FTP 101 – Part 11: Implicit vs. Explicit TLS in FTPS
Published {$created} by Carsten Blum
When it comes to encrypted FTP, FTPS offers two connection modes: implicit and explicit TLS. Although they serve the same purpose — encrypting your FTP connection — they work in fundamentally different ways.
In this post, we’ll break down what each means, when to use them, and how ftpGrid ensures all your FTPS connections are secure with valid certificates.
What is FTPS?
FTPS (FTP Secure) enhances classic FTP by adding TLS encryption. This ensures that both your login credentials and your file transfers are encrypted during transmission — a must-have in 2025.
There are two types of FTPS:
Implicit TLS
Connection port: 990
Encryption starts: Immediately
Client behavior: TLS handshake happens right after the TCP connection is established. No FTP commands are sent before encryption.
Pros:
Strong guarantee that encryption is always used
Simple handshake pattern
Cons:
Uses a non-standard port (990), which can cause firewall issues
Fewer modern clients support it by default
Explicit TLS (FTPES)
Connection port: 21 (same as regular FTP)
Encryption starts: After AUTH TLS command
Client behavior: Client initiates a standard FTP connection, then upgrades it to TLS
Pros:
Firewall-friendly (port 21)
More widely supported today
Easy to configure in tools like FileZilla
Cons:
Relies on the client to correctly request encryption
ftpGrid recommends using Explicit TLS (FTPES) for all encrypted FTP connections.
Certificate handling at ftpGrid
We want to keep things simple and secure — no more outdated self-signed certificates or manual trust exceptions.
Let's Encrypt – built-in and automated
All ftpGrid edge servers automatically use Let’s Encrypt to issue and renew valid TLS certificates.
Your connection is always encrypted and trusted by clients like FileZilla, Cyberduck, and most FTP libraries.
No more self-signed certificates
Self-signed certificates often result in scary warnings.
We’ve eliminated the need by automating real, trusted TLS certificates on all secure endpoints.
Summary: Which one should you use?
Mode | Port | Encryption starts | Client support | Recommended |
---|---|---|---|---|
Implicit FTPS | 990 | Immediately | Rare | No |
Explicit FTPS | 21 | After AUTH TLS | Widespread | Yes |
Need help configuring your client?
Use our Quick Start Guide to create your account, add a secure FTP user, and connect using FTPS with just a few clicks.