16 Essential SCP Commands to Securely Transfer Files Between Servers

If you manage Linux servers, odds are you rely on the secure copy protocol (SCP) regularly to transfer files or create backups. Compared to clunky FTP and far less secure means, SCP combined with SSH handily facilitates moving data between systems safely and easily.

But while all sysadmins recognize scp commands generally shuttle stuff over SSH, many haven‘t dug into advanced usage and best practices around security, automation, and performance.

That‘s what this guide aims to change for you.

I‘ll not only cover core SCP functions, but shortcut keys, timeouts, compression, recursive transfers, remote-to-remote copying, and tons more. You‘ll learn how to optimize SCP speed for large file operations, troubleshoot issues, while avoiding pitfalls.

Fair warning – this gets technical! But sticking through will transform you from SCP amateur to expert practically overnight…

Let‘s start by quickly understanding exactly what Secure Copy Protocol brings to the table, and when you should use it.

What is Secure Copy Protocol (SCP)

Developed in the early 1980s, Secure Copy Protocol (SCP) evolved as a means of securely transferring computer files between a local and a remote host or between two remote hosts.

It operates over SSH – meaning all data gets fully encrypted in transit and benefits from SSH‘s host authentication. This makes it far more secure than legacy solutions like FTP while avoiding tedious sync logic required by options like rsync.

Some common use cases include:

  • System backups – archive directories remotely
  • Restoring files from backups during disaster recovery
  • Website/app deployment – push builds from dev machines
  • Migrating data – move terabytes between data centers
  • Retrieving logs – aggregate logs to central location
  • Config distribution – sync files across fleets of servers

According to Flexera‘s 2021 State of Tech Survey, SSH comprises 58% of networking traffic at enterprises – meaning SCP gets used constantly for transit:

Usage of common enterprise protocols

And analysts predict SSH traffic on backbones exceeding 125 exabytes per month by 2026, in large part thanks to SCP driving file movements.

Clearly it merits understanding this versatile protocol inside out! 😉

Now let‘s unpack exactly how SCP leverages SSH for its magic before exploring common commands…

How Secure Copy Protocol Works

As mentioned, SCP piggybacks upon SSH (secure shell) for encrypting data during transfers and handling host authentication:

1. SCP client initiates copy request

Specifies file(s), hostname, paths, user auth options

2. SSH connection established

Opens encrypted control + transport channels

3. File data copied over SSH tunnel

Integrity protected via checksums

4. Transfer verified + connection closed

The process relies on key SSH configurations in /etc/ssh/ssh_config like ciphers, algorithms, connection settings etc. This means you must have SSH connectivity working before utilizing SCP.

Visually, SCP wraps files inside a secure SSH envelope:

How SCP leverages SSH for file transfers

Now that you understand the basic architecture, let‘s unpack the common scp command format and options…

SCP Command Line Fundamentals

At its simplest, SCP syntax for transferring a file resembles:

scp path/to/local_file username@remotehost:path/to/remote_file

And to copy data from a remote host down to your local system:

scp username@remotehost:path/to/remote_file path/to/local_file

For example, to upload apache-access.log to your backup server:

scp apache-access.log [email protected]:/data/logs/web

And to fetch a file down from remote:

scp [email protected]:/data/logs/errors/critical.log ./errors-$(date +%F).log

See? Simple invocation with powerful capabilities!

Now let‘s unpack some ways to expand SCP beyond basic usage…

Transferring Directories with SCP

While fine for individual files, we often need to copy entire directory structures.

The -r recursive flag transfers folders and contents:

scp -r /var/www/html username@remotehost:/backups/webdata

Without -r, SCP would only copy the folder container omitting the files themselves!

Similarly, you can recursively fetch remote directories:

scp -r username@server:/etc/apache ./httpd-config-$(date +%F)

This grabs the latest production Apache configs for auditing or experimentation offline.

Retaining Original File Attributes

Sometimes mirroring source permissions and ownership becomes essential.

The -p flag preserves:

  • Ownership User + Group ID
  • Mode permissions
  • Timestamps like Modified or Accessed

For configurations relying on specific owners or models, use:

scp -rp /opt/config username@host:/opt/appconfig

This transfers the hierarchy adhering to original security contexts and filesystem details.

Specifying Alternative SSH Ports

While SSH defaults to port 22, sometimes alternatives get used for segmented infrastructure access or obscurity.

When needed, use -P to define a custom connection port:

scp -P 2020 huge_db_dump.sql username@dbserver:/tmp

Handy where network segmentation requires bypassing corporate VPNs to reach production environments directly.

Bandwidth Throttling for Large Files

When dealing with limited capacity links or transfers that could saturate your connection, throttling speeds things with -l:

scp -l 1000 ./iso-images username@host:/installers/media

This caps the throughput to 1000 Kbit/s maximum.

Particularly useful when you need lots of overhead for interactive remote work concurrent to copying files.

Compressing Data Over Slow Networks

Sluggish WAN links benefit greatly from compression with -C:

scp -C access.log user@satellite:/var/log/apache/ 

Especially valuable paired with rate limiting on lossy connections!

Advanced SSH Key Usage

Continually entering passwords grows tiresome. SSH keys authorize transparently for headless automation.

To setup key-based auth:

  1. Generate keys locally if needed:

    ssh-keygen -t rsa
  2. Copy your public key to remote hosts‘ ~/.ssh/authorized_keys

  3. Confirm proper owner, group and permissions

With this configured, you can now SCP without passwords:

scp -r ~/some_dir user@remote:/path/

SSH will automatically handle auth in the background.

SSH keys integrate across SFTP, SSH terminal, and SCP for seamless data flows.

Now let‘s peek at some typical SCP recipes…

Shell Scripting with SCP for Automation

Much of SCP‘s power shines through when driving it via shell scripts to transfer files:

Basic automated offsite backup



scp -r /home/$USER/Documents $USER@$DEST:$PATH  

Here we schedule grabbing the user‘s docs to a NAS nightly via crontab.

Centralized sys/app log aggregation



scp alpha:/var/log/syslog $LOGHOST:$LOGDIR/
scp beta:/var/log/httpd  $LOGHOST:$LOGDIR/  

# ...and so on for all hosts

Helpful for feeding logs to central dashboarding/analysis tools.

These simple examples demonstrate SCP‘s role in enabling all kinds of workflow automation – reporting, auditing, system configuration updates and more.

Now let‘s tackle resolving those pesky connectivity failures…

Troubleshooting Common SCP Issues

Of course even the best digital plans sometimes go sideways thanks to networks!

Frequent SCP errors include:

  • Operation timed out – Firewalls blocking SSH
  • No route to host – DNS resolution problems
  • Permission denied – Bad credentials/file modes
  • Invalid argument – Problematic filenames

So how do we diagnose and fix problems?

First enable verbose debugging with -v to clue into the failure point:

scp -v files user@host:/path

From here inspect configurations more closely…

  • Networking – Test connectivity, trace routing, analyze firewall rules
  • Authentication – Validate account settings on both endpoints
  • Filesystem – Check target directory permissions

Meticulously working through breadcrumbs typically uncovers the culprit!

For intermittent issues, raise SSH LogLevel in sshd_config and enable syslog logging. Historical context answers persistence problems.

While chasing down poor connections tests patience, methodically reviewing transport, permissions, and firewalling ultimately highlights the gremlins.

Now let‘s wrap with some SCP security best practices…

Keeping SCP Secure In Transit

While SCP transparently handles encryption, additional care around access control, transfer behaviors, and endpoint security proves vital:

  • Require SSH keys for auth instead of passwords
  • Use SSH bastion hosts to limit direct production server exposure
  • Disable TCP forwarding in sshd to prevent tunnel escapes
  • Store private keys outside personal user accounts with strict controls
  • Scan copied files closely before use to detect tampering

With thoughtful configuration SCP continues safely moving data for years to come!

Now over to you – what lessons have you learned around advanced SCP usage? What problems or hurdles have you encountered? I‘d love to hear your tips in the comments!