AS2 vs. SFTP: Which File Transfer Protocol Should You Use?
What is the difference between AS2 and SFTP?
AS2 is a B2B messaging protocol that adds message-level encryption, digital signatures, and signed delivery receipts (MDNs) on top of HTTPS, giving you cryptographic proof that a specific message was delivered and processed. SFTP is a file transfer protocol over SSH: it encrypts data in transit and authenticates the connection, but provides no per-message signatures and no receipts.
Both protocols move files between organizations, and that is roughly where the similarities end. They were designed for different problems, they operate differently at the protocol level, and they impose different operational burdens. Choosing between them is rarely a pure technical decision: it depends on your industry, your trading partners, and your compliance requirements. AS2 is not always better, and SFTP is not always simpler.
How does AS2 work?
AS2 (Applicability Statement 2, RFC 4130) sends files over HTTP/S using MIME formatting: each message is encrypted with the recipient's public key, signed with the sender's private key, and transmitted as an HTTP POST to the recipient's AS2 endpoint. The recipient returns a signed MDN (Message Disposition Notification) confirming what was received and whether decryption and signature verification succeeded.
That MDN is the critical feature. It is cryptographic proof that the specific message was delivered and processed correctly, and it can be returned synchronously (on the same HTTP connection) or asynchronously (via a separate HTTP POST to a callback URL).
AS2 message flow
- Sender encrypts the payload with the recipient's public certificate.
- Sender signs the encrypted payload with their own private key.
- Sender POSTs the message to the recipient's AS2 URL over HTTPS.
- Recipient verifies the signature, decrypts the payload, and processes it.
- Recipient generates and signs an MDN and returns it to the sender.
- Sender verifies the MDN signature and records the delivery confirmation.
How does SFTP work?
SFTP (SSH File Transfer Protocol) runs over an SSH connection: the client authenticates with a username/password or SSH key pair, then uploads or downloads files to designated directories on the server. Everything is encrypted in transit, but there are no message-level signatures, no message-level encryption, and no delivery receipts at the protocol level.
SFTP file transfer flow
- Client authenticates to the SFTP server (SSH key or password).
- Client uploads a file to a designated directory.
- Recipient polls the directory or receives a notification that a file arrived.
- Recipient downloads and processes the file.
There is no built-in confirmation that the file was received intact, processed successfully, or even picked up at all.
Which is more secure, AS2 or SFTP?
Both encrypt data in transit, but AS2 adds an application-layer security contract on top of transport encryption: message-level encryption, per-message authentication via digital signatures, and non-repudiation via signed receipts. SFTP's guarantees stop at the transport layer.
Encryption
- AS2: Messages are encrypted at the message level (S/MIME) before transmission. The file stays encrypted from the moment it leaves the sender until the recipient decrypts it with their private key, independent of the TLS session.
- SFTP: Encryption exists only during the SSH session. Once the file lands on the server's filesystem it is in cleartext (unless the server has separate disk encryption). If the SFTP server is compromised, the files are readable.
Authentication
- AS2: Digital signatures authenticate every message. The recipient can verify exactly who sent each message using the sender's public certificate — per-message proof of origin.
- SFTP: Authentication happens at connection time. Once connected, the system trusts that all files uploaded during that session came from the authenticated user. If credentials are shared or compromised, there is no per-file proof of origin.
Non-repudiation
Non-repudiation is the biggest security difference and the reason AS2 exists. The signed MDN proves a specific message was received and processed by the recipient, so neither party can deny the exchange happened — legally significant in regulated industries.
SFTP has no built-in non-repudiation. You have server logs showing a file was uploaded, but logs can be altered, and there is no signed receipt from the recipient confirming they received and processed the data.
When is AS2 required?
AS2 is effectively mandatory when a major trading partner or a regulator requires it — most famously Walmart, which mandates AS2 for all supplier EDI. In retail, pharmaceutical supply chain, and automotive, the choice is often already made for you.
Retail
Walmart mandates AS2 for all EDI communications with suppliers, which is the single biggest driver of AS2 adoption. Target, Home Depot, and other major retailers also prefer or require AS2 for EDI.
Pharmaceutical supply chain
DSCSA (Drug Supply Chain Security Act) compliance increasingly requires AS2 for exchanging transaction data between manufacturers, wholesalers, and dispensers. AS2's non-repudiation guarantee aligns with the regulatory requirement to prove chain of custody.
Automotive
Major automotive OEMs and tier-one suppliers standardized on AS2 for supply chain EDI years ago, and the ecosystem tooling reflects it.
Any partner that requires it
Sometimes AS2 is simply what your trading partner supports. If they only have an AS2 endpoint, you use AS2 — the pragmatic reality for many small and mid-size businesses.
When does SFTP make more sense?
SFTP is the right tool when you do not need non-repudiation and you want simpler operations. Typical cases: internal transfers, low-volume non-critical exchanges, partners without integration teams, and bulk data movement.
Internal transfers
Moving files between systems within your own organization? SFTP is simpler to set up and maintain, and non-repudiation between your own systems is rarely a requirement.
Low-volume, non-critical transfers
Sending a monthly report to a partner who does not require a specific protocol? SFTP is quick to configure and universally supported; every cloud provider offers managed SFTP.
Partners with limited technical capability
SFTP is conceptually simpler: upload a file, done. No certificates to exchange, no MDN configuration to negotiate, no AS2 IDs to match.
Bulk data transfers
SFTP handles large files efficiently. AS2 can transfer large files, but the overhead of encryption, signing, and MDN processing adds latency; for multi-gigabyte dumps, SFTP's streaming model is more efficient.
Which is harder to set up and operate?
SFTP setup is measured in hours; AS2 setup is measured in days. AS2 also carries ongoing certificate lifecycle work that SFTP simply does not have.
Setup effort
- SFTP: Create an account, exchange SSH keys, configure directory permissions. A competent sysadmin sets this up in under an hour.
- AS2: Exchange certificates, configure AS2 IDs, agree on MDN settings (sync vs. async, signing algorithm), configure encryption and signing algorithms, then test end to end. First-time setup typically takes 1 to 3 days including the back-and-forth with the trading partner.
Ongoing maintenance
- SFTP: Rotate SSH keys periodically. Monitor disk space. That is roughly it.
- AS2: Monitor certificate expiration and rotate before expiry, coordinating with every trading partner that uses those certificates. A single expired certificate can take down multiple connections simultaneously.
Debugging
- SFTP: Problems are usually obvious — connection refused (firewall), permission denied (auth), no such file (wrong directory). Standard SSH tooling works.
- AS2: Error messages are often cryptic. "Insufficient data for decryption" could mean a wrong certificate, a format mismatch, or a corrupted message. Debugging requires understanding the full AS2 protocol stack.
How much does each protocol cost?
AS2 is significantly more expensive than SFTP at every tier. That cost is justified when non-repudiation is a business or regulatory requirement — and not justified when you are simply moving files.
SFTP costs
- AWS Transfer Family (managed SFTP): $0.30/hour for the endpoint (~$216/month) plus $0.04/GB transferred.
- Self-hosted: a Linux VM with OpenSSH — minimal cost beyond the server itself.
- Commercial SFTP servers (Cerberus, Titan, etc.): $500 to $5,000 one-time license.
AS2 costs
- Commercial AS2 platforms (IBM Sterling, OpenText, Cleo): $10,000 to $100,000+ per year depending on volume and features.
- Open-source (OpenAS2, Mendelson): free software, but real staff time for setup and maintenance.
- AS2 VAN services (managed AS2): $200 to $2,000/month depending on trading partner count and message volume.
AS2 vs. SFTP feature comparison
The table below summarizes the differences. The pattern: AS2 buys cryptographic guarantees at the price of complexity and cost; SFTP buys simplicity at the price of weaker guarantees.
| Feature | AS2 | SFTP |
|---|---|---|
| Transport encryption | TLS (HTTPS) | SSH |
| Message-level encryption | Yes (S/MIME) | No |
| Digital signatures | Yes (per message) | No |
| Delivery receipt | Yes (signed MDN) | No |
| Non-repudiation | Strong (mandatory MDN) | Weak (server logs only) |
| Compliance readiness | Built-in audit trail | Requires custom logging |
| Setup complexity | High | Low |
| Operating cost | High | Low |
| Large file handling | Adequate | Excellent |
| Protocol standard | RFC 4130 | RFC 4253 (SSH) |
| Industry adoption | Retail, pharma, automotive | Universal |
Can you use both AS2 and SFTP?
Yes, and most organizations do: AS2 for the trading partners and industries that require it, SFTP for everything else. There is no rule that says you have to pick one.
- Use AS2 when you need non-repudiation, when your trading partner requires it, or when regulatory compliance demands it.
- Use SFTP when you need simple, reliable file transfer without the overhead of certificate management and MDN processing.
How do you validate an AS2 setup before going live?
Test against a known-good endpoint before involving your trading partner, because certificate errors, MDN misconfigurations, and encryption mismatches are common and debugging them across organizational boundaries is slow. Finding problems on your own side first makes partner onboarding measurably faster.
AS2 Certify's free AS2 connection tester validates your certificates, tests encryption and signing, confirms MDN processing, and grades your configuration A through F. If you are setting up AS2 for the first time, the walkthrough in how to test an AS2 connection without a partner covers the full process.