Skip to main content
Documentation

Implicit vs Explicit Security FTPS

FTP over TLS (FTPS) supports two security modes: Implicit and Explicit. Both modes encrypt communication between an FTP client and server. They differ in how the encryption starts.

Implicit FTPS begins encryption immediately when the connection starts.

Explicit FTPS (also known as FTPeS) begins as a plain FTP session and upgrades to encryption after negotiation.

Files.com supports both types of connections. We strongly recommend Explicit (FTPeS) because it is the modern standard and works with a wider range of clients and network configurations.

Implicit FTPS

Implicit FTPS establishes encryption from the very start of the connection. The client begins communication by sending a TLS ClientHello message, and the server immediately requires this handshake. If the server does not receive it, the server closes the connection.

Historically, administrators used implicit FTPS on well-known ports:

  • 990/TCP for the control channel
  • 989/TCP for the data channel

This approach allowed older FTP clients to continue using port 21 for standard, unencrypted FTP. Implicit FTPS was never officially defined in RFC 4217 and is now considered deprecated.

Modern systems, including Files.com, favor Explicit FTPS (FTPeS) because it uses the standard FTP command structure and works better with firewalls and NAT devices.

When connecting to Files.com using Implicit FTPS, use Port 990 (default) or 3990 (alternative Files.com port).

Explicit FTPS

Explicit FTPS, or FTPeS, starts as a regular FTP session on the standard FTP ports (typically 21). The client must explicitly request encryption by sending the AUTH TLS command. Once the server agrees, both systems negotiate a secure TLS session for the remainder of the connection.

This model gives administrators flexibility. Servers can allow both encrypted and unencrypted connections on the same port, depending on configuration and client support.

The Explicit FTPS approach is officially defined in RFC 4217 and builds on earlier security extensions introduced in RFC 2228. These standards define the commands used to negotiate encryption:

  • AUTH TLS - requests to start a TLS-secured session
  • AUTH SSL - an older variant rarely used today
  • FEAT - allows clients to query which security mechanisms a server supports

Files.com requires FTPS clients to negotiate using AUTH TLS. This keeps the implementation aligned with current standards and compatible with modern FTP clients.

When connecting to Files.com using Explicit FTPS (also referred to as FTPeS), use Port 21 (default) or 3021 (alternative Files.com port).