Deciphering ciphers: A guide to encryption and secure file transfer
What is encryption?
Encryption refers to the process of obscuring information so that it is readable only by the sender and the sender’s authorized recipient(s). Encryption does not prevent a third party from obtaining the data. Instead, it creates confidentiality by rendering transmitted data unintelligible to anyone without the correct decryption key.
In modern computing and secure file transfer, encryption is performed by algorithms that use complex mathematics to replace plaintext with other information while simultaneously generating a “key” to the performed operations that allows for decryption.
What are the important terms to know in encryption?
- Algorithm: The mathematical formula used to replace a message’s original characters with encrypted characters, while also generating a key to restore the message to its original version.
- Bit: A bit is the basic building block of computing, representing a 1 (for true) or 0 (for false). Encryption algorithms provide a security level measured in bits as a shorthand for the number of operations an attacker would have to perform in order to discover a decryption key by brute force. Higher bit values are more secure.
- Block: Many encryption algorithms operate on fixed numbers of bits, called blocks, to perform their calculations. These algorithms are commonly called block ciphers.
- Certificate: Digital certificates are encrypted documents verified by third parties that validate whether a device is what it claims to be. These certificates are checked against third-party registries at the time of connection, and devices can block connections in the event of a failed certificate check.
- Cipher: Often used interchangeably with algorithm, cipher can be defined more broadly as a means of creating encryption (of which an algorithm is one type).
- Ciphertext: The unreadable text output from an encryption process, which can be securely transmitted across open networks.
- Decryption: The act of using a key to “unlock” the encrypted ciphertext and render it back into plaintext.
- Hash function: Hash functions support and enhance encryption by enabling operations such as file integrity checking, digital signatures, password verification and more. They use an algorithm to create a fixed-length string of characters from the original message. That string is sent to the recipient, who recalculates the hash after decrypting the message. If the two hashes match, the data can be verified as intact.
- Key: Keys are character strings generated by the transmitting party and provided to the receiving party for the purpose of decoding the transferred information. Several different key generation and distribution techniques exist, and keys can also be used to authenticate clients and servers to each other.
- Plaintext: The human-readable, unencrypted data the sender inputs at the beginning of the encryption process.
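The integrity check described under “Hash function” above, as an added example in Python (this is illustrative code written for this page, not Cerberus FTP’s own code). The sample file contents and the demo key are constructed. It also shows the caveat a practitioner cares about: a bare hash detects accidental corruption, but anyone who can alter the file can also recompute the hash, whereas an HMAC tag can only be produced by a party holding the key.

```python
import hashlib
import hmac

# Constructed sample payload standing in for a file that was transferred.
SAMPLE_FILE = b"invoice_id,amount\n1042,1000.00\n"


def sha256_hex(data: bytes) -> str:
    """Sender side: compute the SHA-256 digest that is published beside the file."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recipient side: recompute the digest over the received bytes and compare.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters of the digest matched.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed variant: producing a valid tag requires the key, so an attacker who
    alters the file cannot simply recompute a matching tag the way they could a hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Run both checks against the intact file and a tampered copy."""
    published = sha256_hex(SAMPLE_FILE)
    key = b"constructed-demo-key-not-for-production"  # shared out of band in practice
    tag = hmac_tag(key, SAMPLE_FILE)
    tampered = SAMPLE_FILE.replace(b"1000.00", b"9000.00")
    return {
        "intact_hash_ok": verify_integrity(SAMPLE_FILE, published),
        "tampered_hash_ok": verify_integrity(tampered, published),
        "intact_hmac_ok": verify_hmac(key, SAMPLE_FILE, tag),
        "tampered_hmac_ok": verify_hmac(key, tampered, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints `True` for the intact checks and `False` for both tampered checks; the difference between the two mechanisms is who is able to produce a valid value, not whether tampering is detected.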
How is encryption implemented?
Encryption is typically implemented between a client and server at the time of connection, with the specific application and network layer affecting the exact procedures. For example,
- Transport Layer Security (TLS) provides HTTPS encryption. At the initial connection, the server and client negotiate their TLS version and cipher suite to establish initial encryption, then verify the server’s identity using the server’s public key along with an SSL certificate. At that point, the parties generate the encryption keys for data passed during the session.
- Secure Shell Protocol (SSH) creates the encryption for SFTP. The server responds to connection requests with its supported encryption algorithms and a public key. The client selects a specific algorithm, the parties generate a shared secret key, and then perform authentication.
- Other file transfer protocols like FTP/S provide administrators with the ability to configure when (and if) encryption occurs during the connection process. Administrators can configure FTP/S to listen for connection requests and choose whether or not to upgrade to a TLS-protected session.
Where is encryption used during secure file transfers?
Encryption is used at several points of the secure file transfer process:
- At initial connection: One of the first steps of a secure file transfer connection is to encrypt the session so that authentication credentials are not transmitted in plaintext.
- During authentication: Encryption is used to validate the identity of clients and servers to each other through tools like digital certificates and public keys.
- During transit: After authentication, a server will transmit data using the agreed upon encryption algorithm.
- After (and before) receipt: File transfer applications can be configured to encrypt data held in storage in order to protect against access via compromised devices or credentials.
What types of encryption are used by different file transfer protocols?
File transfer protocol encryption is determined by several factors, including:
- Where (and whether) the encryption occurs during the connection
- How the transport layer is secured
- Client and protocol security requirements
- Organizational security settings and policies
The most common file transfer protocols use either TLS or SSH for encryption:
- TLS-based protocols
- HTTPS (which also uses SSL certificate verification)
- FTP/S (which also uses SSL certificate verification)
- AS2
- SSH-based protocols
- SFTP
- SCP
In almost all cases, administrators have the option to add additional layers of encryption onto the basic protocol security, and a number of other file transfer protocols exist which can use a variety of other encryption tools.
How does SFTP encryption work?
SFTP encryption starts with an SSH connection, which follows the process below:
- A client and server begin their connection by negotiating the session encryption. This involves creating a public/private key pair, exchanging public keys, vetting those keys against private keys, and then creating a “shared secret” — a string of data that is used to authenticate additional packets. This process is known as symmetric encryption and is performed automatically at connection.
- With the initial SSH encryption in place, the server then authenticates itself by sending a small piece of data to the client for verification.
- Once the client validates the server, it supplies its own authentication. This can be done via a simple username and password, or via public key authentication. Public keys are generally created in advance of a session when adding users and clients to a network, and each has a corresponding private key that is kept secret. The public portion of a key is compared to the private portion, and if it matches, the server grants access.
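The key agreement sketched in the SSH bullet above and in the first step of this list, carried through end to end as an added example in Python (illustrative code written for this page, not Cerberus FTP’s implementation or OpenSSH’s). It runs a Diffie-Hellman exchange for both sides, derives a session key by hashing the shared secret with a handshake transcript, and then uses that key to authenticate packets with a sequence number. The group parameters are a constructed toy (the Mersenne prime 2**127 - 1 with generator 3) and offer no real security; production SSH uses 2048-bit or larger MODP groups or elliptic curves. The transcript format and message names are also constructed, not the SSH wire format.

```python
import hashlib
import hmac
import secrets

# Toy group constructed for illustration: p = 2**127 - 1 (a Mersenne prime), g = 3.
# Real deployments use 2048-bit+ MODP groups or curves such as curve25519.
P = 2**127 - 1
G = 3
SECRET_BYTES = 16  # enough to hold any value below P


def generate_keypair() -> tuple[int, int]:
    """Each side picks a random private exponent and publishes g^private mod p."""
    private = secrets.randbelow(P - 3) + 2          # 2 <= private <= P - 2
    public = pow(G, private, P)
    return private, public


def validate_peer_public(peer_public: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending these forces the shared secret into a tiny,
    predictable set, so a careful implementation refuses them before using them."""
    return 2 <= peer_public <= P - 2


def shared_secret(private: int, peer_public: int) -> int:
    if not validate_peer_public(peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def derive_session_key(secret: int, transcript: bytes) -> bytes:
    """Bind the key to the handshake: hash the shared secret together with everything
    both sides saw (version strings and public values), as SSH does with its exchange hash."""
    return hashlib.sha256(secret.to_bytes(SECRET_BYTES, "big") + transcript).digest()


def mac_packet(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate a packet with the session key; the sequence number defeats replays."""
    return hmac.new(session_key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def verify_packet(session_key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_packet(session_key, seq, payload), tag)


def handshake() -> tuple[bytes, bytes]:
    """Run the exchange for both parties and return the key each one derived."""
    client_priv, client_pub = generate_keypair()
    server_priv, server_pub = generate_keypair()
    # Constructed transcript: both version strings plus both public values.
    transcript = (b"SSH-2.0-client|SSH-2.0-server|"
                  + client_pub.to_bytes(SECRET_BYTES, "big")
                  + server_pub.to_bytes(SECRET_BYTES, "big"))
    client_key = derive_session_key(shared_secret(client_priv, server_pub), transcript)
    server_key = derive_session_key(shared_secret(server_priv, client_pub), transcript)
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = handshake()
    print("keys match:", ck == sk)
    tag = mac_packet(ck, 0, b"SERVICE_REQUEST")
    print("packet verifies:", verify_packet(sk, 0, b"SERVICE_REQUEST", tag))
    print("replay under new seq verifies:", verify_packet(sk, 1, b"SERVICE_REQUEST", tag))
```

Neither party ever transmits its private exponent, yet both arrive at the same session key; that is the “shared secret” the text refers to, and the packet MAC is what it means by authenticating additional packets. The out-of-range check on the peer’s public value is the kind of small validation step that separates a textbook exchange from a deployable one.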
What encryption algorithms are used in secure file transfer?
A wide variety of encryption algorithms exist, but the most common ciphers used in secure file transfer are:
- Pretty Good Privacy (PGP)
- Diffie-Hellman
- Elliptic Curve Diffie-Hellman Ephemeral
- Rivest-Shamir-Adleman (RSA)
- The Advanced Encryption Standard (AES)
- Secure Hash Algorithm (SHA)
Does the client or server initiate the encryption in file transfer?
While clients will typically request a connection, servers will dictate the encryption requirements during the negotiation phase. If the server cannot find a match in the client’s supported encryption protocols that fits its security requirements, it will terminate the connection.
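The server-driven selection described above, as an added example in Python (illustrative code for this page, not Cerberus FTP’s negotiation logic). The algorithm lists are constructed, using SSH-style cipher names, and the disallowed set stands in for an administrator’s policy. Returning `None` corresponds to the server terminating the connection because nothing the client offered meets its requirements.

```python
# Constructed preference list and policy, not a real server configuration.
SERVER_PREFERENCE = ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"]
DISALLOWED_BY_POLICY = frozenset({"3des-cbc", "arcfour", "aes128-cbc"})


def negotiate(server_prefs, client_offer, disallowed=DISALLOWED_BY_POLICY, server_order=True):
    """Pick one algorithm both sides support, or return None to signal 'terminate'.

    The policy set is applied before anything else, so a client cannot steer the
    server onto an algorithm the administrator has disabled even if it is still
    present in the server's list for compatibility. With server_order=True the
    server's own ordering decides among the remaining common algorithms; with
    server_order=False the client's ordering decides, which is why administrators
    usually prefer the former.
    """
    allowed_server = [a for a in server_prefs if a not in disallowed]
    allowed_client = [a for a in client_offer if a not in disallowed]
    first, second = (allowed_server, allowed_client) if server_order else (allowed_client, allowed_server)
    common = set(second)
    for alg in first:
        if alg in common:
            return alg
    return None


if __name__ == "__main__":
    print(negotiate(SERVER_PREFERENCE, ["aes128-ctr", "aes256-ctr"]))   # aes256-ctr
    print(negotiate(SERVER_PREFERENCE, ["aes128-ctr", "aes256-ctr"], server_order=False))  # aes128-ctr
    print(negotiate(SERVER_PREFERENCE, ["3des-cbc"]))                   # None -> terminate
```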
Is authentication encrypted in secure file transfer?
Encrypting authentication methods is best practice for secure file transfer, and can be accomplished in a variety of ways:
- Encrypting the channel on which authentication information is exchanged
- Hashing user names and passwords
- Sharing authentication certificates between clients and servers
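The “hashing user names and passwords” item above, worked through as an added example in Python (illustrative code for this page, not Cerberus FTP’s credential store). It uses the standard library’s PBKDF2-HMAC-SHA256 with a random per-user salt and a deliberately slow iteration count, stores the parameters alongside the hash, and verifies in constant time; the record format is constructed for this example.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # the order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a salted, slow hash instead of the password itself.

    A fresh random salt means two users with the same password get different
    records, so a precomputed table cannot be reused across accounts, and the
    iteration count makes each offline guess expensive.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    # Constructed record format: algorithm$iterations$salt$hash, all parameters kept with the hash.
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False            # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_BYTES)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Because the iteration count travels with the record, an administrator can raise it later and old records keep verifying until they are rehashed on the user’s next successful login.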
What are the highest encryption standards?
Encryption key bit length is used as a proxy for how many computing operations would be required to guess an encryption key by brute force. The current highest encryption standard in widespread use is AES 256, which has a 256-bit key. This means there are 2^256 possible keys, and trying them exhaustively would take longer than the current age of the universe with current computing technology.
Recommended Links
- https://www.cerberusftp.com/blog/which-file-transfer-protocol-should-you-support/
- https://www.cerberusftp.com/features/supported-protocols/
- https://www.cerberusftp.com/features/
- https://www.cerberusftp.com/blog/six-common-questions-about-encrypted-file-transfer/
- https://www.cerberusftp.com/blog/is-a-secure-file-transfer-server-also-a-file-server/