S3 Compatible Object Storage backends
SFTPGo can use any S3-compatible object storage service as a storage backend, including AWS S3, Wasabi, Backblaze B2, and others.
For concrete configuration examples against specific providers — Cloudflare R2, Backblaze B2, MinIO, Ceph, Wasabi, Hetzner, Scaleway, OVHcloud, DigitalOcean Spaces, Oracle OCI, Alibaba OSS, IBM COS, SeaweedFS, Storj, and more — see S3-compatible services.
Authentication
SFTPGo supports multiple credential methods:
- Access Keys — Provide an Access Key ID and Secret Access Key directly.
- IAM Roles for EC2 — Assign an IAM role to the EC2 instance running SFTPGo.
- IAM Roles for ECS — Use IAM roles attached to ECS task definitions.
- IAM Roles for Service Accounts (IRSA) — For SFTPGo running on AWS EKS.
- Assume Role — Specify an IAM Role ARN to assume via STS, optionally with a session token for temporary credentials.
To use options 2–4, leave the access keys blank — SFTPGo will use the AWS SDK's default credential chain. To use option 5, set the Role ARN field (and optionally a session token).
Configuration
| Parameter | Description |
|---|---|
| Bucket | Required. The S3 bucket to use. Must already exist. |
| Region | AWS region (e.g., eu-central-1). Required unless an endpoint is specified. See the list of available regions. |
| Access Key / Access Secret | AWS credentials. Leave both blank to use IAM roles or the default credential chain. |
| Role ARN | IAM Role ARN to assume via STS. When set, overrides explicit access keys. |
| Session Token | Optional temporary session token (for STS-based credentials). |
| Endpoint | Custom endpoint URL (required for S3-compatible services). Must include the protocol (e.g., https://s3.example.com:9000). |
| Key prefix | Optional. Restricts the user to a "folder" within the bucket. Each user can only access objects under their assigned prefix. The prefix does not need to exist beforehand. |
| Storage class | S3 storage class for uploaded objects (e.g., STANDARD, GLACIER). Leave blank for the default. |
| ACL | Canned ACL to apply to uploaded objects. Leave blank for the default. |
| Force path style | Use path-style addressing (http://s3.amazonaws.com/BUCKET/KEY) instead of virtual-hosted style. Required for some S3-compatible services. |
| SSE Customer Key | Customer-provided key for server-side encryption (SSE-C). When set, all objects are encrypted/decrypted using this key. The key is stored encrypted according to your KMS configuration. |
| Skip TLS verify | Accept any TLS certificate.  Only for testing — susceptible to man-in-the-middle attacks. |
| Checksum algorithm | Optional. One of CRC32, CRC32C, CRC64NVME, SHA1, SHA256. When set, the AWS SDK computes the checksum and sends it with PutObject, multipart upload parts, and CopyObject so S3 can verify payload integrity on upload. Required if Object Lock is enabled on the bucket: uploads to an Object Lock-protected bucket must include a checksum, otherwise they are rejected. The same requirement applies to S3-compatible services that implement Object Lock. Leave empty otherwise for maximum compatibility with S3-compatible services that do not support all algorithms. |
Multipart upload and download tuning
SFTPGo uses multipart uploads and parallel downloads for transferring files to/from S3.
| Parameter | Default | Range | Description |
|---|---|---|---|
| Upload part size | 5 MB | 5–2000 MB | Size of each part in a multipart upload. |
| Upload concurrency | 5 | 0–64 | Number of parts uploaded in parallel. |
| Upload part max time | 0 (no limit) | — | Maximum seconds to upload a single part. |
| Download part size | 5 MB | 5–2000 MB | Size of each part in a parallel download. |
| Download concurrency | 5 | 0–64 | Number of parts downloaded in parallel. Ignored for partial downloads. |
| Download part max time | 0 (no limit) | — | Maximum seconds to download a single part. Ignored for partial downloads. |
If the upload bandwidth between the client and SFTPGo is greater than the bandwidth between SFTPGo and S3, the client may need to wait for the final parts to be uploaded after finishing its transfer, potentially causing a timeout. Adjust part size and concurrency accordingly.
Limitations
chownandchmodare not supported. Setsetstat_modeto1or2in the configuration to silently ignore these commands.truncate,symlink, andreadlinkare not supported.- Opening a file for both reading and writing at the same time is not supported.
renameis implemented as server-side copy + delete — not atomic.- Renaming non-empty directories is not supported (each object would require a separate API call).
- Modification time (
chtime) is not supported. - Upload resume is disabled by default. It can be enabled for files up to a configurable size via
resume_max_size, but requires re-uploading the entire file. - A local home directory is required for temporary files, unless in-memory pipes are enabled via
SFTPGO_HOOK__MEMORY_PIPES__ENABLED=1. - Clients that require advanced filesystem-like features (e.g.,
sshfs) are not supported. - For server-side encryption with AWS-managed keys (SSE-S3 or SSE-KMS), configure the bucket's default encryption settings in the AWS Console. SFTPGo natively supports SSE-C (customer-provided keys) via the
SSE Customer Keyfield.