Bitvise SSH Server: Secure file transfer using SFTP, SCP and FTPS

Bitvise SSH Server supports secure, encrypted file transfer using the protocols SFTP and SCP over SSH, and FTP over TLS (SSL). This way, no one can see your access credentials, or the files you transfer over the internet.

Client or server?

You need our SSH Server if you want to set up a computer to receive connections from others, for either upload or download.

You need our SSH Client if you want to initiate connections to a server set up by someone, for either upload or download.

Key server features

• SFTP server: Secure file transfer using SFTP - compatible with a wide variety of clients, both commercial and free.

• SCP server: Secure file transfer using SCP - compatible with command line and graphical clients. Works with WinSCP in both SFTP and SCP modes.

• FTPS server: Supports security-conscious clients that implement FTP over TLS (SSL). FTPS clients must support explicit TLS, passive mode, and the TLS resume feature for data connections.

• Supports all desktop and server versions of Windows, 32-bit and 64-bit, from Windows XP SP3 and Windows Server 2003, up to the most recent – Windows 11 and Windows Server 2022.

• Intuitive: Use Easy settings for most straightforward setups, or Advanced settings for highly granular control.

• Encryption and security: Provides state-of-the-art encryption and security measures suitable as part of a standards-compliant solution meeting the requirements of PCI, HIPAA, or FIPS 140-2 validation.

• Two-factor authentication: Connections using SSH, SFTP and SCP clients can require an additional time-based one-time password.

• Designed for Windows: Full support for Active Directory domains and Kerberos single sign-on. Supports login with Windows accounts and Windows group-based settings, in addition to virtual accounts created in SSH Server settings.

• Virtual filesystem: Users connecting with file transfer clients can be restricted to a single directory, or several directories in a complex layout.

• Fast: Allows file transfer clients to obtain some of the fastest speeds available – with Bitvise SSH Client, in the tens or hundreds of MB/s. SFTP v6 optimizations, including copy-file and check-file for remote file hashing and checksums, are supported.

• Scriptable: All aspects of the SSH Server can be configured graphically, through a command line interface, or using PowerShell scripting.

• No license-related limits on the number of concurrent connections or total users.

Complete SSH feature set

In addition to first-class support for secure file transfer using SFTP and SCP, our software offers a full set of SSH features, including an excellent terminal console and tunneling. These features can be controlled with high granularity, and enabled and disabled at will. See our SSH Server and SSH Client pages for much more information.

Windows version compatibility

Bitvise SSH Server supports the following Windows versions:

• Windows Server 2022
• Windows 11
• Windows Server 2019
• Windows Server 2016
• Windows 10
• Windows Server 2012 R2
• Windows Server 2012
• Windows 8.1
• Windows Server 2008 R2
• Windows Server 2008
• Windows Vista SP1 or SP2
• Windows Server 2003 R2
• Windows Server 2003
• Windows XP SP3

A recent Bitvise SSH Server version should be used on all platforms. The SSH Server is network-facing, security-sensitive software. Using a recent version is the only way to receive updates. Therefore, we do not recommend indefinite use of older versions.

Encryption and security features

SSH, SFTP and SCP:

• Key exchange algorithms:

  • Curve25519
  • ECDH over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
  • Diffie Hellman with group exchange using SHA-256
  • Diffie Hellman with fixed 4096, 3072, or 2048-bit group parameters using SHA-512 or SHA-256
  • Diffie Hellman with 1024-bit group parameters or using SHA-1 (legacy)
  • GSSAPI key exchange using Diffie Hellman and Kerberos authentication

• Signature algorithms:

  • Ed25519
  • ECDSA over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
  • RSA using 4096, 3072, or 2048-bit key sizes with SHA-512 or SHA-256
  • RSA using 1024-bit keys or with SHA-1 (legacy)
  • DSA using SHA-1 (legacy)

• Encryption algorithms:

  • ChaCha20 with 512-bit keys with Poly1305
  • AES with 256, 128-bit keys in GCM mode
  • AES with 256, 192, 128-bit keys in CTR mode
  • AES with 256, 192, 128-bit keys in CBC mode (legacy)
  • 3DES in CTR or CBC mode (legacy)

• Data integrity protection:

  • ChaCha20 with 512-bit keys with Poly1305
  • AES with 256, 128-bit keys in GCM mode
  • HMAC using SHA-256 or SHA-512, in encrypt-then-MAC mode
  • HMAC using SHA-256 or SHA-512 (classic)
  • HMAC using SHA-1 (legacy)

• Server authentication:

  • Client verifies server identity using server host key fingerprint or public key
  • Automatic synchronization of new host keys to client supported

• Client authentication:

  • Password authentication with Windows accounts - local or Active Directory
  • Password authentication with virtual accounts - configurable password policy
  • Password change during password authentication
  • Public key authentication
  • Kerberos single sign-on using GSSAPI
  • Two-factor authentication with a time-based one-time password

FTP over TLS (SSL):

• TLS security:

  • Available TLS versions and cipher suites depend on the installed version of Windows
  • TLS versions 1.0, 1.1 and 1.2 can be enabled individually in Advanced settings
  • ECDHE, RSA and DHE cipher suite families can be enabled individually

• Authentication:

  • Can use self-signed or CA-signed server certificate
  • Password authentication with Windows accounts - local or Active Directory
  • Password authentication with virtual accounts - configurable password policy

• Requires secure clients:

  • Only secure FTPS is supported - plaintext FTP connections are not accepted
  • FTPS clients must support explicit TLS using the AUTH TLS command
  • FTPS clients must support passive mode and use the TLS resume feature for data connections

Additional security features:

• Denial of service protection through throttling of incoming connections
• Login attempt delay for concurrent logins for same user or from same IP address
• Automatic temporary IP address blocking with IP whitelist
• Username blacklist
• Configurable client IP address, product version string restrictions
• Account-specific IP address restrictions
• IP-based access rules configurable by country

FIPS 140-2 validation

When FIPS is enabled in Windows, our software uses Windows built-in cryptography, validated by NIST to FIPS 140-2 under certificates #2937, #2606, #2357, and #1892. On Windows XP and 2003, our software uses the Crypto++ 5.3.0 FIPS DLL, originally validated by NIST under certificate #819 (historical). When FIPS mode is not enabled, additional non-FIPS algorithms are supported.

Cryptographic implementations and availability

Current Bitvise software versions (9.12 and higher) use the following cryptographic implementations for different algorithms, on different versions of Windows:

Algorithm	Windows XP, Server 2003	Windows Vista to 8.1, Server 2008 to 2012 R2	Windows 10, 11, Server 2016 to 2022
Signature
RSA	Crypto++ 5.3	Windows CNG	Windows CNG
Ed25519	n/a	DJB	DJB
ECDSA (NIST curves)	Crypto++ 5.3	Windows CNG	Windows CNG
ECDSA/secp256k1	Crypto++ 5.3	OpenSSL	Windows CNG
1024-bit DSA	Crypto++ 5.3	Windows CNG	Windows CNG
Non-standard DSA	Crypto++ 5.3	Crypto++ 5.6	Crypto++ 5.6
Key exchange
Classic DH	Crypto++ 5.3	Windows CNG	Windows CNG
Curve25519	n/a	DJB	DJB
ECDH (NIST curves)	Crypto++ 5.3	Windows CNG	Windows CNG
ECDH/secp256k1	Crypto++ 5.3	OpenSSL	Windows CNG
Encryption
AES	Crypto++ 5.3	Windows CNG	Windows CNG
ChaCha20	n/a	OpenSSL	OpenSSL
3DES	Crypto++ 5.3	Windows CNG	Windows CNG
Integrity
GCM	n/a	Windows CNG	Windows CNG
Poly1305	n/a	OpenSSL	OpenSSL
HMAC-SHA2	Crypto++ 5.3	Windows CNG	Windows CNG
HMAC-SHA1	Crypto++ 5.3	Windows CNG	Windows CNG

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

Try our SSH Server!

Our advanced SSH Server for Windows provides secure remote access, file transfer, and tunneling. Supports public key and two-factor authentication, SCP, SFTP, FTPS. Its advantages include speed, security, reliability, ease of use, configurability, and the best terminal console on Windows. Try it free for up to 30 days!

Try our SSH Client!

Our friendly and flexible SSH Client for Windows includes state of the art terminal emulation, graphical as well as command-line SFTP support, SFTP drive mapping, an FTP-to-SFTP bridge, powerful tunneling features, and also remote administration for our SSH Server. Free to use!

What is SSH?

Our products implement SSH (Secure Shell), SFTP, and SCP. Learn more about SSH, and how it differs from TLS/SSL and FTP.