<< Back to tutorials

FTP 101 – Part 11: Implicit vs. Explicit TLS in FTPS

Published {$created} by Carsten Blum


When it comes to encrypted FTP, FTPS offers two connection modes: implicit and explicit TLS. Although they serve the same purpose — encrypting your FTP connection — they work in fundamentally different ways.

In this post, we’ll break down what each means, when to use them, and how ftpGrid ensures all your FTPS connections are secure with valid certificates.



What is FTPS?

FTPS (FTP Secure) enhances classic FTP by adding TLS encryption. This ensures that both your login credentials and your file transfers are encrypted during transmission — a must-have in 2025.

There are two types of FTPS:

Implicit TLS

  • Connection port: 990

  • Encryption starts: Immediately

  • Client behavior: TLS handshake happens right after the TCP connection is established. No FTP commands are sent before encryption.

Pros:

  • Strong guarantee that encryption is always used

  • Simple handshake pattern

Cons:

  • Uses a non-standard port (990), which can cause firewall issues

  • Fewer modern clients support it by default

Explicit TLS (FTPES)

  • Connection port: 21 (same as regular FTP)

  • Encryption starts: After AUTH TLS command

  • Client behavior: Client initiates a standard FTP connection, then upgrades it to TLS

Pros:

  • Firewall-friendly (port 21)

  • More widely supported today

  • Easy to configure in tools like FileZilla

Cons:

  • Relies on the client to correctly request encryption

ftpGrid recommends using Explicit TLS (FTPES) for all encrypted FTP connections.



Certificate handling at ftpGrid

We want to keep things simple and secure — no more outdated self-signed certificates or manual trust exceptions.

Let's Encrypt – built-in and automated

  • All ftpGrid edge servers automatically use Let’s Encrypt to issue and renew valid TLS certificates.

  • Your connection is always encrypted and trusted by clients like FileZilla, Cyberduck, and most FTP libraries.

No more self-signed certificates

  • Self-signed certificates often result in scary warnings.

  • We’ve eliminated the need by automating real, trusted TLS certificates on all secure endpoints.


Summary: Which one should you use?

Mode

Port

Encryption starts

Client support

Recommended

Implicit FTPS

990

Immediately

Rare

No

Explicit FTPS

21

After AUTH TLS

Widespread

Yes


Need help configuring your client?

Use our Quick Start Guide to create your account, add a secure FTP user, and connect using FTPS with just a few clicks.



Signup now
© 2025 ftpGrid

ftpGrid ApS
Branebjerg 24
DK-5471
Gamby
Denmark

Looking for an all-in-one time tracking, timesheet, and invoicing solution - visit our sister company Nureti at https://nureti.com.