SFTP vs FTPS vs AS2 — Which Secure File Transfer Protocol Should You Use?
SFTP vs FTPS vs AS2
SFTP, FTPS, and AS2 are not interchangeable. Each protocol uses a different trust model, operates under different assumptions, and fits different exchange patterns.
Quick comparison
| | SFTP | FTPS | AS2 |
|---|---|---|---|
| Transport | SSH | FTP + TLS | HTTP/S |
| Trust model | SSH host key | X.509 TLS certificate | X.509 certificate roles |
| Exchange model | directory polling | directory polling | message delivery |
| MDN/acknowledgement | no | no | yes |
| Message signing | no | no | yes |
| Payload encryption | channel only | channel only | optional per-message |
| Typical use | B2B file directory exchange | legacy FTP with TLS | EDI, regulated B2B messaging |
SFTP runs over SSH. The connection is encrypted by the SSH protocol. File exchange is directory-based — you list, get, and put files on a remote server.
Trust: based on SSH host key verification. You verify the server’s public key before exchange.
Choose SFTP when:
- the partner provides SSH-based access to a file directory
- you need a simple, well-understood pickup or delivery mechanism
- message signing or per-message encryption is not required
Do not choose SFTP when:
- the partner explicitly requires AS2 for EDI
- MDN-based acknowledgement is contractually required
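The host key check that SFTP trust rests on, as an added example (not Xferity code or configuration): it computes the SHA256 fingerprint of a presented OpenSSH public key line in the form `ssh-keygen -l` displays and compares it to a pinned value, failing closed on malformed input. The key bytes, the `constructed-sample` comment and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    # The blob starts with its own copy of the key type; both must agree.
    if blob[:4 + len(fields[0])] != ssh_string(fields[0].encode()):
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(presented_line: str, pinned_fingerprint: str) -> bool:
    """True only if the presented key hashes to the pinned fingerprint; fails closed."""
    try:
        presented = fingerprint(parse_pubkey_line(presented_line))
    except ValueError:
        return False
    return hmac.compare_digest(presented.encode(), pinned_fingerprint.encode())


def constructed_line(key_bytes: bytes) -> str:
    """Build a sample ssh-ed25519 line from placeholder bytes (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


PARTNER_KEY = constructed_line(bytes(range(32)))   # constructed: key the partner published
OTHER_KEY = constructed_line(bytes(range(1, 33)))  # constructed: a different server's key
PINNED = fingerprint(parse_pubkey_line(PARTNER_KEY))  # stands in for the out-of-band value

if __name__ == "__main__":
    print(PINNED)
    print("partner key accepted:", host_key_matches(PARTNER_KEY, PINNED))
    print("other key accepted:  ", host_key_matches(OTHER_KEY, PINNED))
```

In practice the pinned fingerprint comes from the partner over a separate channel, not from the first connection to the server.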
FTPS is FTP with TLS encryption. It combines the legacy FTP command structure with a TLS handshake for security.
Trust: X.509 TLS certificate validation. You verify the server against a CA certificate or by fingerprint.
Choose FTPS when:
- a partner requires FTP-compatible behavior and uses explicit TLS
- you are maintaining compatibility with existing FTP infrastructure
- passive mode is supported at the network boundary
Do not choose FTPS when:
- the partner supports SFTP (SFTP is simpler to configure and does not have FTP’s data channel complexity)
- implicit TLS mode (port 990) is required — the current Xferity implementation supports explicit mode only
AS2 is a message-oriented protocol over HTTP/S. Unlike SFTP and FTPS, it is not about polling a directory. Each exchange is a discrete signed and/or encrypted message delivered to an endpoint.
Trust: X.509 certificates for signing, encryption, and HTTPS transport. There are multiple certificate roles in a single exchange.
Choose AS2 when:
- a trading partner explicitly requires AS2
- message signing is contractually required
- MDN receipt confirmation is needed
- you operate in an EDI supply chain context (retail, healthcare, logistics, financial services)
Do not choose AS2 for simple file pickup — it adds complexity (certificate management, MDN handling, Postgres-backed persistence) that is not justified unless the partner actually requires it.
Practical selection guide
- Partner requires AS2 and MDNs? → AS2
- Partner requires FTPS? → FTPS
- Partner provides SFTP? → SFTP (default for new B2B directory exchange)
- No partner requirement yet? → SFTP for simplicity