
Secure File Transfer: The Complete Guide to Encrypted File Sharing

— Written by Brendan G., Founder & Developer


Most file transfers are not truly secure. TLS protects the connection, but the server can still read your files — and so can anyone with access to it. This guide explains the difference between encryption types, what "end-to-end" actually means, and how to achieve genuinely private file transfer where no server ever sees your file's contents.


What Makes a File Transfer Actually Secure?

The word "secure" is used loosely by almost every file sharing service. Dropbox says your files are "secure." Google Drive is "protected." WeTransfer uses "TLS encryption." None of these statements are false — but none of them mean what most people assume.

There are three fundamentally different levels of security in file transfer, and understanding which level you're getting changes everything:

  1. Encryption in transit (TLS/HTTPS): Your file is encrypted while traveling between your device and the server. Once it arrives at the server, the server decrypts it and stores the plaintext. The server can read everything.
  2. Encryption at rest: After the file arrives at the server, the server encrypts it and stores the ciphertext. The server holds the keys. It can decrypt the file any time it wants — or when required to by a court order, subpoena, or data breach.
  3. End-to-end (zero-knowledge) encryption: The file is encrypted on your device, using a key that never leaves your device. The server receives only ciphertext it cannot decrypt. The decryption key travels in the URL fragment (the #key=... part), which browsers never send to servers. This is the only model that gives you genuinely private file transfer.

Most mainstream file sharing services operate at level 1 or 2. Only a small number of purpose-built privacy tools operate at level 3.

How Zero-Knowledge Encrypted File Transfer Works

The zero-knowledge model deserves a close look because the mechanism behind it is both technically elegant and directly verifiable by anyone.

When you upload a file with FileShot, here's what happens step by step:

  1. Your browser generates a random 256-bit encryption key entirely on your device.
  2. Your browser encrypts the file using AES-256-GCM, an authenticated encryption algorithm that protects both the confidentiality and the integrity of the data, before any bytes leave your computer.
  3. Only the encrypted ciphertext is uploaded to the server. The server receives a blob it cannot read.
  4. The encryption key is appended to the share URL as a URL fragment: fileshot.io/d/abc123#key=xYZ...
  5. The #fragment portion of a URL is never sent to the server by the browser — it exists only in the browser and in the URL you share with the recipient.
  6. When the recipient clicks the link, their browser fetches the ciphertext from the server, extracts the key from the URL fragment, and decrypts the file entirely on their device.

The server's role is limited to storing and delivering an opaque encrypted blob. It has no mathematical ability to read the file — not through negligence, not through legal compulsion, not if breached. This is what "zero-knowledge" means: zero knowledge of the plaintext file contents.
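
The six steps above, sketched with the Web Crypto API as an added example (not FileShot's own code). The share.example host, the in-memory Map standing in for the server, the base64url key encoding, and the 96-bit IV stored beside the ciphertext are assumptions.

```javascript
// Added example, not FileShot's code. share.example, the Map "server" and the
// base64url key encoding are assumptions made for this sketch.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;

const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4)),
  (ch) => ch.charCodeAt(0));

const server = new Map(); // stands in for the blob store; sees only iv + ciphertext

async function upload(id, plaintext) {
  const c = await getCrypto();
  // Steps 1-2: random 256-bit key and fresh 96-bit IV, both created client-side.
  const key = await c.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));
  const ciphertext = new Uint8Array(
    await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  // Step 3: only the IV and ciphertext are stored server-side.
  server.set(id, { iv, ciphertext });
  // Step 4: the raw key is carried in the URL fragment.
  const raw = new Uint8Array(await c.subtle.exportKey('raw', key));
  return `https://share.example/d/${id}#key=${b64url(raw)}`;
}

// Step 5: the path and query an HTTP client sends; the fragment is not part of it.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

async function download(shareUrl) {
  const c = await getCrypto();
  const u = new URL(shareUrl);
  const id = u.pathname.split('/').pop();
  // Step 6: the key is read from the fragment, locally.
  const raw = unb64url(new URLSearchParams(u.hash.slice(1)).get('key'));
  const key = await c.subtle.importKey('raw', raw, 'AES-GCM', false, ['decrypt']);
  const { iv, ciphertext } = server.get(id);
  // GCM checks the authentication tag: a modified blob rejects, it never decrypts.
  return new Uint8Array(
    await c.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext));
}
```

Because GCM is authenticated, `download` rejects if the stored blob was altered, so the recipient never receives silently modified data.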

Encryption Methods Compared

Here's how the common security models stack up in terms of what the server can actually see:

| Security Model | Transit Protected | Server Can Read File | Subpoena Can Expose File |
| --- | --- | --- | --- |
| HTTPS only (TLS) | Yes | Yes | Yes |
| Server-side encryption at rest | Yes | Yes (holds keys) | Yes |
| E2E encrypted (client-side) | Yes | No | No (no key to give) |
| Zero-knowledge (FileShot) | Yes | No | No |

Secure File Transfer Services Compared

Not all "secure" file transfer services are the same. Here's an honest comparison of the most widely used options on the privacy spectrum:

| Service | Encryption Model | Max File Size | Account Required | Mobile App |
| --- | --- | --- | --- | --- |
| FileShot | Zero-knowledge AES-256-GCM | 50 GB | No (free tier) | Android APK + Desktop + Extension |
| send.vis.ee (Send fork) | Client-side E2E | 2.5 GB | No | Web only |
| Bitwarden Send | Client-side E2E | 500 MB | Yes (premium) | Yes |
| WeTransfer | TLS in transit only | 2 GB (free) | No | Yes |
| Dropbox / Google Drive | Server-side encryption | 15+ GB | Yes | Yes |
| Email attachment | None (or TLS only) | ~25 MB | Yes | Yes |

Why Email Is Not Secure File Transfer

Email is far and away the most common way people share files — and one of the least secure. Here's the problem chain:

  • Email providers (Gmail, Outlook, Yahoo) store your emails — including attachments — on their servers in plaintext or with server-held keys. They can read every attachment you've ever sent.
  • Most email is transmitted between mail servers over SMTP connections that may or may not use TLS, and even encrypted SMTP connections don't protect the stored message.
  • Email stays in multiple inboxes indefinitely — yours, the recipient's, and every mail server in between that logged it.
  • Corporate email is typically scanned, archived, and discoverable through legal processes. Anything you email from a work address belongs to your employer.
  • Email attachments are a primary vector for malware and phishing. Security tools scan attachments, meaning a third party processes your file's contents.

The right approach: don't send the file itself by email. Send the encrypted link. Use FileShot to upload the file (encrypted before it leaves your browser), then paste the resulting link into the email. The file contents never touch the email system. The link without the key fragment is useless to anyone who intercepts it.

Secure File Transfer for Business: HIPAA, GDPR, and Compliance

In regulated industries, "secure file transfer" isn't a preference — it's a legal requirement.

HIPAA (Healthcare): The HIPAA Security Rule requires covered entities to implement encryption for protected health information (PHI) transmitted over open networks. This means emailing medical records, lab results, or patient files via standard email is non-compliant. HIPAA doesn't mandate specific encryption standards, but it requires effective protection. AES-256 is the de facto standard.

GDPR (EU): GDPR's Article 32 requires "appropriate technical measures" including encryption for protecting personal data. The European Data Protection Board specifically recommends end-to-end encryption as a measure that substantially reduces breach notification obligations, because encrypted data disclosed without keys does not constitute a reportable breach (in most interpretations).

SOC 2: SOC 2 Type II audits assess whether organizations have adequate controls over data security, availability, and confidentiality. File transfers involving customer data need to be encrypted in a documented, auditable way. Zero-knowledge encryption leaves no server logs of file contents.

For business users, FileShot's Pro and Creator plans provide extended retention periods, file management dashboards, and the same zero-knowledge encryption on every transfer.

Step-by-Step: How to Send a File Securely with FileShot

This takes under 60 seconds and requires no account for basic use:

  1. Go to fileshot.io.
  2. Drag your file onto the upload area, or click to browse for it. The file can be up to 50 GB.
  3. Your browser encrypts the file locally using AES-256-GCM. You'll see the encryption progress in real time. The file is never uploaded in plaintext.
  4. (Optional) Set a password for an additional layer of protection — the recipient will need both the link and the password to download.
  5. (Optional) Set an expiry — the link can auto-delete after a set time or after a certain number of downloads.
  6. Copy the generated share link.
  7. Send the link to your recipient via any channel — email, Signal, Slack, SMS. The link carries the unguessable decryption key in its fragment.
  8. The recipient clicks the link. Their browser downloads the ciphertext and decrypts it locally using the key in the URL fragment. The file they save is already decrypted.

The entire process happens without any account, any registration, or any server ever reading the file's contents.

Best Practices for Secure File Transfers

  • Strip file metadata first. Before uploading sensitive files, use FileShot's Metadata Scrubber to remove EXIF, author, GPS, and revision data embedded in Word documents, PDFs, and photos. Metadata can expose information even when file contents are encrypted.
  • Add a password on the link. For highly sensitive files, enable password protection. Even if the link is forwarded by accident, it's unreadable without the password.
  • Set an expiry. One-time-download links prevent the file from remaining accessible indefinitely. Set the link to delete after one download for maximum control.
  • Send the link over a separate, secure channel. If you're emailing someone, send the link via Signal or encrypted email. Don't put the link and the password in the same message.
  • Don't screenshot or share the URL fragment. The #key=... part of the FileShot download URL is the decryption key. Anyone with the full URL can download and decrypt the file. Treat the URL like a password.
  • Verify the recipient. No encryption helps if you send a file to the wrong person. Confirm the email address or contact before sharing the link.
  • Use the desktop app or browser extension for repeated use. FileShot's Electron desktop app and Chrome MV3 extension integrate the same zero-knowledge encryption for faster file sharing from your desktop or browser context menu.

Common Secure File Transfer Mistakes to Avoid

Even privacy-conscious users make mistakes that undermine their file security:

  • Confusing HTTPS with end-to-end encryption. Seeing a padlock icon means the connection to the server is encrypted. It says nothing about what the server does with the file after it arrives.
  • Uploading files to AI tools before sharing. Many people run documents through ChatGPT or Gemini before sharing them. These services store and may train on uploaded content. Do not process sensitive files through AI tools before a secure transfer.
  • Using a file sharing link from an untrusted source. When you receive a link to download a "secure" file, the security only holds if the link came from a trustworthy service. Verify the domain before entering a password.
  • Ignoring file metadata. A Word document, PDF, or photo can contain author name, organization, location, revision history, and editing timestamps — even if the content is encrypted in transit. Strip metadata before sending.
  • Keeping expired links alive. If you sent a file to someone last year, that link may still work if you never deleted it. Audit old shares periodically.

Secure File Transfer vs. Secure File Sync

It's worth distinguishing between secure file transfer (sending a file to someone, one-time) and secure file sync (keeping files synchronized between devices or with collaborators continuously).

For one-time transfers: zero-knowledge services like FileShot are ideal. You generate a link, the recipient downloads it, the transfer is done.

For continuous sync: Syncthing (open-source P2P, TLS-encrypted, no central server) is the strongest privacy option. It syncs directly between your devices without any cloud intermediary. Proton Drive offers E2E encrypted cloud sync if you need cross-device access without hosting your own server.

FileShot also supports persistent file management for registered users — files can stay in your account indefinitely, and you can re-share them with new links at any time, with all the zero-knowledge protections applying throughout.


Frequently Asked Questions

What is the most secure way to transfer files?

The most secure way to transfer files is zero-knowledge end-to-end encryption: files encrypted in your browser before upload, decryption key living only in the URL fragment, never transmitted to the server. AES-256-GCM is the encryption standard. FileShot implements this model — the server stores only ciphertext it cannot decrypt, ever.

What does "end-to-end encrypted file sharing" mean?

End-to-end encrypted file sharing means the file is encrypted on the sender's device and decrypted only on the recipient's device. No server, no intermediary, no service provider ever holds the plaintext file or the decryption key. The key travels only in the URL fragment, which browsers intentionally never send to servers. This is fundamentally different from services that encrypt "at rest" but control the keys themselves.

Is sending files over email secure?

No. Standard email attachments are not end-to-end encrypted. Your email provider stores the file and can read it. Corporate email is archived and discoverable. IT departments and legal processes can access attachments. The right approach: use an encrypted file sharing service, upload the file there, and send only the link via email — never the file itself.

What is zero-knowledge file encryption?

Zero-knowledge encryption means the service provider has zero knowledge of your file's contents — they cannot read it under any circumstances, including legal compulsion. Files are encrypted entirely in your browser using a key that never leaves your control. The server stores only the encrypted blob. FileShot applies AES-256-GCM zero-knowledge encryption on every file uploaded, on every plan including free.

How do I securely transfer large files?

Use a zero-knowledge encrypted service like FileShot (supports files up to 10 GB free). Before uploading: strip metadata from the file using the Metadata Scrubber tool. After uploading: set a password on the share link and configure an expiry. Share the link via a secure channel. The entire file is encrypted with AES-256-GCM before a single byte leaves your device.
