SCP (Secure Copy Protocol): What is SCP?
If you want to transfer data between two computers, there are a variety of tools and technologies available to do so. However, with the wide selection of client programs and available protocols, it can be difficult to find the right solution for the desired data transfer, especially for beginners and less experienced users. This is particularly true when sensitive data needs to be sent which requires more than a simple transfer from point A to point B. If this is the case, you should only be considering methods that offer an appropriate level of security.
One of these methods is performing data transfer via the Secure Copy Protocol (SCP) which was specially designed for the secure transfer of digital information. In the following article, you will learn what the SCP protocol is and how it works.
What is SCP?
Secure Copy Protocol (SCP), often referred to as Secure Copy, is a protocol for computer networks that ensures the secure transfer of data between a local host and a remote host or alternatively between two remote hosts. It is based on the RCP commands (remote copy) published as part of the Berkeley r-commands by the University of California, Berkeley back in 1982. These allow you to manage data transfer using command lines.
SCP provides an authentication procedure between the two hosts as well as encryption for the transfer. In this way, the protocol ensures both the security and the authenticity of the transferred data. SCP protocol uses SSH (Secure Shell) for both of these security measures. SSH is also used by other transfer protocols such as FTP (or SFTP). The TCP port used for SCP transfer is SSH standard port 22.
Secure Copy is cross-platform. There are versions and programs for all standard Windows, macOS, and Linux operating systems as well as for Android and iOS.
How does data transfer via the SCP protocol work?
Secure Copy requires authentication from both hosts involved. Before you can perform a transfer using the protocol, you must first establish an SSH connection between the local host and the targeted remote host. This requires either the SSH login information or an authorized key for the public key authentication.
If you are going to use SCP to perform a file transfer between two remote hosts, you will need to establish an SSH connection between the local host running the SCP client and the remote host which will act as the source host in this instance.
Once the SSH connection between the two hosts has been established, the SCP client will start a Secure Copy process with two different modes available:
- Source mode: An SCP request in source mode reads the files from the targeted remote host and sends them back to the client.
- Sink mode: If sink mode is used for requests via the SCP protocol on the client side, this signals to the remote host that there is incoming data to be written on the remote host.
SCP clients usually use the -f flag (from) to trigger source mode. To trigger sink mode to transfer data to the targeted remote host, the -t flag (to) is used instead.
Communication between Secure Copy and Secure Shell may be disrupted by welcome messages that appear after a successful SSH login. SCP is not prepared for these text messages and interprets them as error messages resulting in it blocking the transfer.
Where and how is SCP used? (example included)
Secure Copy is natively supported by all standard operating systems and provides an excellent security solution by including SSH. Its combination of authentication and encryption puts it on par with the popularly used SFTP which also uses Secure Shell’s security mechanisms. Since SCP also outperforms secure FTP in terms of transfer speed, the protocol is an excellent alternative when you need to transfer files quickly and securely to a web server or when sensitive data needs to be distributed in a local network (e.g. a company network).
In 2019, the US National Institute of Standards and Technology published an official security report which revealed vulnerabilities in different SCP applications. The report specifically addressed the potential threat of a man-in-the-middle attack during an SCP transfer which allows the attackers to overwrite files in the target directory or introduce malware. The clients affected include Putty PSCP, OpenSSH, and WinSCP.
In addition to the previously mentioned clients which you can download for free online, macOS, Windows, and Linux also have a standard built-in Secure Copy client called “scp.” Therefore, the fastest and easiest way to transfer data via SCP protocol is using the command prompt window or terminal, as demonstrated in the following two example commands:
scp SourceFile test@host:directory/TargetFile
This command copies the source file into the specified directory on the target host with the user logged in via SSH using the name “test.” If you need to transfer a file from a remote host to the local host participating in SCP, you would need the following command:
scp test@host:directory/SourceFile TargetFile
An overview of the most important SCP commands
In the previous examples, you already saw the basic syntax for the command lines used to manage native SCP clients in Windows and other operating systems. However, both examples of code only show a simple process for copying without any of the additional options the scp tool offers. If you add these options to the command, they should precede the file and host information so that the full syntax looks like this:
scp [option(s)] [SourceFile] [user@host:directory/TargetFile]
scp [option(s)] [user@host:directory/SourceFile] [TargetFile]
The following table summarizes the most important options for configuring Secure Copy requests with scp:
scp option | Function |
---|---|
-1 | Specifies the use of version 1 of the SCP protocol |
-2 | Specifies the use of version 2 of the SCP protocol |
-C | Activates gzip compression of the encrypted SSH connection |
-B | Initiates the session without requesting a password |
-l limit | Sets a bandwidth limit for the file transfer (kb/s) |
-o ssh_option | Enables the definition of concrete SSH options such as encryption |
-P port | Specifies the port on the remote host’s side over which the connection is to run |
-p | Preserves the meta information of the original file (e.g. modification and access times) |
-q | Hides the progress bar during transfer |
-r | Recursively copies entire directories, including all sub-directories |
-S program | Specifies the program to be used for the encrypted connection (the program must understand SSH options) |