How To Use Secure Copy (SCP) To Copy Files From One Server To Another

This article shows how to remotely copy backup files from one server to another using 'Secure Copy' (SCP) and without having to manually enter a password each time.

I will write another article in a few weeks time to show how I generate my backup files.

I maintain a VPS with all my clients websites which gives me complete control over management of the data. However, with that freedom and flexibility comes the responsibility of making sure that the data is never lost.

So I procured a second VPS in a different data centre in order to safely backup all the files.

Now, I don't want to have to sit down and manually create backups every day, so the answer is to automate the process. I use CRON to first create a backup file and then copy the backup files to my backup server.

Local Machine vs Remote

While researching various subjects related to the use of servers, many resources discuss the 'local' server and the 'remote' server. For years (and I do mean years), I have always understood local to mean physically local ie. in the living room, bedroom or office etc. Doh !

Just in case there are others like me who do not get this concept, the local machine is the one where the command or script is being run. It could be a server on the other side of the world - it really doesn't matter. The remote server is the one that is being connected to by the local server. And that could be in a building next door.

So keep that in mind . . .

What is Secure Copy ?

Secure Copy (SCP) is a shell / bash command that allows you to securely copy files from one server to another using SSH (secure shell). You can copy either way ie. you can copy from the local server or you can copy to the local server. Just remember that the local server is the one where the command is being run.

The syntax to use is:

or

The -P22 in the command tells scp to use port 22 which is the default port for ssh (Note that it is a captial P and not lower case). In this case, you can leave that element out of the command. But if you have changed the port number for ssh (it's good practise to do so), then you should leave it in, but change the number 22 to the relevant port number.

When the Source Server is the Local Machine:

When the Destination Server is the Local Machine:

The second (shorter) command on the destination server example does exactly the same thing as the first command - the tilde ( ~ ) tells scp to start from the root folder of the relevant user account. If you're ever not sure about which folder scp will work with, the safest option is to put the full path (as shown in the first command).

Usually, though, if you used any of these commands you will be prompted to enter a password for the 'other' user account. If we want to do this remotely and unattended we need a workaround. Thankfully there is one !

So How To Use SCP Without Having To Enter A Password ?

Step 1. Generate a Public and Private Key Pair

We need to create a public and private key pair. We do this on the local server (the one where the backup or copy script is going to be run). 

The following example assumes I am going to backup files from the account 'live' on the local server and send them to the user account 'backup' on the remote server.

Open a PuTTY session logging in to the user account from which you want to run Secure Copy (user 'live' on the local server [cloudserver2]) and enter the following command:

The -t means type and the type is RSA. There are other key pair types, but RSA is generally considered to be the most secure.

You will be asked to confirm where you would like to save the file:

Press the Enter key.

If the files already exist, you will prompted to confirm you wish to overwrite them:

Press n then Enter and go straight to Step 2. 

If the files don't already exist, you will be asked to enter a passphrase:

Leave this empty or your command or script or command will pause and prompt you for the passphrase each time. Just press the Enter key again .

You'll be prompted to enter the same passphrase again, so press the Enter key again.

You will get something along the lines of:

You now have 2 files id_rsa (the private key) and id_rsa.pub (the public key) in the folder .ssh which is a sub of the root folder of this user (ie /home/user/.ssh).

Step 2. Copy the Public Key to the Remote Server

We must now copy the contents of the public key id_rsa.pub to the file authorized_keys in the folder .ssh on the remote machine. 

First, though, we're going to copy the contents of id_rsa.pub to the clipboard. In the same PuTTY session enter:

You will get something along the lines of:

Using the mouse, select the whole contents of the file (from ssh-rsa to live@cloudserver2). It should look like this:

There is no need to press CTRL-C, simply selecting the text automatically copies it to the clipboard. That's it for now, we will come back to it shortly.

Next enter:

Again we indicate the port number, but note that the -p is lowercase this time.

If the connection is refused (as shown above), you must add the IP Address of each other's' server in the firewall whitelist for both the remote and local server. Having done that, I tried again: 

If this is the first time you've connected from the local server, it won't be recognised, and you will be asked if you want to continue connecting. Type yes (not just y) and press Enter.

The remote server will be added to the local servers known hosts file (so you're not prompted the next time) and then you will be asked to enter the password for the user 'backup' on the remote server. Enter this correctly and you will be logged in to the remote server.

Note that the prompt has changed from live@cloudserver2 to backup@svr. 

What we are going to do here is to check to see if the authorised public keys file has already been created. If it has, we'll add the public key for our live server. If not we'll create the file first then add the public key.

So first we'll check for the folder .ssh

This gives us a directory listing.

In this case, the folder .ssh doesn't exist, so we need to create it and check it exists:

We can see that the .ssh folder now exists, so we'll move into it and check what files there are:

In this case the authorized_keys file does not exist (note the americanised spelling - this is very important), but even if it does exist, we will use the same command to edit it:

Press the i key to move to Insert mode then if the file is empty, make sure the mouse cursor is positioned inside the Terminal / PuTTY window and right-click. This should paste the public key content that we copied earlier.

If the file is not empty, then select Insert mode by pressing the i key  then use the arrow keys to move the green cursor to the end of the last line of the file, press Enter to start a new line and then right-click the mouse. This will add the public key data to the end of the file.

In either case, then press the ESC key followed by SHIFT + ZZ to save the file.?

Next we type exit to return to the 'live' server.

Finally, we test that we can send a file without having to enter a password. I have a backup file (backup-file.tar.gz) in the folder 'backups' on my live server and I want to send it to the folder 'remote-backups' on the backup server. The command I used is:

And we can check that it has arrived successfully by entering the following:

I hope you have found this article useful. In the next few weeks, I will try to put together another article that outlines the scripts I use to automate my daily backup schedule.