  • sudo sftpgatewaysetup: Initial setup for SFTP Gateway
  • sudo sftpgatewaysetup --bucket your-s3-bucket-name: Specify the name of your default bucket
  • sudo addsftpuser <user>: Creates and configures a user
  • sudo deletesftpuser <username>: Deletes a user
  • sudo sftpgw update: Updates to the latest version
  • sudo sftpgw reset <user>: Resets a user
  • sudo sftpgw version: Shows the version

Linux command line SFTP client

  • ssh -i <private.key> ec2-user@<IP address>: log in to the EC2 instance
  • sftp -i <private.key> <user>@<IP address>: log in to the SFTP Gateway client
  • ls: remote directory listing
  • cd <directory>: remote change directory
  • pwd: remote print current directory
  • put: upload file from current local directory to current remote directory
  • lls: local directory listing
  • lcd <directory>: local change directory
  • lpwd: local print current directory

Troubleshooting reference

  • sudo incrontab -l: Outputs list of directories that upload to S3
  • sudo df -h: Available disk space on the EC2 instance
  • /home/<user>/.ssh/authorized_keys: Public keys for authorized SFTP users
  • ssh-keygen -t rsa -C test.key -f test.key -q -N "": Generates a public and private key
  • /etc/init.d/incrond restart: Restarts the incrond service


Paths accessible to the SFTP user

  • /home/<user>/home/<user>/downloads/: S3 download files sync to this directory
  • /home/<user>/home/<user>/local/: Writeable by SFTP user. Files in this location remain local to the server.
  • /home/<user>/home/<user>/shared/: S3 shared files sync to this directory
  • /home/<user>/home/<user>/uploads/: Writeable by the SFTP user. Forwards files to S3.

Properties files

  • /home/ec2-user/.sftpgateway/: Contains global properties
  • /home/<user>/.sftpgateway/: Contains user specific properties
  • /home/ec2-user/.sftpgateway/sftpgateway.sync: Configures shared download location


  • /var/log/movetos3/movetos3.log: Logs file uploads to S3
  • /var/log/movetos3/s3sync.log: Logs download sync activity
  • /var/log/secure: Logs SFTP logins and failures

User SSH keys

  • /opt/sftpgw/keys: Keys are stashed here, in case the email doesn’t go through
  • /home/user/home/user/.ssh/authorized_keys: Public keys are appended to this file for user authentication

Using SSE-C for decrypting private downloads

  • /home/<user>/.sftpgateway/: Sets encryption options
  • /home/<user>/.sftpgateway/sse-sync.key: Custom encryption key location

Using SSE-C for decrypting shared downloads

  • /root/.sftpgateway/: Sets encryption options
  • /root/.sftpgateway/sse-sync.key: Custom encryption key location

S3 Paths

  • s3://sftpgateway-i-0123456789abcde/<user>/uploads/: Upload directory
  • s3://sftpgateway-i-0123456789abcde/<user>/downloads/: Private download directory
  • s3://sftpgateway-i-0123456789abcde/shared/: Shared download directory
  • s3://custom-bucket/<user>/uploads/: Custom upload directory
  • s3://custom-bucket/<user>/downloads/: Custom private download directory

Global Properties

Global properties are stored here: /home/ec2-user/.sftpgateway/

  • sftpgateway.bucketname: The default S3 bucket to save files. May be overridden on a per user basis
  • sftpgateway.region: The S3 region to use. Defaults to the region of the EC2 instance
  • sftpgateway.uploaddir: The default user upload dir to monitor for incoming files. Defaults to uploads
  • sftpgateway.downloaddir: The default user download dir to sync from S3. Defaults to downloads.
  • sftpgateway.rootsharedir: The local shared directory for shared downloads. Defaults to /opt/sftpgw/shared/
  • sftpgateway.s3sharedir: The S3 location for storing shared downloads. Defaults to s3://<bucketname>/shared/
  • sftpgateway.singlethread: Property that controls whether movetos3 calls will run sequentially to conserve memory and network bandwidth. May be needed for instances that receive many small files all at once. Defaults to yes. Set this to no to disable.
  • sftpgateway.md5check: Determines whether to perform an MD5 check prior to uploading files to S3. See this page.
  • sftpgateway.fileexclusions: Ignore files with a specific file extension. See this page for more details.

User Specific Properties

User Specific Properties are stored here: /home/<user>/.sftpgateway/

  • s3.uploadpath - Overridden S3 storage location for a single user. Must be in the format of s3://<bucketname>/<path>/. If <path> is omitted, it will store files in the root of the S3 bucket.
  • sse.option - Integer that identifies SSE Option. Valid options include:
    • 1 S3 Managed SSE (SSE-S3)
    • 2 AWS KMS Managed SSE (SSE-KMS)
    • 3 SSE with Customer Provided Keys (SSE-C). The AES 256 key must be stored as binary in a file called /home/<user>/.sftpgateway/sse.key
    • 4 No encryption
  • - The ARN of the AWS KMS key. If sse.option is 2, this field is required.
  • sse.sync.option - The SSE option to use for downloads from S3 to SFTP. This property is not created by default. It must be added if the files to be downloaded from S3 are encrypted. See sse.option for acceptable values. If sse.sync.option is 3, the AES 256 key must be stored as binary in a file called /home/<user>/.sftpgateway/sse-sync.key
  • - The KMS ARN for downloads from S3 to SFTP. This property is required if sse.sync.option is 2. This property is not created by default. It must be added if the files to be downloaded from S3 are encrypted.
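
An added example, not part of the SFTP Gateway documentation: one way to create the raw 32-byte key that sse.option 3 and sse.sync.option 3 expect (sse.key and sse-sync.key), and to check an existing key file for the usual mistakes of storing it hex- or base64-encoded or leaving it readable by other accounts. The function names make_sse_key and check_sse_key and their return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create and check a raw AES-256 key file for SSE-C.
# make_sse_key / check_sse_key are illustrative names, not SFTP Gateway tools.

# make_sse_key FILE: write 32 random bytes to FILE, accessible to the owner only.
make_sse_key() {
    key_file=$1
    if [ -e "$key_file" ]; then
        echo "$key_file: already exists, refusing to overwrite" >&2
        return 1
    fi
    (
        umask 077    # the new file is created with mode 0600
        dd if=/dev/urandom of="$key_file" bs=32 count=1 2>/dev/null
    )
}

# check_sse_key FILE: return 0 when FILE is a usable binary AES-256 key.
#   1 = file missing, 2 = wrong length, 3 = accessible to group or others
check_sse_key() {
    key_file=$1
    if [ ! -f "$key_file" ]; then
        echo "$key_file: not found" >&2
        return 1
    fi
    size=$(( $(wc -c < "$key_file") ))
    case $size in
        32) ;;
        64|65) echo "$key_file: $size bytes, looks hex-encoded; store the raw bytes" >&2
               return 2 ;;
        44|45) echo "$key_file: $size bytes, looks base64-encoded; store the raw bytes" >&2
               return 2 ;;
        *)     echo "$key_file: $size bytes, expected 32" >&2
               return 2 ;;
    esac
    # The first 10 characters of ls -ld are the file type and permission bits.
    case $(ls -ld "$key_file" | cut -c1-10) in
        -r[w-]-------) ;;
        *) echo "$key_file: group or others can access it; run chmod 600" >&2
           return 3 ;;
    esac
    return 0
}

# Usage (path taken from the list above):
#   make_sse_key  /home/<user>/.sftpgateway/sse.key
#   check_sse_key /home/<user>/.sftpgateway/sse-sync.key
```

The same 32 bytes must be used for the upload and for every later download of an object, so keep a protected copy of the key file outside the instance.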