How SCP Works
SCP works by opening an SSH connection to the remote host, authenticating exactly as a normal SSH login would, and then spawning an scp process on the remote side. The local client and the remote process communicate through the SSH-encrypted channel, streaming file data from source to destination. Because SCP piggybacks on SSH, it uses the same port (22), the same authentication mechanisms, and the same encryption algorithms — no separate configuration is needed if SSH already works.
The original SCP protocol was modeled closely on rcp, the BSD remote copy tool, which itself was a variant of cp for networked use. This heritage meant SCP inherited some of rcp's assumptions about trust between systems — assumptions that turned out to be security problems decades later.
Basic SCP Syntax
The SCP command follows the pattern scp source destination, where either source or destination (or both) can be a remote path in the form user@host:/path. To copy a local file to a remote server: scp report.pdf alice@server.example.com:/home/alice/docs/. To copy a file from a remote server to the current local directory: scp alice@server.example.com:/home/alice/docs/report.pdf ./. To copy between two remote servers directly: scp user1@host1:/data/file.tar.gz user2@host2:/backup/.
Useful flags: -r copies a directory recursively; -P (capital P) specifies a non-standard SSH port; -i specifies a private key file; -C enables SSH-level compression (useful on slow links for compressible data); -q suppresses the progress meter and non-error messages.
SCP Protocol Versions
There are effectively two generations of the scp command. The legacy SCP protocol (sometimes called SCPv1) was the original implementation based on rcp. It was the only version available for decades and remained the default in OpenSSH through version 8.x.
In OpenSSH 9.0 (released April 2022), the project deprecated the legacy SCP protocol and switched the scp command to use the SFTP protocol internally by default. The -O flag restores the old behavior for compatibility with servers that do not support SFTP. This change was transparent to most users — the command syntax stayed the same — but it addressed the security vulnerabilities inherent in the legacy protocol.
Why OpenSSH Deprecated the Legacy SCP Protocol
The legacy SCP protocol had a fundamental security problem: the receiving side had significant influence over what was written and where. A malicious server could respond to a file request by sending a file with a different name, writing to a different path, or setting unexpected file permissions — and the client would accept it. This is because the legacy protocol used a simple stream of file metadata and data without cryptographic verification that the received filename matched what was requested.
Multiple CVEs were filed against SCP clients over the years exploiting this trust model. The SFTP protocol used by the replacement does not have this problem: each operation is explicitly requested by the client and the server responds to that specific request. The switch to SFTP under the hood made scp behave safely without requiring users to change their commands.
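The check a strict client has to make against the legacy record stream, as an added example (not code from OpenSSH or from this page): it walks the `C`/`D`/`E`/`T` control records that the source side sends and reports names, paths or modes the client never asked for. The function name, the sample streams and the writable-mode policy are assumptions made for illustration.

```python
import re

# Legacy SCP control records, as sent by the source side:
#   C<mode> <size> <name>\n  file; <size> data bytes and a NUL byte follow
#   D<mode> 0 <name>\n       enter directory      E\n  leave directory
#   T<mtime> 0 <atime> 0\n   timestamps for the next record
HEADER = re.compile(rb"([CD])([0-7]{4}) (\d+) (.+)")

def audit_stream(stream: bytes, requested: str, recursive: bool = False):
    """Return (name, problem) pairs for records a strict client should refuse."""
    findings, pos, depth = [], 0, 0
    while pos < len(stream):
        end = stream.find(b"\n", pos)
        if end == -1:  # header without terminating newline
            findings.append((stream[pos:].decode(errors="replace"), "malformed record"))
            break
        line, pos = stream[pos:end], end + 1
        if line.startswith(b"T"):
            continue
        if line == b"E":
            depth -= 1
            continue
        m = HEADER.fullmatch(line)
        if not m:
            findings.append((line.decode(errors="replace"), "malformed record"))
            break
        kind, mode, size, raw = m.groups()
        name = raw.decode(errors="replace")
        if "/" in name or name in (".", ".."):
            findings.append((name, "name escapes target directory"))
        elif depth == 0 and name != requested:
            findings.append((name, "name differs from requested file"))
        if kind == b"D":
            if not recursive:
                findings.append((name, "directory sent without -r"))
            depth += 1
        else:
            if int(mode, 8) & 0o022:  # assumed policy: no group/world write bits
                findings.append((name, "group/world-writable mode"))
            pos += int(size) + 1  # skip file data and its trailing NUL
    return findings

# Constructed byte streams (not captured traffic) for a request of report.pdf.
HONEST = b"C0644 5 report.pdf\nhello\x00"
TAMPERED = (b"T1700000000 0 1700000000 0\n"
            b"C0666 3 notes.txt\nabc\x00"
            b"C0644 2 ../outside.txt\nhi\x00")
```

Nothing in the record format ties `<name>` to the request, which is why the comparison has to be done by the client; in SFTP the client names the path in each request instead.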
SCP Limitations
SCP is intentionally simple, and that simplicity comes with real constraints. There is no resume capability — if a transfer is interrupted halfway through, you must start over from the beginning. There is no interactive mode — SCP is a one-shot command, not a session you can browse. There is no synchronization — SCP copies everything you specify regardless of whether the destination already has an up-to-date copy. There is no delta transfer — even if only 1% of a large file changed, SCP copies the entire file.
For transferring many small files, SCP has overhead that adds up: each file requires its own set of protocol messages. rsync over SSH is dramatically faster in this scenario because it can batch operations efficiently and skip files that have not changed.
SSH Key Authentication with SCP
SCP uses the exact same key infrastructure as SSH. If you have already set up SSH key authentication for a host — private key in ~/.ssh/, public key in the remote ~/.ssh/authorized_keys — then SCP to that host will use your key automatically. No additional setup is required. If your key has a passphrase, ssh-agent can hold the decrypted key in memory so you are not prompted on every transfer. For automated scripts, a key pair with no passphrase (restricted by IP address or command= in authorized_keys for security) is the standard approach.
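An audit for the restriction described above, as an added example that is not part of the original page: it parses the options field of each authorized_keys line (quoted values may contain commas, spaces and escaped quotes) and lists keys that carry neither `from=` (the option that limits source addresses) nor `command=`. The function names and the sample file are assumptions; the key material is placeholder text.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def split_options(line: str):
    """Split an authorized_keys line into (options dict, rest of the line)."""
    if line.startswith(KEY_PREFIXES):  # no options field present
        return {}, line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2  # escaped quote inside a value
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break  # end of the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    # Option keywords are case-insensitive; flags such as no-pty get "".
    parsed = {k.lower(): v for k, _, v in (o.partition("=") for o in opts)}
    return parsed, line[i:].strip()

def unrestricted_keys(text: str):
    """Return the comment (or whole line) of keys lacking from= and command=."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if "from" not in opts and "command" not in opts:
            fields = rest.split(None, 2)
            flagged.append(fields[2] if len(fields) > 2 else (rest or line))
    return flagged

# Constructed sample file; the base64 fields are placeholders, not real keys.
SAMPLE = r'''
from="192.0.2.10",command="/usr/local/bin/backup-recv" ssh-ed25519 AAAAPLACEHOLDER1 backup@cron
ssh-ed25519 AAAAPLACEHOLDER2 deploy@ci
command="echo \"hi, there\"",no-pty ssh-rsa AAAAPLACEHOLDER3 report@batch
'''
```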
SCP Performance
For copying a single large file, SCP is fast. It streams the file directly through the SSH channel with minimal protocol overhead, and SSH-level compression (-C) can help on low-bandwidth or high-latency links if the data is compressible. The bottleneck is almost always network bandwidth or disk I/O rather than SCP's own overhead.
Performance degrades when copying many small files. Each file incurs SSH protocol overhead — framing, message authentication codes, acknowledgments — that is proportionally expensive for tiny files. In benchmarks, rsync over SSH can be 10x faster than SCP for directories containing thousands of small files because it batches operations and skips unchanged files entirely.
SCP vs SFTP vs rsync
| Feature | SCP | SFTP | rsync over SSH |
|---|---|---|---|
| Protocol | SSH (SFTP internally since OpenSSH 9.0) | SSH-2 subsystem | SSH (rsync process) |
| Resumable transfers | No | Client-dependent | Yes |
| Sync mode | No | No | Yes (skip unchanged files) |
| Interactive browsing | No | Yes | No |
| Best for | Quick one-off file copy | Interactive or scripted batch transfers | Directory sync, backups, delta transfers |
| Performance on many small files | Poor | Moderate | Excellent |
| Encryption | Full SSH encryption | Full SSH encryption | Full SSH encryption |
Frequently Asked Questions
What port does SCP use?
SCP uses TCP port 22, the same port as SSH. SCP establishes an SSH connection first and then uses that encrypted channel to transfer files — no additional ports are needed. Any firewall rule that permits SSH also permits SCP.
Is SCP secure?
SCP uses SSH for both authentication and encryption, so file contents and credentials are protected from eavesdropping. However, the legacy SCP protocol (used before OpenSSH 9.0) had documented security vulnerabilities: a malicious server could manipulate filenames and permissions during a transfer without the client detecting it. OpenSSH 9.0 addressed this by switching the scp command to use the SFTP protocol internally, which does not have the same vulnerabilities.
How do I copy a file with SCP?
To copy a local file to a remote host, run: scp localfile user@host:/remote/path/. To copy from remote to local: scp user@host:/remote/path/file ./local/. To copy between two remote hosts: scp user1@host1:/path/file user2@host2:/path/. Add the -r flag to copy entire directories recursively. Add -P portnumber (capital P) to use a non-standard SSH port.
Can SCP copy entire directories?
Yes, using the -r flag: scp -r localdir user@host:/remote/path/ copies the entire directory tree recursively. However, for large directory trees with many small files, rsync over SSH is significantly more efficient because it only transfers files that have changed, whereas SCP always copies everything regardless of whether the destination already has an up-to-date copy.
Why did OpenSSH deprecate the old SCP protocol?
The legacy SCP protocol was based on the old rcp (remote copy) protocol from the rsh era. It had a fundamental design flaw: the receiving side had significant control over what files were written and where, allowing a malicious server to write files to unexpected locations, alter filenames, or change file permissions without the client's knowledge. OpenSSH 9.0 (released 2022) deprecated this protocol and made the scp command use SFTP under the hood, which does not have these vulnerabilities.
When should I use rsync instead of SCP?
Use rsync over SSH (rsync -avz -e ssh source/ user@host:/dest/) when you need to synchronize directories rather than copy individual files, when you want to skip files that have not changed, when you need resumable transfers, or when transferring many small files. Use SCP for simple one-off copies of single files where simplicity matters more than efficiency.