Prerequisites
- By default, SFTP uses keypair authentication for access. You will need a provided
public keyto configure your destination. It will look roughly like this:
Create a user on the SFTP server
- Create group
sftpwriter:
- Create user
sftpwriter:
- Switch to the
sftpwriteruser:
- Create the
.sshdirectory:
- Set permissions:
- Navigate to the
.sshdirectory:
- Create the
authorized_keysfile:
- Set permissions:
- Add the public key to the
authorized_keysfile. The key, including the “ssh-key” and comment, should be all on one line in the file, without linebreaks.
Add your destination
<folder>, this destination writes per-transfer manifest files under a _manifests/ directory created at the root of the SFTP home/path. Ensure the SFTP user can create and write to _manifests at that root (even if your data lands under a subfolder). Manifests allow downstream systems to detect when a transfer is complete. See the FAQ below for how these files are organized._test_connection/ (located at either the SFTP root, or inside the custom folder prefix configured on the destination, if present).If the SFTP user does not have permission to delete files, the connection test will still succeed, but these test files will remain on your SFTP server. To avoid clutter, you can optionally configure a custom periodic script (such as a cron job running on your SFTP host) to delete files/directories matching the _test_connection/ prefix (or <your_folder>/_test_connection/ if a custom folder was configured), or delete them manually.-----BEGIN PGP PUBLIC KEY BLOCK-----, and ending with the tail line -----END PGP PUBLIC KEY BLOCK-----. For security reasons, only RSA and ECC keys are supported. RSA keys must have a key size of 2,048 bits or more.If PGP encryption is enabled, both the manifest files and landed data will be encrypted in the PGP binary format. They will have an additional .pgp file extension appended to their filename. For example, encrypted CSV files will have filenames like your_data.csv.pgp.It is not possible to enable or disable the PGP encryption settings of an existing destination. You must create a new destination from scratch with the new PGP configuration.Permissions checklist
- SFTP user created with SSH key-based authentication.
- Provided public key added to
~/.ssh/authorized_keysfor the SFTP user. - SFTP user has write access to the configured folder.
- SFTP user can create and write to
_manifests/at the SFTP home/path root. - Firewall or network perimeter allows the service’s egress IP to connect on port 22.
- (If using PGP encryption) PGP public key in ASCII armored format is ready to provide during destination configuration. RSA keys must be 2,048 bits or larger.
Frequently asked questions
How will the data appear in my SFTP server?
How will the data appear in my SFTP server?
Parquet, CSV, or JSON/JSONL) in a predictable folder structure that can be easily parsed by downstream systems.How is the SFTP connection secured?
How is the SFTP connection secured?
What file formats are supported?
What file formats are supported?
Parquet (default/recommended), CSV, and JSON/JSONL.How do I know when a transfer completed?
How do I know when a transfer completed?
_manifests/ at the root. Files follow the pattern: _manifests/<model_name>/dt=<transfer_date>/manifest_{transfer_id}.json. Use these manifests to trigger downstream processing.Why do I sometimes see duplicates?
Why do I sometimes see duplicates?
Can I provide my own public key? Where is the private key stored?
Can I provide my own public key? Where is the private key stored?
Can I provide my own PGP public key?
Can I provide my own PGP public key?
Is this PGP public key an alternative to the SSH/SFTP public key?
Is this PGP public key an alternative to the SSH/SFTP public key?
When exactly does the PGP encryption occur, when enabled?
When exactly does the PGP encryption occur, when enabled?
Will the PGP-encrypted files be generated in the armored (ASCII) format, or in binary?
Will the PGP-encrypted files be generated in the armored (ASCII) format, or in binary?
Are manifest files also encrypted, or only the landed data?
Are manifest files also encrypted, or only the landed data?
Are there any constraints on the PGP public keys?
Are there any constraints on the PGP public keys?