How To Install SFTPGo on Debian 13

Secure file transfer remains a critical requirement for modern server infrastructure, especially as organizations move away from outdated FTP protocols. SFTPGo has emerged as a powerful, feature-rich alternative that addresses the security limitations of traditional file transfer servers while delivering enterprise-grade capabilities through an intuitive interface. This comprehensive guide walks you through installing and configuring SFTPGo on Debian 13 “Trixie,” equipping you with the knowledge to deploy a production-ready secure file transfer solution.

Whether you manage client file drop zones, automated backup systems, or DevOps artifact distribution, SFTPGo offers the flexibility and security modern workflows demand. Let’s explore how to harness this powerful tool on your Debian 13 server.

What Is SFTPGo? Key Features and Use Cases

SFTPGo is an open-source, fully-featured file transfer server that supports SFTP, FTP/S, and WebDAV protocols through a unified platform. Unlike traditional single-protocol servers, SFTPGo provides administrators with a centralized management interface—including both a web-based admin UI and REST API—making it ideal for automation and scalability.

The architecture revolves around a daemon service that reads configuration from files or environment variables. It supports multiple storage backends, including local filesystem, AWS S3, Google Cloud Storage, Azure Blob Storage, and S3-compatible providers. This flexibility allows you to design file transfer workflows that integrate seamlessly with your existing infrastructure.

Core features that distinguish SFTPGo include per-user and per-folder quotas, bandwidth throttling, data-at-rest encryption, and comprehensive event hooks for custom automation. The virtual user system eliminates the need to create system accounts for every file transfer user, significantly improving security by isolating file access from shell access.

Common deployment scenarios include secure file exchange portals for clients, centralized backup repositories with quota enforcement, CI/CD artifact distribution with role-based access control, and multi-protocol file access for diverse client environments. System administrators appreciate the granular permission model and the ability to configure chroot environments without complex SSH configurations.

Why Use SFTPGo on Debian 13?

Debian 13 “Trixie” provides a stable, well-maintained foundation for server deployments, making it an excellent choice for hosting SFTPGo. When compared to legacy FTP servers like vsftpd or pure-ftpd, SFTPGo delivers encryption by default, eliminating the security vulnerabilities inherent in plain FTP protocols.

The primary advantage lies in unified management. Traditional approaches often require separate configurations for SFTP (via OpenSSH), FTP, and WebDAV services. SFTPGo consolidates these protocols into a single service with consistent user management, reducing administrative overhead and potential configuration conflicts.

Security practitioners favor SFTPGo because it separates file transfer access from shell access. Exposing SSH accounts directly to external users creates unnecessary attack surface—if credentials are compromised, attackers gain shell access to your server. SFTPGo’s virtual user system provides auditable, protocol-specific credentials that never touch the underlying operating system’s authentication mechanisms.

Firewall management becomes significantly simpler with SFTPGo. While FTP requires opening complex port ranges for passive mode, SFTP operates over a single port. This streamlined approach reduces firewall rule complexity and minimizes potential security gaps in your network perimeter.

Prerequisites and System Requirements

Before beginning the installation, ensure your Debian 13 environment meets these requirements. You’ll need a fresh or existing Debian 13 “Trixie” server with root or sudo privileges and a stable internet connection for downloading packages.

Basic command-line proficiency is essential, as most configuration happens through terminal commands. You should be comfortable navigating the Linux filesystem, editing configuration files, and managing systemd services. SSH access to your server is required for remote administration.

For small to medium deployments, minimal hardware suffices: a single vCPU, 1-2 GB of RAM, and adequate storage for your file transfer needs will handle dozens of concurrent users. High-traffic environments or those utilizing object storage backends may require additional resources—monitor performance after deployment and scale accordingly.

Security considerations include ensuring your system packages are current and that time synchronization is configured properly via NTP or chrony. Accurate system time is critical for TLS certificate validation and log integrity. Additionally, you should have firewall management capabilities, whether through UFW, nftables, or iptables, to control network access to SFTPGo services.

Update Debian 13 and Install Base Packages

Starting with a fully updated system prevents compatibility issues and ensures you have the latest security patches. Debian’s package management system makes this straightforward.

Begin by updating your package lists and upgrading installed packages:

sudo apt update && sudo apt upgrade -y

This command refreshes the package index from all configured repositories and upgrades any outdated packages to their latest versions. The -y flag automatically confirms the upgrade process, though you may prefer to review changes manually in production environments.

Next, install essential tools required for managing third-party repositories and secure downloads:

sudo apt install -y curl gnupg ca-certificates lsb-release

These packages serve specific purposes: curl facilitates downloading repository keys and files, gnupg handles GPG signature verification, ca-certificates ensures proper HTTPS certificate validation, and lsb-release provides system information needed for repository configuration.

Verify your Debian release codename with:

lsb_release -c -s

This should return “trixie” for Debian 13. You’ll use this codename when adding the SFTPGo repository to ensure you receive packages built for your specific Debian version.

SFTPGo Installation Methods Overview

SFTPGo offers multiple installation approaches to accommodate different deployment scenarios and administrative preferences. The primary methods include the official APT repository, direct .deb package installation, and building from source code.

The APT repository method provides the most maintainable long-term solution. Once configured, regular apt update && apt upgrade commands will automatically fetch and install SFTPGo updates alongside your other system packages. This approach integrates seamlessly with Debian’s package management ecosystem.

Downloading official .deb packages from GitHub releases offers flexibility for testing pre-release versions or when you prefer not to add additional repositories to your system. However, you’ll need to manually check for and install updates, making this method more suitable for development or testing environments.

Building from source using Go provides maximum control and is ideal for customization or contributing to SFTPGo development. This approach requires more expertise and ongoing maintenance but allows you to compile specific branches or apply custom patches.

This guide focuses primarily on the APT repository method for Debian 13, as it balances ease of installation with maintainability for production deployments.

Method 1: Install SFTPGo from Official APT Repository

The official APT repository hosted by SFTPGo provides signed packages that integrate cleanly with Debian’s package management system. This method offers automatic updates and dependency resolution.

Import SFTPGo GPG Key

Package signing via GPG keys ensures that the software you install hasn’t been tampered with and originates from the legitimate SFTPGo project. Verifying signatures protects against supply chain attacks and corrupted downloads.

Import the official SFTPGo repository key into your system’s trusted keyring:

curl -sS https://ftp.osuosl.org/pub/sftpgo/apt/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/sftpgo-archive-keyring.gpg

This command downloads the GPG key and converts it to the binary format expected by modern APT, storing it in the system-wide keyring directory. The -sS flags for curl enable silent mode while still displaying errors if the download fails.

Add SFTPGo APT Repository for Debian 13

With the signing key in place, configure the SFTPGo repository in your APT sources. First, capture your Debian codename:

CODENAME=$(lsb_release -c -s)

Then add the repository configuration:

echo "deb [signed-by=/usr/share/keyrings/sftpgo-archive-keyring.gpg] https://ftp.osuosl.org/pub/sftpgo/apt ${CODENAME} main" | sudo tee /etc/apt/sources.list.d/sftpgo.list

This creates a dedicated source list file for SFTPGo, keeping it separate from your main sources configuration. The [signed-by=...] directive tells APT which key to use for package verification, enhancing security by preventing key ambiguity.

Note that as Debian 13 “Trixie” is relatively new, verify official SFTPGo documentation for explicit Trixie support confirmation. The repository structure typically supports new Debian releases shortly after their stable release.

Update Package Index and Install SFTPGo

Refresh your package lists to include the newly added SFTPGo repository:

sudo apt update

Now install SFTPGo:

sudo apt install -y sftpgo

The package manager will download SFTPGo along with any required dependencies, install the daemon binary to /usr/bin/sftpgo, place configuration files under /etc/sftpgo/, and set up a systemd service unit for process management.

Verify the installation by checking the SFTPGo version:

sftpgo --version

This confirms that the binary is properly installed and accessible in your system PATH. The version output also helps when troubleshooting or consulting documentation for version-specific features.

Manage SFTPGo Service with systemd

Debian 13 uses systemd as its init system, providing robust service management capabilities. Start the SFTPGo service:

sudo systemctl start sftpgo

Enable automatic startup on system boot:

sudo systemctl enable sftpgo

Check the service status to ensure it’s running correctly:

sudo systemctl status sftpgo

You should see output indicating the service is “active (running)” with recent log entries. If the service fails to start, examine the logs for diagnostic information:

journalctl -u sftpgo -e

The -e flag jumps to the end of the log, showing the most recent entries where error messages typically appear. Common startup issues include configuration syntax errors or port conflicts with existing services.

By default, SFTPGo listens on port 2022 for SFTP connections and port 8080 for the web administration interface, though these ports are configurable in the main configuration file.

Method 2: Install SFTPGo Using Official .deb Package

Direct .deb package installation offers an alternative when you prefer not to add the APT repository or need to test specific release versions. This method downloads the package file directly from GitHub.

Determine the latest SFTPGo release version. You can check manually at the GitHub releases page, or use this command to fetch it programmatically:

VER=$(curl -s https://api.github.com/repos/drakkan/sftpgo/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')

This extracts the version tag from the GitHub API response, removing the leading “v” to match the package naming convention.

Download the appropriate .deb package for AMD64 architecture:

wget https://github.com/drakkan/sftpgo/releases/download/v$VER/sftpgo_$VER-1_amd64.deb

Install the package using APT, which handles dependency resolution:

sudo apt install ./sftpgo_$VER-1_amd64.deb

Alternatively, use dpkg directly, though you may need to resolve dependencies manually:

sudo dpkg -i sftpgo_$VER-1_amd64.deb
sudo apt -f install

The second command fixes any missing dependencies. After installation, manage the service using the same systemd commands described in Method 1.

While this approach works well for one-time installations or testing, the repository method remains preferable for production servers due to simplified update management.

Optional: Install SFTPGo from Source

Building SFTPGo from source code appeals to advanced users who need bleeding-edge features, custom modifications, or wish to contribute to development. This method requires the Go programming language compiler.

Install Go and build dependencies:

sudo apt install golang sqlite3 git build-essential

Clone the SFTPGo repository:

git clone https://github.com/drakkan/sftpgo.git
cd sftpgo

Build the project according to the repository’s instructions, which typically involve:

go build -o sftpgo

Or use the provided Makefile for a release build with optimizations. Consult the official repository’s README and build documentation for detailed, version-specific instructions.

Source builds require manual service configuration, as you won’t get systemd unit files automatically. Most administrators find packaged installations more practical for production use, reserving source builds for development environments.

Understanding SFTPGo Configuration Files and Directories

SFTPGo’s behavior is controlled through configuration files and runtime directories that the Debian package creates automatically. The primary configuration file resides at /etc/sftpgo/sftpgo.json or /etc/sftpgo/sftpgo.yml, depending on your installation version and preferences.

This configuration file defines listeners for each protocol (SFTP, FTP/S, WebDAV), storage backend settings, user authentication mechanisms, and administrative interface parameters. The JSON or YAML format allows for structured, hierarchical configuration that scales from simple deployments to complex multi-protocol setups.

Runtime data directories include /var/lib/sftpgo for application data such as user databases when using the built-in provider, and /var/log/sftpgo for log files if file-based logging is enabled. Many administrators prefer systemd journal logging, which integrates seamlessly with journalctl.

SFTPGo supports multiple storage backends beyond the local filesystem. You can configure S3-compatible object storage, Google Cloud Storage, Azure Blob Storage, or encrypted local storage depending on your infrastructure requirements. Each backend type has specific configuration parameters defined in the main configuration file.

The virtual user system separates file transfer users from system accounts. Users defined in SFTPGo’s database or configuration exist only within the SFTPGo application context, with their own home directories, permissions, and protocol access controls.

Initial SFTPGo Service Verification on Debian 13

After installation, verify that SFTPGo is running and accessible. Check the systemd service status:

sudo systemctl status sftpgo

Look for “active (running)” status. The status output includes recent log entries that can reveal configuration issues or successful startup messages.

Verify network listeners using socket statistics:

ss -tulpn | grep sftpgo

Or with netstat if you prefer the traditional tool:

sudo netstat -tulpn | grep sftpgo

You should see SFTPGo listening on the configured ports—typically 2022 for SFTP and 8080 for the web UI. If ports aren’t bound, examine logs for configuration errors or port conflicts with other services.

Access the web administration interface by opening a browser and navigating to http://your-server-ip:8080 (adjust the port if you’ve customized the configuration). The initial setup may require creating an administrator account, or you might need to consult the documentation for default credentials, which should be changed immediately for security.

Test basic SFTP connectivity once you’ve configured a user (covered in the next section):

sftp -P 2022 username@your-server-ip

Replace the port, username, and server IP with your actual values. Successful authentication confirms that SFTPGo is properly receiving and processing SFTP connections.

Basic SFTPGo Configuration: User and Storage Setup

Configuring your first user transforms SFTPGo from an installed service into a functional file transfer system. This section covers directory preparation and user creation for a basic local filesystem deployment.

Create Directories and System Users

While SFTPGo’s virtual users don’t require system accounts, you should create dedicated directories with appropriate ownership for secure file storage. Create a base directory structure:

sudo mkdir -p /srv/sftpgo/users
sudo chown -R sftpgo:sftpgo /srv/sftpgo
sudo chmod 755 /srv/sftpgo

These commands establish a dedicated storage location outside the home directory structure, with ownership assigned to the sftpgo service user created by the package installation. Setting restrictive permissions ensures that only SFTPGo can access these directories.

For multi-user environments, create subdirectories for each user:

sudo mkdir -p /srv/sftpgo/users/testuser
sudo chown sftpgo:sftpgo /srv/sftpgo/users/testuser
sudo chmod 750 /srv/sftpgo/users/testuser

This directory will serve as the home directory and chroot environment for the user.

Configure a Simple Local User in SFTPGo

User configuration can happen through the web UI or by editing configuration files directly. Using the web interface provides a more intuitive experience, especially when learning SFTPGo’s permission model.

Navigate to the web admin interface and create a new user with these essential settings:

• Username: A unique identifier for the user (e.g., “testuser”)
• Password or Public Key: Authentication credentials—passwords are simpler initially, but SSH public keys offer better security
• Home Directory: /srv/sftpgo/users/testuser (the directory you created earlier)
• Permissions: Select allowed operations—upload, download, delete, rename, create directories, etc.
• Status: Active

Advanced options include:

• Quota Size: Maximum storage allocation for the user’s files
• Bandwidth Limits: Upload and download rate restrictions
• Allowed IP: Whitelist specific IP addresses or ranges
• Protocols: Enable or disable SFTP, FTP/S, or WebDAV per user

After creating the user, test access:

sftp -P 2022 testuser@your-server-ip

Enter the password when prompted. A successful connection drops you into an SFTP session where you can test file operations:

sftp> pwd
sftp> ls
sftp> put local-file.txt
sftp> get remote-file.txt
sftp> quit

This confirms that your user is properly configured and SFTPGo is functioning correctly.

Securing SFTPGo on Debian 13

Security hardening protects your file transfer service from unauthorized access and ensures data confidentiality during transit.

Configure Firewall Rules

Debian 13 supports multiple firewall management tools. If using UFW, allow the necessary ports:

sudo ufw allow 2022/tcp comment 'SFTPGo SFTP'
sudo ufw allow 8080/tcp comment 'SFTPGo Web UI'

Adjust port numbers to match your configuration. For production environments, consider restricting web UI access to specific IP ranges:

sudo ufw allow from 192.168.1.0/24 to any port 8080 proto tcp

If using nftables (Debian 13’s default), add rules to your existing ruleset. Create or edit /etc/nftables.conf:

table inet filter {
    chain input {
        tcp dport 2022 accept comment "SFTPGo SFTP"
        tcp dport 8080 accept comment "SFTPGo Web UI"
    }
}

Reload nftables after editing:

sudo nft -f /etc/nftables.conf

Never expose administrative interfaces to the public internet without additional protection like VPN access or IP whitelisting.

Enable TLS for Web UI

Transmitting administrative credentials over HTTP exposes them to interception. Enable HTTPS by obtaining a TLS certificate.

For production deployments, use Let’s Encrypt certificates via a reverse proxy like Nginx or Apache. This approach provides SSL termination, rate limiting, and additional security layers.

Install Nginx:

sudo apt install nginx certbot python3-certbot-nginx

Configure a reverse proxy in /etc/nginx/sites-available/sftpgo:

server {
    listen 80;
    server_name sftpgo.yourdomain.com;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site and obtain a certificate:

sudo ln -s /etc/nginx/sites-available/sftpgo /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
sudo certbot --nginx -d sftpgo.yourdomain.com

Certbot automatically configures HTTPS and certificate renewal. Access the web UI via https://sftpgo.yourdomain.com instead of the IP and port.

Testing SFTPGo: SFTP, FTP, and WebDAV Access

Comprehensive testing validates that all enabled protocols function correctly across different client types.

For SFTP access, use the command-line client or GUI tools like FileZilla or WinSCP:

sftp -P 2022 testuser@your-server-ip

Perform real-world operations:

sftp> put /path/to/local/file.txt
sftp> ls -la
sftp> mkdir testdir
sftp> cd testdir
sftp> get remote-file.txt

These commands test upload, directory listing, directory creation, navigation, and download operations.

If you’ve enabled FTP or FTPS protocols in SFTPGo, test with an FTP client. Many administrators prefer FTPS (FTP over TLS) for clients that don’t support SFTP. Configure FileZilla or another client with:

• Protocol: FTPS (Explicit TLS)
• Host: your-server-ip
• Port: 21 (or your configured FTP port)
• Username and password: Your SFTPGo virtual user credentials

SFTPGo treats FTP and SFTP users identically—the same virtual users can authenticate via multiple protocols simultaneously.

WebDAV support enables mounting SFTPGo directories as network drives in Windows, macOS, and Linux. Test WebDAV access using a WebDAV-capable file manager or the davfs2 mount utility on Linux:

sudo apt install davfs2
sudo mount -t davfs http://your-server-ip:webdav-port /mnt/sftpgo

Enter your SFTPGo username and password when prompted. Files appear as a mounted filesystem, providing familiar file operations through your OS file manager.

Common Issues and Troubleshooting on Debian 13

Understanding common problems accelerates issue resolution and minimizes downtime during deployment.

GPG Key Import Failures: If adding the repository key fails, verify internet connectivity and check for proxy configurations that might intercept the download. Ensure the keyring directory exists: sudo mkdir -p /usr/share/keyrings

Repository Addition Errors: If APT complains about the repository format, verify that the signed-by path matches where you stored the GPG key. Double-check the codename variable matches your Debian version.

Service Start Failures: When systemd can’t start SFTPGo, examine logs immediately: journalctl -u sftpgo -n 50. Common causes include syntax errors in configuration files, port conflicts with existing services, or permission issues on data directories.

Connection Timeouts: If clients can’t connect to SFTPGo, verify firewall rules first: sudo ufw status or check nftables rules. Ensure the service is listening on expected interfaces with ss -tulpn | grep sftpgo. Router or cloud security group configurations may also block traffic.

Authentication Failures: Users receiving “permission denied” errors should verify credentials match exactly what’s configured in SFTPGo. Check that the user status is “Active” and protocols are enabled for that user. Review logs for specific authentication error details.

File Permission Issues: If users can authenticate but can’t write files, verify that SFTPGo’s service user has write permissions to the home directories. Check permissions with ls -la /srv/sftpgo/users/ and adjust with chown and chmod as needed.

Best Practices and Maintenance for SFTPGo on Debian 13

Ongoing maintenance ensures reliability and security throughout your SFTPGo deployment’s lifecycle.

Keep your Debian 13 system updated with regular security patches: sudo apt update && sudo apt upgrade weekly or enable unattended-upgrades for automatic security updates. SFTPGo updates flow through the APT repository seamlessly.

Implement regular backups of critical components. Back up /etc/sftpgo/ for configuration preservation and any SQLite databases if using the built-in data provider. Automate backups with cron jobs that copy these files to remote storage:

0 2 * * * tar czf /backup/sftpgo-config-$(date +\%Y\%m\%d).tar.gz /etc/sftpgo

Monitor disk usage for user quotas and adjust allocations as requirements change. SFTPGo’s REST API enables automated monitoring integration with tools like Prometheus.

Review access logs regularly for unusual patterns—multiple failed authentication attempts, unexpected IP addresses, or off-hours access that doesn’t match expected usage. Enable detailed logging in SFTPGo configuration for comprehensive audit trails.

Implement least-privilege principles: create users with only the permissions and protocols they specifically require. Disable unused protocols globally if your environment doesn’t need them.

Rotate passwords or SSH keys periodically, especially for accounts with elevated privileges or those accessed from unsecured networks. Consider implementing two-factor authentication through external authentication providers for high-security environments.

Congratulations! You have successfully installed SFTPGo. Thanks for using this tutorial for installing SFTPGo on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official SFTPGo website.