Using SCP to Securely Upload Files and Directories to Remote Server

Secure Shell (SSH) is a common protocol used to access or login to remote servers. The protocol is widely supported across Operating Systems. If you are Windows user, you may have heard and been using Putty, which is a SSH client for Windows. Windows 10 users can use Open SSH client that can be installed via new feature installation. UNIX OSes usually come with native SSH client support, so additional software installation is not needed.

The common command used to login to a server via ssh is as follows:
-The server has a domain name (for e.g.

local$ ssh

-The server only has IP address or an IP address that maps to a domain name (for e.g. ->

local$ ssh user@

It is a recommended approach to add -v (verbose) flag so that we will know what is currently happening during the login process.

local$ ssh -v
local$ ssh -v user@

The standard port for SSH is port 22. If the remote server uses different port for SSH, we need to specify this in the SSH command by adding -p (port) flag. Let’s say the remote server enables SSH at port 202. Our SSH command now becomes:

local$ ssh -v -p 202 
local$ ssh -v -p 202 user@

If public key infrastructure (PKI) is enabled for the SSH access to the remote server, we then need to supply the private key to certify that we are in the “client whitelist”. Depending on how the private key was generated (e.g. using ssh-keygen, server creation wizard, etc) and its format, the additional flag -i (identity file) should be added into the SSH command. Let’s assume the private key name is server-priv-key.pem, the previous SSH command is now changed into:

local$ ssh -v -p 202 -i /path/to/server-priv-key.pem
local$ ssh -v -p 202 -i /path/to/server-priv-key.pem user@

SSH cannot be used to transfer or upload files from the current host to the remote server. Traditionally, we may opt to FTP. However, FTP is not a secure protocol. The file will be uploaded unencrypted thus making it more vulnerable to network attack. An adversary (attacker) may capture the FTP traffic and immediately decode the content of the file(s) being uploaded.

Let’s say we are uploading customer list in a text format via FTP and the network is already tampered. Since the file is unencrypted when being uploaded, the attacker will immediately obtain the list can use it for malign purpose.

Hence, it is recommended to use secure protocol like SCP to upload the file to the remote server. This protocol will encrypt the file before getting uploaded to the remote server. This way, an attacker in the network will not be able to see the original file content because it is already encrypted when being sent over the network.

Secure File Upload with scp

Unless the remote server is configured differently, it shall also allow secure file upload using Secure Copy protocol (SCP) besides SSH access. With scp we can upload either files and folders to remote server.

Let’s say, we are using Mac OS. The current directory is /Users/macuser/upload. We have a file named myfile.txt that we want to upload to the remote server. The destination folder in the remote folder is /home/ubuntu/files.

SCP with standard SSH port

If the SSH connection to remote server is using the standard port (port 22), we then upload the file using this command:

mac@local ~$ scp -v ~/upload/myfile.txt
mac@local ~$ scp -v /Users/macuser/upload/myfile.txt ubuntu@

In the above commands, we supply -v flag to execute scp client in verbose mode. The ~ (tilde) sign refers to the user’s home directory that is defaulted to /Users/macuser (given that the user account is macuser) in Mac OS or /home/ubuntu (given that the user account is ubuntu). After being uploaded to the remote server, the file path will be /home/ubuntu/files/myfile.txt.

If we need to provide the private key, we should supply -i tag, similar with the SSH command. The scp command is now changed into:

mac@local ~$ scp -v -i /path/to/server-key.pem  ~/upload/myfile.txt
mac@local ~$ scp -v -i /path/to/server-key.pem /Users/macuser/upload/myfile.txt ubuntu@

What if we want to upload a directory? Now consider a directory named mydir located in /Users/macuser. To upload this directory, we should supply the -r (recursive) tag. If we want the directory to be uploaded into /home/ubuntu/files/mydir, we then invoke the scp command as follows:

mac@local ~$ scp -v -i /path/to/server-key.pem -r ~/upload/mydir
mac@local ~$ scp -v -i /path/to/server-key.pem -r /Users/macuser/upload/mydir ubuntu@

If we want to upload the content of mydir directory, we can provide * wildcard. By adding this wildcard, mydir directory will not be created in the remote server and instead the directory content will be uploaded to the remote directory destination.

mac@local ~$ scp -v -i /path/to/server-key.pem -r ~/upload/mydir/*
mac@local ~$ scp -v -i /path/to/server-key.pem -r /Users/macuser/upload/mydir/* ubuntu@

SCP with non-standard SSH port

When using SSH to connect to remote server, we will use -p flag to specify the SSH port. This is different with SCP. Instead of -p flag (lowercase p), we need to supply -P flag (uppercase P) to specify the SSH port.

Let’s say the SSH port is 202. For single file upload, the SCP command now becomes:

mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem  ~/upload/myfile.txt
mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem /Users/macuser/upload/myfile.txt ubuntu@

For directory upload with directory creation, the SCP command is now changed into:

mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem -r ~/upload/mydir
mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem -r /Users/macuser/upload/mydir ubuntu@

And finally, for directory content upload, we will have the following SCP command:

mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem -r ~/upload/mydir/*
mac@local ~$ scp -v -P 202 -i /path/to/server-key.pem -r /Users/macuser/upload/mydir/* ubuntu@

How is your experience using SCP so far? Simply share your experience in the comment section.

Leave a Reply

Your email address will not be published. Required fields are marked *