.gz ramces@192.168.68.165:/home/ramces/

This option works by compressing each data packet as it is being sent through the SCP program. As such, this can be incredibly useful if you are in a bandwidth-limited connection and want to reliably send a file to a remote server.

Similar to the options above, you can also use -C alongside the -r flag to recursively compress and transfer files to a remote machine. For example, the following command compresses and retrieves the “backup.tar.gz” file from my remote server:

scp -Cr ramces@192.168.68.165:/home/ramces/backups /home/ramces/

Optimizing a Data Transfer with SCP

For the most part, SCP attempts to use the AES-128 encryption algorithm for all of its file transfers. However, there are instances where this particular algorithm will not be suitable for the files that you want to transfer.

Knowing that, it is possible to further optimize and secure SCP by directly changing the cipher algorithm for a specific transfer. To do this, you need to use the -c flag followed by the cipher that you want to use.

For example, the following command transfers the “backup.tar.gz” file to my remote server using AES-256:

scp -c aes256-ctr ./backup.tar.gz ramces@192.168.68.165:/home/ramces/

Further, the -c option also allows you to provide a list of ciphers that you want to use for a particular file transfer. For example, the following command uses both AES-192 and AES-256 while transferring the “backup.tar.gz” file to my remote server:

scp -c aes192-ctr,aes256-ctr ./backup.tar.gz ramces@192.168.68.165:/home/ramces/

Limiting Bandwidth Usage in SCP

While compressing file packets can help you use SCP in poor network conditions, it is also possible to limit the bandwidth that the program uses during a transfer. This is helpful in cases where you are using a metered connection and do not want SCP to dominate your network bandwidth.

To limit the program’s effective bandwidth, you need to use the -l flag followed by the upper limit that you want in kilobit per second (Kb/s). For example, running the following command will transfer the “backup.tar.gz” file to my remote server at an effective bandwidth of 1,600 Kb/s:

scp -l 1600 ./backup.tar.gz ramces@192.168.68.165:/home/ramces/

Remote to Remote Transfer with SCP

Aside from copying local files to your remote server and vice versa, you can also use SCP to manage multiple remote servers from your local machine, as SCP only deals with file transfer and does not discriminate between a local and remote machine.

To transfer between two remote servers, you need to explicitly state the username and the address of each of those machines. For example, running the following command will transfer my “remote-backup.tar.gz” file between my two remote servers:

scp ramces@192.168.68.108:/home/ramces/remote-backup.tar.gz ramces@192.168.68.165:/home/ramces/

Using a Proxy with SCP

By default, SCP uses your local machine’s IP address whenever it transfers files between different hosts. While this is perfectly fine in normal situations, it can be a problem if your local network restricts any SCP activity. One quick way to deal with this issue is by passing your local connection through an SSH proxy.

To do this, you need to use the -o flag followed by the ProxyCommand option. This allows you to create a basic SSH connection to a new machine which will, in turn, execute your SCP command. For example, running the following will create a new SSH proxy with a remote machine and transfer the “backup.tar.gz” file using it:

scp -o "ProxyCommand ssh ramces@192.168.68.108 nc %h %p" ./backup.tar.gz ramces@192.168.68.165:/home/ramces/

Changing the Default Port in SCP

Aside from creating a basic SSH proxy, you can also change the default port for SCP. This is especially helpful if you are securing your Linux server and do not want to expose any default ports.

To use SCP with a different port, you need to use the -P flag followed by the port number that you want to use. For example, the following command will recursively copy my “backup” directory and connect to my remote server using port 2222:

scp -r -P 2222 ./backup ramces@192.168.68.165:/home/ramces/

Using the SCP Quiet Mode

Lastly, it is also possible to completely remove any terminal output from an SCP command. This is especially useful if you want to create a non-interactive script that will run in your machine. Not only that, but you can also fully automate this process by creating a cronjob and transferring a private SSH key to your server.

To create a quiet SCP transfer, you need to use the -q flag. For example, the following command will transfer my “backup.tar.gz” file silently to my remote server:

scp -q ./backup.tar.gz ramces@192.168.68.165:/home/ramces/

Frequently Asked Questions

My remote to remote transfer in SCP does not work. How can I fix this?

This issue is most likely due to a blocked port in one of your remote machine’s configuration files. To fix this issue, make sure the default port for SSH is open in both of your machines.

This issue can also be due to one of your remote machines being behind a CG-NAT connection, so any outside connection to your remote machine will not resolve properly. To fix this, you need to use a Virtual LAN program, such as Yggdrasil, that will allow you to punch through CG-NAT.

I ran an SCP proxy and the remote host closed the connection. What can I do?

This problem is most likely due to an issue with your proxy machine. To properly start an SSH proxy, make sure that the machine you want to use has the OpenSSH server and netcat. To install these programs in Ubuntu, run the following command: sudo apt install ssh netcat.

Is it possible to know all of the available ciphers for SCP?

By default, the SCP program heavily relies on the SSH protocol for its cryptographic functions. Because of that, you can use the SSH program to print a list of the ciphers that you can use alongside SCP. For example, you can run ssh -Q ciphers to print a brief list of all the available ciphers in your machine.

Image credit: Unsplash. All alterations and screenshots by Ramces Red.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Sign up for all newsletters.
By signing up, you agree to our Privacy Policy and European users agree to the data transfer policy. We will not share your data and you can unsubscribe at any time. Subscribe


Ramces Red
Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Comments are closed

Related posts:

How to Make Burnable DVD Images on Linux with DevedeNG
How to Use Email within Emacs
How to Display the Weather Forecast on Linux

Related Posts:

Related posts:

  1. How to Create Impress.js Presentations on Linux
  2. How to Configure ZRAM on Ubuntu Linux
  3. How to Create Hidden Filesystems in Linux with Shufflecake
  4. Use Scrcpy to Mirror and Control Android on Linux