SFTPGo file transfer

A lot of B2B file exchange still runs on SFTP. Nightly EDI invoices, BI exports to your accountant, signed documents dropped by a client, log ingestion from a partner app: in all these cases, a stable and auditable SFTP endpoint is simpler than a REST API.

Bunker hosts SFTPGo, an open source server that supports SFTP, FTPS and WebDAV with an encrypted S3 storage backend.

Access: your dedicated endpoint at sftp-<your-org>.getbunker.net on port 32222.

Why SFTPGo?

SFTPGo isn't a 90s FTP server bolted together. It's a modern Go binary, multi-tenant, with isolated virtual accounts, per-account quotas, full audit logs, and an HTTP API to automate account creation from your IS.

SFTP is exposed through HAProxy in high availability across three cluster nodes. Metadata (accounts, ACLs, audit) lives in a replicated Postgres. Files themselves are stored in an encrypted Ceph S3 bucket, in France.

Comparison with alternatives

| Criterion | Bunker | Self-hosted | rsync.net | AWS Transfer Family | WeTransfer Pro |
|---|---|---|---|---|---|
| Open source | Yes | Yes | No | No | No |
| Sovereign hosting | Yes (France) | Up to you | No (USA) | No (USA) | No (Netherlands) |
| Native multi-tenant | Yes | DIY | Limited | Yes | No |
| S3 backend | Yes | DIY | No | Yes | No |
| Full audit log | Yes | DIY | Limited | Yes | Limited |
| High availability | Guaranteed | Your problem | Yes | Yes | Yes |
| Per-account quotas | Yes | DIY | Yes | Yes | No |
| Automation API | Yes | Depends | No | Yes | No |
| Base monthly cost | €10/mo | Time + server | From $25/mo | $0.30/h per endpoint + transfers | €12/user/mo |
| US CLOUD Act | Not applicable | Up to you | Applies | Applies | Not applicable |

What actually matters

The source code is public, the protocols are standard. You can leave Bunker tomorrow: pull your files via SFTP, deploy SFTPGo somewhere else, repoint your DNS. No proprietary format, no painful migration.

Your data stays in France, under French law. For B2B exchanges with European partners who care about GDPR, that's a concrete argument.

Typical use cases

EDI / invoice exchange with a recurring partner. Your accountant drops supplier invoices every night, you grab them in the morning. A dedicated SFTP account, a sensible quota, one SSH key per partner.

Nightly BI exports. Your data warehouse pushes reports as CSV into an SFTP folder, your client ingests them on their side. Simpler than a REST API for large files.

Backups from legacy apps. Old app that can't speak S3 but knows how to push to SFTP? Point it at your Bunker endpoint, files land in Ceph, you gain encryption and retention without touching the code.

File ingestion from external partners. A vendor sends you images, PDFs, XML. You give them an SFTP account with a drop folder, a cron job on your side reads the folder and triggers your pipeline.

Temporary public drop via WebDAV. Need to expose a read-only folder to a third party for an audit? WebDAV with a scoped account, a quota, an expiry. Cleaner than a shared Drive link.

Security

Each account is isolated in its own virtual namespace. No access to other tenants' files, even at the backend level. SSH keys are stored encrypted, passwords hashed (bcrypt). The audit log records every connection, every transfer, every authentication failure: useful when an incident happens.

On the network side, SFTP goes through HAProxy with session persistence, which prevents dropped connections on large transfers. FTPS is disabled by default (well-known design flaw with NAT) but can be enabled on request if your legacy stack requires it.

Why not self-host?

You can install SFTPGo on a €5/month VPS. But:

| Aspect | Self-hosted | Bunker |
|---|---|---|
| High availability | Single VPS, no HA | 3 HAProxy replicas + Postgres HA |
| Storage backend | VPS local disk | Replicated Ceph S3 |
| Metadata backups | DIY | Automatic |
| Security updates | Your job | Applied |
| Centralized audit log | DIY | Included |
| Quotas and multi-tenant | DIY | Native |
| 24/7 monitoring | DIY | Included |
| Real cost (with your time) | €5/mo + 2-4 h/mo of ops | €10/mo |

At €10/month, the math is simple: your time is worth more.

Quick start

1. Subscribe

  1. Go to console.france-nuage.fr and create an account
  2. Activate the SFTPGo service from the console
  3. You receive your dedicated endpoint and admin credentials
  4. Log into the WebAdmin interface to create your virtual accounts

2. Create an SFTP account

From the WebAdmin interface:

  1. Go to Users > Add
  2. Set the account name (e.g. partner-acme)
  3. Choose an authentication method: password, public SSH key, or both
  4. Set the quota (e.g. 5 GB)
  5. Set the virtual root folder (e.g. /acme)
  6. Save

3. Connect over SFTP

From FileZilla, Cyberduck, WinSCP or any SFTP client:

  • Host: sftp-<your-org>.getbunker.net
  • Port: 32222
  • Protocol: SFTP
  • User: partner-acme
  • Auth: password or SSH key

From the command line:

sftp -P 32222 partner-acme@sftp-<your-org>.getbunker.net

Or with rsync:

rsync -avz -e "ssh -p 32222" ./local-dir/ partner-acme@sftp-<your-org>.getbunker.net:/acme/

4. Automate via the API

SFTPGo exposes an HTTP REST API to create, edit or disable accounts from your IS. Handy if you onboard dozens of partners: trigger account creation from your back office instead of clicking around the UI.

API docs: https://sftp-<your-org>.getbunker.net/openapi
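
The account from step 2, created through the API instead of the WebAdmin UI, as an added example that is not Bunker's or the SFTPGo project's own code. It assumes the endpoint exposes the upstream SFTPGo REST API v2 paths (/api/v2/token, /api/v2/users) and field names unchanged, and that home_dir corresponds to the virtual root folder; check both against the /openapi document.

```python
import base64
import json
import time
import urllib.request

BASE = "https://sftp-<your-org>.getbunker.net"  # placeholder from the page
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA partner@acme"  # constructed, not a real key
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def partner_account(name, root, public_key, quota_gb, valid_days, now=None):
    """Build a key-only, upload-only, expiring account for one partner."""
    fields = public_key.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("expected an OpenSSH public key line")
    base64.b64decode(fields[1], validate=True)  # raises ValueError on a mangled key body
    if not root.startswith("/") or ".." in root.split("/"):
        raise ValueError("virtual root must be absolute and free of '..'")
    now = time.time() if now is None else now
    return {
        "username": name,
        "status": 1,  # enabled
        "public_keys": [public_key],
        "home_dir": root,  # assumption: corresponds to the WebAdmin virtual root folder
        "permissions": {"/": ["list", "upload"]},  # drop folder: no download, no delete
        "quota_size": quota_gb * 1024**3,  # bytes
        "expiration_date": int((now + valid_days * 86400) * 1000),  # Unix milliseconds
        "filters": {"denied_login_methods": ["password", "keyboard-interactive"]},
    }


def create(admin_user, admin_password, account):
    """Fetch an admin token, then POST the account. Network call, not run on import."""
    basic = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(f"{BASE}/api/v2/token",
                                 headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        f"{BASE}/api/v2/users", data=json.dumps(account).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(partner_account("partner-acme", "/acme", SAMPLE_KEY, 5, 14), indent=2))
```

Denying password logins in the payload keeps a partner on the one SSH key you registered, and the expiry makes a forgotten account lapse instead of lingering.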

Migration from your current SFTP server

If you already run an SFTP server (Linux + OpenSSH, or self-hosted SFTPGo):

  1. Export your account list (SQL script if Postgres, YAML file for simple configs)
  2. Collect your users' public SSH keys
  3. Recreate the accounts in SFTPGo Bunker via the API
  4. Sync existing files with rsync over port 32222: rsync -avz -e "ssh -p 32222" ./old-sftp/ <account>@sftp-<your-org>.getbunker.net:/
  5. Repoint your old endpoint's DNS to the new one
  6. Keep the old server in read-only for two weeks while your partners switch over

Known limits

The access port isn't the standard 22 but 32222 (port 22 is reserved for the Kubernetes cluster). Most SFTP clients handle this fine, but some legacy apps hardcode port 22 — in that case, talk to support about a dedicated port forward.

FTPS is disabled by default. If your partner requires FTPS (banking, government), we can enable it on request.

S3 storage has a slightly higher latency than local disk on very small files (< 100 KB). For very high-frequency micro-file workloads, let's chat to tune the configuration.
