
FTP Secure


FTPS (also known as FTP Secure and FTP-SSL) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.

FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from Secure FTP, the practice of tunneling FTP through an SSH connection.

Secure command channel

The secure command channel mode is entered by issuing either the AUTH TLS or the AUTH SSL command. From that point on, all command and control traffic between the FTPS client and server is assumed to be encrypted. It is generally advised to enter this state before user authentication and authorization, so that the user name and password cannot be eavesdropped by third parties.

Secure data channel

The secure data channel is entered by issuing the PROT command. It is not enabled by default when the AUTH TLS command is issued. From that point on, all data channel communication between the FTPS client and server is assumed to be encrypted.

The FTPS client may exit the secure data channel mode at any time by issuing a CDC (clear data channel) command.

Reasons to disable encryption

It may not be advantageous to use data channel encryption when performing transfers in the following scenarios:

  • Files being transferred are of a non-sensitive nature, making encryption unnecessary
  • Files being transferred are already encrypted at the file level, making encryption redundant
  • Available TLS or SSL encryption modes do not meet the desired level of encryption. This is common with older FTPS clients or servers that may have been limited to 40-bit SSL due to previous United States high-encryption export laws.

It may not be advantageous to use control channel encryption under the following scenarios:

  • Use of FTPS when the client and/or server resides behind a network firewall or network address translation (NAT) device. (See Firewall Incompatibilities below)
  • Repeated use of AUTH and CCC/CDC commands by anonymous FTP clients within the same session. Such behavior can be used as a resource-based denial-of-service attack, since the TLS/SSL session must be regenerated each time, consuming server processor time.
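
The ordering rules above (AUTH TLS before USER/PASS, PROT P needed before any protected transfer, CCC dropping the control channel back to cleartext, each AUTH costing a fresh handshake) can be checked mechanically against a client's command sequence. The following audit script is an added example, not code from the original page: it models the RFC 4217 session states and reports which commands and transfers crossed the wire unprotected; the command traces are constructed for the example and the user name and password in them are made up.

```python
from dataclasses import dataclass, field

# Commands that open a data connection; they are what PROT P protects.
DATA_COMMANDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


@dataclass
class SessionAudit:
    cleartext_commands: list = field(default_factory=list)   # control lines sent unencrypted
    cleartext_transfers: list = field(default_factory=list)  # data transfers made at PROT C
    tls_handshakes: int = 0                                   # AUTH commands, one handshake each


def audit_trace(trace):
    """Walk a list of client command lines (constructed input such as
    ["AUTH TLS", "USER alice"]) through the RFC 4217 state machine and report
    what crosses the wire unprotected. AUTH TLS itself is sent in the clear,
    because TLS only starts after the server accepts it."""
    audit = SessionAudit()
    control_secure = False   # control channel starts in cleartext
    data_protected = False   # PROT level is C (clear) until PROT P is issued
    for line in trace:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        shown = "PASS <redacted>" if verb == "PASS" else line  # never echo credentials
        if not control_secure:
            audit.cleartext_commands.append(shown)
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            control_secure = True
            audit.tls_handshakes += 1
        elif verb == "PROT":
            data_protected = arg == "P"
        elif verb == "CCC":  # Clear Command Channel: control traffic is cleartext again
            control_secure = False
        elif verb in DATA_COMMANDS and not data_protected:
            audit.cleartext_transfers.append(line)
    return audit


# Constructed trace: login before AUTH TLS, and a download with no PROT P.
LEAKY_TRACE = ["USER alice", "PASS pa55word", "AUTH TLS", "PASV", "RETR payroll.csv"]
# Constructed trace in the recommended order: AUTH TLS, PROT P, then login.
SAFE_TRACE = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS pa55word",
              "PASV", "RETR payroll.csv"]

if __name__ == "__main__":
    for name, trace in (("leaky", LEAKY_TRACE), ("safe", SAFE_TRACE)):
        print(name, audit_trace(trace))
```

Feeding a real client's command log through `audit_trace` shows at a glance whether credentials or file contents were exposed and how many handshakes a session forced on the server.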

SSL certificates

Much like HTTPS, but unlike SFTP, FTPS servers may provide a public key certificate. These certificates can be created using Unix tools such as OpenSSL's ssl-ca.

This certificate should be signed by a certificate authority, or the FTPS client may generate a warning stating that the certificate is not valid.
