The Almeria Industries SFTP Gateway is a secure, pre-configured SFTP server built on SSH 2.0.
It provides instantaneous data transfer to AWS S3 Buckets and on-prem
SFTP servers. This page documents the supported algorithms, commands, authentication methods,
and virtual file system capabilities.
Server Identity
| Property | Value |
|---|---|
| Protocol | SSH 2.0 |
| Server Version String | SSH-2.0-Almeria-2.0 |
| Default Port | 2222 (configurable) |
| Host Key Type | RSA (4096-bit) |
Supported Algorithms
The SFTP Gateway uses golang.org/x/crypto/ssh (v0.47.0). The following algorithms
are supported by the underlying SSH transport layer.
Host Key Algorithms
| Algorithm | Status |
|---|---|
| rsa-sha2-256 | Supported (default) |
| rsa-sha2-512 | Supported |
| ssh-rsa | Supported (legacy) |
Key Exchange Algorithms
| Algorithm | Status |
|---|---|
| curve25519-sha256 | Supported (preferred) |
| [email protected] | Supported (preferred) |
| ecdh-sha2-nistp256 | Supported |
| ecdh-sha2-nistp384 | Supported |
| ecdh-sha2-nistp521 | Supported |
| diffie-hellman-group14-sha256 | Supported |
| diffie-hellman-group14-sha1 | Supported |
Ciphers
MAC (Message Authentication Code) Algorithms
| Algorithm | Status |
|---|---|
| [email protected] | Supported (preferred) |
| [email protected] | Supported |
| hmac-sha2-256 | Supported |
| hmac-sha2-512 | Supported |
| hmac-sha1 | Supported |
| hmac-sha1-96 | Supported |
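The tables above list what the transport will accept, but which algorithm is actually used on a given connection is decided by the SSH negotiation rule (RFC 4253 section 7.1): the first name in the client's preference list that the server also supports wins, whatever order the server lists them in. That means a client that prefers the SHA-1 entries (ssh-rsa, diffie-hellman-group14-sha1, hmac-sha1, hmac-sha1-96) will get them as long as they stay enabled. The Go program below is an added example, not gateway code: it reproduces that rule over this page's lists and flags legacy selections so an operator can see what a given client offer would negotiate. The two entries the page shows as "[email protected]" are omitted because their names are not recoverable here; the Legacy table and the simplified host-key handling (the real rule also ties host-key choice to the kex) are this example's own assumptions. In golang.org/x/crypto/ssh the equivalent allow-lists are the KeyExchanges and MACs fields of ssh.Config.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Server preference lists, copied from this page's tables (redacted entries omitted).
var ServerKex = []string{
	"curve25519-sha256",
	"ecdh-sha2-nistp256",
	"ecdh-sha2-nistp384",
	"ecdh-sha2-nistp521",
	"diffie-hellman-group14-sha256",
	"diffie-hellman-group14-sha1",
}

var ServerMAC = []string{"hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96"}

var ServerHostKey = []string{"rsa-sha2-256", "rsa-sha2-512", "ssh-rsa"}

// Legacy maps the SHA-1-based names to the reason an audit flags them (example's own table).
var Legacy = map[string]string{
	"ssh-rsa":                     "RSA signature over SHA-1",
	"diffie-hellman-group14-sha1": "key exchange hashed with SHA-1",
	"hmac-sha1":                   "SHA-1 MAC",
	"hmac-sha1-96":                "truncated SHA-1 MAC",
}

var ErrNoMatch = errors.New("no algorithm in common")

// Negotiate applies the RFC 4253 rule: first client-preferred name the server supports.
func Negotiate(client, server []string) (string, error) {
	supported := make(map[string]struct{}, len(server))
	for _, a := range server {
		supported[a] = struct{}{}
	}
	for _, a := range client {
		if _, ok := supported[a]; ok {
			return a, nil
		}
	}
	return "", ErrNoMatch
}

// NameList parses an SSH name-list as carried in KEXINIT (comma-separated, no spaces).
func NameList(s string) []string {
	if s == "" {
		return nil
	}
	return strings.Split(s, ",")
}

// Outcome is the result of auditing one client offer.
type Outcome struct {
	Kex, HostKey, MAC string
	Warnings          []string
}

// Audit negotiates kex, host key and MAC for a client offer and reports legacy picks.
func Audit(clientKex, clientHostKey, clientMAC string) (Outcome, error) {
	var out Outcome
	var err error
	if out.Kex, err = Negotiate(NameList(clientKex), ServerKex); err != nil {
		return out, fmt.Errorf("kex: %w", err)
	}
	if out.HostKey, err = Negotiate(NameList(clientHostKey), ServerHostKey); err != nil {
		return out, fmt.Errorf("host key: %w", err)
	}
	if out.MAC, err = Negotiate(NameList(clientMAC), ServerMAC); err != nil {
		return out, fmt.Errorf("mac: %w", err)
	}
	for _, a := range []string{out.Kex, out.HostKey, out.MAC} {
		if why, ok := Legacy[a]; ok {
			out.Warnings = append(out.Warnings, a+": "+why)
		}
	}
	return out, nil
}

func main() {
	// Constructed client offer that prefers the legacy entries.
	out, err := Audit("diffie-hellman-group14-sha1,curve25519-sha256", "ssh-rsa", "hmac-sha1-96,hmac-sha2-256")
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Running the audit against the offer in main shows all three legacy algorithms being chosen even though the server lists the modern ones first; trimming the server lists is the only reliable fix.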
Authentication Methods
| Method | Status | Details |
|---|---|---|
| Password | Supported | Username and password stored securely in HashiCorp Vault |
| Public Key | Supported | SSH public keys stored in HashiCorp Vault. Supports multiple authorized keys per user |
Maximum authentication attempts: 3 (configurable). Credentials are stored and retrieved from
HashiCorp Vault at runtime.
Supported Commands
The SFTP Gateway implements a virtual file system backed by Azure Blob Storage and RavenDB.
The following SFTP commands are supported:
| Command | Supported | Notes |
|---|---|---|
| put (file upload) | Yes | Files can only be written to the /upload directory. Supports overwriting files in Committed or Processed state. Generates SHA-256 hash and detects content type automatically. |
| get (file download) | No | Read operations are not supported. The SFTP Gateway is designed as an ingress-only server for secure data transfer to backend storage. |
| ls (list directory) | Yes | Lists directory contents including . and .. navigation entries. Root directory lists system directories. Subdirectory contents are queried from the database. |
| stat (file/dir info) | Yes | Returns metadata for files and directories. Supports root, current directory (.), parent directory (..), and system directories. |
| mkdir | Yes | Creates directories under /upload only. Directories are automatically mirrored across /upload, /failed, and /sent for workflow management. |
| rename | Yes | Renames files within the same directory. Supports WinSCP's .filepart chunked upload pattern. Includes retry logic with 60-second timeout for asynchronous blob commits. Cross-directory moves are not permitted. |
| rm (remove file) | Yes | Soft-deletes files in /sent and /failed directories only. Files in /upload and /inbox cannot be deleted. Files are marked as deleted for audit trail purposes rather than physically removed. |
| rmdir | Yes | Soft-deletes empty user-created directories under /upload. System directories (/upload, /inbox, /sent, /failed, /) cannot be deleted. |
| setstat (chmod/chown) | Yes | Allows setting file attributes (permissions, timestamps). Prevents modifications to files in a failed state to maintain data integrity. |
| symlink | No | Symbolic links are not supported. |
| readlink | No | Symbolic link resolution is not supported. |
Virtual File System
The SFTP Gateway exposes a virtual file system with four system directories that manage the
data transfer workflow:
| Directory | Purpose | Permissions |
|---|---|---|
| /upload | Active upload area for incoming files | Write, mkdir, rename, setstat |
| /inbox | Read-only directory for incoming files from external sources | List, stat (read-only) |
| /sent | Successfully transferred files | List, stat, rm |
| /failed | Files that failed during transfer | List, stat, rm |
Upload Behavior
- Files are uploaded as Azure Blob Storage block blobs with a unique UUID identifier.
- SHA-256 content hash is calculated automatically for data integrity verification.
- File content type (MIME type) is detected automatically using AI-powered file meta-type detection.
- Upload processing is fully asynchronous: block commits, hash calculation, queue dispatch, and database sync
run concurrently for maximum throughput.
- Files are queued via Azure Service Bus for downstream processing to final destinations
(AWS S3, Azure Blob Storage, or on-prem SFTP servers).
- Existing files can be overwritten only if they are in Committed or Processed state.
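The upload pipeline above and the rename row in the command table describe one sequence: assign the blob a UUID, hash the bytes, detect the content type, and, when WinSCP finishes a .filepart upload and renames it, wait for the asynchronous block commit before answering the rename. The Go program below is an added example, not gateway code, that walks through that sequence on a constructed upload. It substitutes net/http's signature-based sniffing for the page's AI-based type detection, builds the UUID v4 from crypto/rand instead of a UUID library, and uses a short polling timeout in place of the documented 60 seconds; the UploadRecord type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// UploadRecord is the example's metadata row for one uploaded blob.
type UploadRecord struct {
	BlobID      string // UUID v4 naming the block blob
	Name        string // name as the client wrote it (may end in .filepart)
	SHA256      string // hex digest of the full content
	ContentType string // sniffed MIME type
}

// newUUIDv4 builds a random RFC 4122 version-4 UUID from the OS CSPRNG.
func newUUIDv4() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// IngestUpload hashes the body and sniffs its type; the caller stores the record
// and starts the asynchronous block commit.
func IngestUpload(name string, body []byte) UploadRecord {
	sum := sha256.Sum256(body)
	return UploadRecord{
		BlobID:      newUUIDv4(),
		Name:        name,
		SHA256:      hex.EncodeToString(sum[:]),
		ContentType: http.DetectContentType(body), // stand-in for the page's AI detection
	}
}

// FinalName strips WinSCP's temporary suffix (report.csv.filepart -> report.csv)
// and reports whether the name was a chunked-upload temporary.
func FinalName(name string) (string, bool) {
	const suffix = ".filepart"
	if strings.HasSuffix(name, suffix) && len(name) > len(suffix) {
		return strings.TrimSuffix(name, suffix), true
	}
	return name, false
}

var ErrCommitTimeout = errors.New("blob commit did not complete before timeout")

// WaitCommitted polls isCommitted until it reports true or the timeout passes,
// which is the retry loop a rename performs before it is acknowledged.
func WaitCommitted(isCommitted func() bool, interval, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		if isCommitted() {
			return nil
		}
		if time.Now().After(deadline) {
			return ErrCommitTimeout
		}
		time.Sleep(interval)
	}
}

func main() {
	// Constructed upload: a PNG header written through WinSCP's .filepart pattern.
	rec := IngestUpload("logo.png.filepart", []byte("\x89PNG\r\n\x1a\n"))
	final, _ := FinalName(rec.Name)
	polls := 0
	err := WaitCommitted(func() bool { polls++; return polls >= 3 }, time.Millisecond, time.Second)
	fmt.Printf("%s -> %s sha256=%s type=%s commit=%v\n", rec.Name, final, rec.SHA256, rec.ContentType, err)
}
```

The rename handler only has to call FinalName and WaitCommitted in that order; if the commit never lands within the timeout the rename fails and the client sees the .filepart name still present, which is the visible symptom of the retry limit in the command table.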
Soft Delete and Audit Trail
- All delete operations (files and directories) are soft deletes.
- Physical data remains in blob storage and in the database.
- Deleted items are hidden from directory listings.
- Enables audit trails and potential data recovery.
Client Compatibility
The SFTP Gateway is compatible with any standard SFTP client that supports SSH 2.0, including:
- OpenSSH (sftp command)
- WinSCP (including .filepart chunked upload support)
- FileZilla
- Cyberduck
- Any SSH/SFTP library (paramiko, JSch, libssh2, etc.)
Known Limitations
| Limitation | Details |
|---|---|
| Ingress-only | File downloads (get) are not supported. The gateway is designed for secure data ingestion. |
| No symbolic links | symlink and readlink operations return SSH_FX_OP_UNSUPPORTED. |
| No cross-directory rename | Files can only be renamed within the same directory. Moving files between directories is not supported. |
| Directory rename | Renaming directories is not yet supported. |
| Delete restrictions | File deletion is only permitted in /sent and /failed directories. Active files in /upload cannot be deleted. |
| System directories | The four system directories (/upload, /inbox, /sent, /failed) cannot be deleted or renamed. |