Bitvise SSH Server: Secure file transfer using SFTP, SCP and FTPS
Bitvise SSH Server supports secure, encrypted file transfer using the protocols SFTP and SCP over SSH, and FTP over TLS (SSL). This way, no one can see your access credentials, or the files you transfer over the internet.
Client or server?
You need our SSH Server if you want to set up a computer to receive connections from others, for either upload or download.
You need our SSH Client if you want to initiate connections to a server set up by someone, for either upload or download.
Key server features
SFTP server: Secure file transfer using SFTP - compatible with a wide variety of clients, both commercial and free.
SCP server: Secure file transfer using SCP - compatible with command line and graphical clients. Works with WinSCP in both SFTP and SCP modes.
FTPS server: Supports security-conscious clients that implement FTP over TLS (SSL). FTPS clients must support explicit TLS, passive mode, and the TLS resume feature for data connections.
Supports all desktop and server versions of Windows, 32-bit and 64-bit, from Windows XP SP3 and Windows Server 2003, up to the most recent – Windows 11 and Windows Server 2022.
Intuitive: Use Easy settings for most straightforward setups, or Advanced settings for highly granular control.
Encryption and security: Provides state-of-the-art encryption and security measures suitable as part of a standards-compliant solution meeting the requirements of PCI, HIPAA, or FIPS 140-2 validation.
Two-factor authentication: Connections using SSH, SFTP and SCP clients can require an additional time-based one-time password.
Designed for Windows: Full support for Active Directory domains and Kerberos single sign-on. Supports login with Windows accounts and Windows group-based settings, in addition to virtual accounts created in SSH Server settings.
Virtual filesystem: Users connecting with file transfer clients can be restricted to a single directory, or several directories in a complex layout.
Fast: Allows file transfer clients to obtain some of the fastest speeds available – with Bitvise SSH Client, in the tens or hundreds of MB/s. SFTP v6 optimizations, including copy-file and check-file for remote file hashing and checksums, are supported.
Scriptable: All aspects of the SSH Server can be configured graphically, through a command line interface, or using PowerShell scripting.
No license-related limits on the number of concurrent connections or total users.
Complete SSH feature set
In addition to first-class support for secure file transfer using SFTP and SCP, our software offers a full set of SSH features, including an excellent terminal console and tunneling. These features can be controlled with high granularity, and enabled and disabled at will. See our SSH Server and SSH Client pages for much more information.
Windows version compatibility
Bitvise SSH Server supports the following Windows versions:
- Windows Server 2022
- Windows 11
- Windows Server 2019
- Windows Server 2016
- Windows 10
- Windows Server 2012 R2
- Windows Server 2012
- Windows 8.1
- Windows Server 2008 R2
- Windows Server 2008
- Windows Vista SP1 or SP2
- Windows Server 2003 R2
- Windows Server 2003
- Windows XP SP3
A recent Bitvise SSH Server version should be used on all platforms. The SSH Server is network-facing, security-sensitive software. Using a recent version is the only way to receive updates. Therefore, we do not recommend indefinite use of older versions.
Encryption and security features
SSH, SFTP and SCP:
Key exchange algorithms:
- Curve25519
- ECDH over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
- Diffie Hellman with group exchange using SHA-256
- Diffie Hellman with fixed 4096, 3072, or 2048-bit group parameters using SHA-512 or SHA-256
- Diffie Hellman with 1024-bit group parameters or using SHA-1 (legacy)
- GSSAPI key exchange using Diffie Hellman and Kerberos authentication
Signature algorithms:
- Ed25519
- ECDSA over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
- RSA using 4096, 3072, or 2048-bit key sizes with SHA-512 or SHA-256
- RSA using 1024-bit keys or with SHA-1 (legacy)
- DSA using SHA-1 (legacy)
Encryption algorithms:
- ChaCha20 with 512-bit keys with Poly1305
- AES with 256, 128-bit keys in GCM mode
- AES with 256, 192, 128-bit keys in CTR mode
- AES with 256, 192, 128-bit keys in CBC mode (legacy)
- 3DES in CTR or CBC mode (legacy)
Data integrity protection:
- ChaCha20 with 512-bit keys with Poly1305
- AES with 256, 128-bit keys in GCM mode
- HMAC using SHA-256 or SHA-512, in encrypt-then-MAC mode
- HMAC using SHA-256 or SHA-512 (classic)
- HMAC using SHA-1 (legacy)
Server authentication:
- Client verifies server identity using server host key fingerprint or public key
- Automatic synchronization of new host keys to client supported
Client authentication:
- Password authentication with Windows accounts - local or Active Directory
- Password authentication with virtual accounts - configurable password policy
- Password change during password authentication
- Public key authentication
- Kerberos single sign-on using GSSAPI
- Two-factor authentication with a time-based one-time password
FTP over TLS (SSL):
TLS security:
- Available TLS versions and cipher suites depend on the installed version of Windows
- TLS versions 1.0, 1.1 and 1.2 can be enabled individually in Advanced settings
- ECDHE, RSA and DHE cipher suite families can be enabled individually
Authentication:
- Can use self-signed or CA-signed server certificate
- Password authentication with Windows accounts - local or Active Directory
- Password authentication with virtual accounts - configurable password policy
Requires secure clients:
- Only secure FTPS is supported - plaintext FTP connections are not accepted
- FTPS clients must support explicit TLS using the AUTH TLS command
- FTPS clients must support passive mode and use the TLS resume feature for data connections
Additional security features:
- Denial of service protection through throttling of incoming connections
- Login attempt delay for concurrent logins for same user or from same IP address
- Automatic temporary IP address blocking with IP whitelist
- Username blacklist
- Configurable client IP address, product version string restrictions
- Account-specific IP address restrictions
- IP-based access rules configurable by country
FIPS 140-2 validation
When FIPS is enabled in Windows, our software uses Windows built-in cryptography, validated by NIST to FIPS 140-2 under certificates #2937, #2606, #2357, and #1892. On Windows XP and 2003, our software uses the Crypto++ 5.3.0 FIPS DLL, originally validated by NIST under certificate #819 (historical). When FIPS mode is not enabled, additional non-FIPS algorithms are supported.
Cryptographic implementations and availability
Current Bitvise software versions (9.12 and higher) use the following cryptographic implementations for different algorithms, on different versions of Windows:
Algorithm |
Windows XP, Server 2003 |
Windows Vista to 8.1, Server 2008 to 2012 R2 |
Windows 10, 11, Server 2016 to 2022 |
---|---|---|---|
Signature | |||
RSA | Crypto++ 5.3 | Windows CNG | Windows CNG |
Ed25519 | n/a | DJB | DJB |
ECDSA (NIST curves) | Crypto++ 5.3 | Windows CNG | Windows CNG |
ECDSA/secp256k1 | Crypto++ 5.3 | OpenSSL | Windows CNG |
1024-bit DSA | Crypto++ 5.3 | Windows CNG | Windows CNG |
Non-standard DSA | Crypto++ 5.3 | Crypto++ 5.6 | Crypto++ 5.6 |
Key exchange | |||
Classic DH | Crypto++ 5.3 | Windows CNG | Windows CNG |
Curve25519 | n/a | DJB | DJB |
ECDH (NIST curves) | Crypto++ 5.3 | Windows CNG | Windows CNG |
ECDH/secp256k1 | Crypto++ 5.3 | OpenSSL | Windows CNG |
Encryption | |||
AES | Crypto++ 5.3 | Windows CNG | Windows CNG |
ChaCha20 | n/a | OpenSSL | OpenSSL |
3DES | Crypto++ 5.3 | Windows CNG | Windows CNG |
Integrity | |||
GCM | n/a | Windows CNG | Windows CNG |
Poly1305 | n/a | OpenSSL | OpenSSL |
HMAC-SHA2 | Crypto++ 5.3 | Windows CNG | Windows CNG |
HMAC-SHA1 | Crypto++ 5.3 | Windows CNG | Windows CNG |
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).