Connecting SFTP

This guide walks you through connecting an SFTP storage destination to Pluton.

Prerequisites

Before connecting SFTP, you need:

  1. An SSH/SFTP server that is accessible from your Pluton instance
  2. SSH credentials — either a password, a PEM-encoded private key, or an ssh-agent configured on the host
  3. The server's hostname (or IP address) and SSH port (default is 22)
  4. A user account on the remote server with read/write access to the target directory

Getting Your SFTP Credentials

SFTP runs over SSH v2 and supports three authentication methods. Choose the one that fits your setup.

Option A: Password Authentication

  1. Obtain the username and password for your SSH server
  2. Verify you can connect manually: ssh <username>@<hostname>
  3. Note the hostname and port (default 22)

Option B: Key-Based Authentication

  1. Generate an SSH key pair if you don't have one:
    ssh-keygen -t ed25519 -C "pluton-backup"
  2. Copy the public key to your server:
    ssh-copy-id <username>@<hostname>
  3. Note the path to your private key file (e.g., ~/.ssh/id_ed25519) — the key must be in PEM format
  4. If your key has a passphrase, keep it handy

Option C: SSH Agent

  1. Ensure your SSH agent is running and your key is loaded:
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_ed25519
  2. The Pluton agent will use the ssh-agent on the host machine to authenticate

Connecting to Pluton

Step 1: Add Storage

  1. In Pluton, navigate to Storages
  2. Click the Add Storage button
  3. Select SFTP from the provider list

Step 2: Configure Connection

Fill in the required fields:

  • Storage Name: A friendly name (e.g., "Office NAS SFTP")
  • SSH Host: The hostname or IP address of your SFTP server (e.g., nas.example.com or 192.168.1.100)
  • SSH Username: Your SSH login username
  • SSH Port: The SSH port (default 22)
  • SSH Password: Your SSH password — leave blank if using key-based or ssh-agent authentication

Step 3: Advanced Options (Optional)

Additional settings available for key-based and advanced configurations:

  • PEM-Encoded Private Key: Paste the raw contents of your PEM-encoded private key directly
  • Private Key File: Path to a PEM-encoded private key file on the Pluton agent's host (e.g., /home/user/.ssh/id_ed25519)
  • Private Key Passphrase: Passphrase to decrypt your private key file, if it is encrypted
  • SSH Public Certificate: Raw SSH public certificate for certificate-based authentication
  • Public Key File: Path to a public key file for certificate-based authentication
  • Use SSH Agent: Forces the use of the ssh-agent running on the Pluton agent's host
  • Allow Insecure Ciphers: Enable legacy or insecure ciphers for older SSH servers
  • Disable Hash Check: Disable the execution of SSH commands used for hash checking (useful if the remote server restricts command execution)

Step 4: Test and Save

  1. Click Test Connection to verify your credentials and connectivity
  2. If successful, click Save
  3. Your SFTP storage is now ready for backup plans

Common Issues

Connection Refused: Ensure the SSH service is running on the remote server and that the correct port is specified. Check that firewalls or security groups allow inbound connections on the SSH port.

Authentication Failure: Double-check your username and password, or verify that your private key is in PEM format and the correct passphrase is provided. If using ssh-agent, confirm the key is loaded with ssh-add -l.

Permission Denied: Verify that the SSH user has read and write permissions to the target directory on the remote server.

Host Key Verification: On first connection, the remote server's host key must be accepted. If Pluton cannot verify the host key automatically, try connecting once manually via SSH from the Pluton agent's host to accept the key.

Timeout Errors: Check network connectivity between the Pluton agent and the SFTP server. Ensure there are no NAT or routing issues, especially if the server is on a different network.
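
For the Host Key Verification item above, the following added example (not part of the original guide or of Pluton) compares the key a server offers with a copy obtained over a trusted channel, and only then appends it to a known_hosts file. The function names, file names and key blobs are hypothetical, and it assumes the Pluton agent reads the same known_hosts file that a manual ssh connection would update.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pin the SFTP server's host key
# on the Pluton agent's host instead of accepting whatever key is offered.

# scan_entry <keyscan_file> <keytype>: print the first "host keytype blob"
# line of that type from ssh-keyscan output, skipping "#" comment lines.
# The scan file is expected to hold the output for a single host.
scan_entry() {
    awk -v t="$2" '$1 !~ /^#/ && $2 == t { print; exit }' "$1"
}

# verify_hostkey <keyscan_file> <trusted_pub_line>
# <trusted_pub_line> is the server's host public key ("keytype blob [comment]"),
# obtained over a trusted channel, e.g. read on the server's console.
# Returns 0 on match, 1 on mismatch, 2 if no key of that type was offered.
verify_hostkey() {
    vh_type=$(printf '%s\n' "$2" | awk '{ print $1 }')
    vh_want=$(printf '%s\n' "$2" | awk '{ print $2 }')
    vh_got=$(scan_entry "$1" "$vh_type" | awk '{ print $3 }')
    [ -n "$vh_got" ] || return 2
    [ "$vh_got" = "$vh_want" ] || return 1
    return 0
}

# pin_hostkey <keyscan_file> <trusted_pub_line> <known_hosts_file>
# Append the scanned entry to known_hosts only if it matches the trusted key.
# Reuses vh_type, which verify_hostkey has just set.
pin_hostkey() {
    verify_hostkey "$1" "$2" || return $?
    scan_entry "$1" "$vh_type" >> "$3"
}

# Demo on constructed data (the blobs are placeholders, not real keys).
# Real input would come from: ssh-keyscan -p 22 -t ed25519 nas.example.com
demo_dir=$(mktemp -d)
printf '%s\n' '# nas.example.com:22 SSH-2.0-OpenSSH' \
    'nas.example.com ssh-ed25519 AAAAC3CONSTRUCTEDKEYA' > "$demo_dir/scan"
for demo_key in 'ssh-ed25519 AAAAC3CONSTRUCTEDKEYA root@nas' \
                'ssh-ed25519 AAAAC3CONSTRUCTEDKEYB root@nas'; do
    if pin_hostkey "$demo_dir/scan" "$demo_key" "$demo_dir/known_hosts"; then
        echo "match: entry appended to known_hosts"
    else
        echo "refused (status $?): offered key differs from trusted key"
    fi
done
rm -rf "$demo_dir"
```

A status of 1 means the server presented a different key than the trusted copy; resolve that with the server's administrator before connecting.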

Best Practices

  • Use key-based authentication instead of passwords for stronger security and easier automation
  • Restrict the SSH user's permissions to only the directories needed for backups
  • Use a dedicated user account for Pluton backups rather than a personal or root account
  • Keep your SSH port non-default (e.g., 2222) if the server is exposed to the internet, to reduce automated scanning
  • Protect private keys with a passphrase and store them securely on the Pluton agent's host
  • Test connectivity from the Pluton agent's host before configuring the storage in Pluton to catch network issues early