What Does FTPS Mean?
Also known as: FTP Secure, FTP-SSL, FTPS, FTP over TLS
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
Quick Definition
FTPS, or File Transfer Protocol Secure, is an extension of the standard File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), cryptographic protocols. Unlike plain FTP, which transmits data and authentication credentials in cleartext, FTPS encrypts the control channel (commands and login information) and optionally the data channel, ensuring confidentiality and integrity during file transfers. It was developed to address the security shortcomings of FTP while maintaining compatibility with existing FTP infrastructure and workflows. FTPS operates by wrapping FTP traffic within a TLS/SSL tunnel, typically using port 990 for implicit FTPS (where the TLS handshake occurs immediately upon connection) or port 21 for explicit FTPS (where the client requests encryption via the AUTH TLS command). Its existence is driven by the need for a secure, standards-based file transfer protocol that leverages widely deployed encryption technologies without requiring a complete overhaul of FTP-based systems.
Must Know for Exams
On the CompTIA Network+ exam (N10-008 or N10-009), FTPS is tested under Objective 1.3 (Explain the concepts and characteristics of routing and switching) and Objective 3.1 (Explain the purpose and properties of network services and protocols).
Specifically, exam candidates must be able to:
(1) Differentiate FTPS from SFTP and HTTPS—a frequent point of confusion. FTPS uses TLS/SSL over FTP, while SFTP uses SSH.
(2) Identify the default ports: implicit FTPS uses port 990 (control) and 989 (data); explicit FTPS uses port 21.
(3) Understand the two modes of operation (implicit vs. explicit) and when each is used.
(4) Recognize that FTPS encrypts both the control and data channels (when configured for private data channel).
(5) Know that FTPS relies on X.509 certificates for server authentication.
(6) Understand the implications for firewall rules: because FTPS uses separate control and data connections (especially in active mode), it may require additional port ranges to be opened.
(7) Compare FTPS to other secure file transfer methods like SFTP and HTTPS-based file transfer.
The exam may present scenario-based questions where a company needs to securely transfer files but must maintain compatibility with existing FTP scripts—FTPS would be the correct choice. Candidates should also be aware that FTPS is sometimes called FTP-SSL or FTP over TLS.
Simple Meaning
Imagine you are sending a confidential letter through a courier service. With standard FTP, you hand the letter to the courier in a clear, unsealed envelope—anyone along the route can read the contents and even see your return address. FTPS is like placing that same letter inside a locked, tamper-proof briefcase before handing it to the courier.
Only the intended recipient has the key to open the briefcase. Even if someone intercepts the briefcase, they cannot read the letter or see your address. Additionally, the courier themselves might only be allowed to see the delivery address after proving their identity.
This is analogous to FTPS encrypting both the commands (like login credentials) and the data being transferred. The 'secure' part comes from the TLS/SSL encryption, which ensures that even on an untrusted network (like public Wi-Fi), your file transfer remains private and unaltered.
Full Technical Definition
FTPS (File Transfer Protocol Secure) is a network protocol that extends the standard FTP (defined in RFC 959) by adding support for TLS (RFC 5246) and SSL (deprecated but historically relevant) encryption. It operates primarily at the Application Layer (Layer 7) of the OSI model, but relies on the Transport Layer (Layer 4) for secure connections via TCP. There are two distinct modes of FTPS: Implicit FTPS and Explicit FTPS.
Implicit FTPS (historically defined in RFC 2228, though now deprecated) assumes that the entire session must be encrypted from the start. The client connects to a dedicated port (typically 990 for control, 989 for data) and immediately initiates a TLS handshake. If the server does not receive a TLS ClientHello, the connection is dropped.
Explicit FTPS (also called FTPES) uses the standard FTP port 21. The client connects in plaintext initially, then issues the 'AUTH TLS' or 'AUTH SSL' command to request encryption. Once the server acknowledges and the TLS handshake completes, the rest of the session (including authentication and data transfer) is encrypted.
FTPS supports two data channel protection levels: 'P' (Private) where the data channel is encrypted, and 'C' (Clear) where it is not. The PROT command controls this. FTPS also supports certificate-based authentication, where the server presents an X.509 certificate that the client validates.
Compared to SFTP (SSH File Transfer Protocol), which is a completely different protocol running over SSH (port 22), FTPS is an extension of FTP and thus inherits its dual-connection architecture (control and data channels). This can complicate firewall configurations, especially in active mode where the server initiates a data connection back to the client.
FTPS is widely supported by legacy systems and is often chosen for its compatibility with existing FTP-based automation scripts.
Real-Life Example
A healthcare organization, MedData Inc., needs to transmit daily patient records (including PHI) from its regional clinics to a central data center. The compliance officer mandates encryption for all data in transit to meet HIPAA requirements.
The IT team configures an FTPS server at the data center using implicit mode on port 990. Each clinic runs a scheduled task that uses an FTPS client (e.g., WinSCP) to connect to the server.
The connection begins with a TLS handshake where the server presents its certificate, which the client validates against a trusted CA. After authentication using a username and password (now encrypted), the client uploads CSV files containing patient data. The data channel is also encrypted (PROT P).
One day, a network administrator captures packets on the clinic's LAN using Wireshark. They observe that the initial TCP handshake is visible, but immediately after, all subsequent packets are TLS-encrypted, revealing only the server IP and port. The actual file contents and login credentials remain hidden.
This setup ensures that even if the clinic's network is compromised, patient data remains confidential.
Why This Term Matters
Understanding FTPS is critical for IT professionals because it represents a common, standards-based solution for securing legacy FTP infrastructure. Many enterprises still rely on FTP for automated file transfers (e.g., EDI, batch processing, log shipping), and migrating to a completely different protocol like SFTP can be costly and disruptive. FTPS allows these organizations to add encryption without rewriting scripts or replacing servers. From a troubleshooting perspective, knowing the difference between implicit and explicit modes, and the associated port numbers (990 vs 21), is essential for configuring firewalls and NAT rules correctly.
Misconfigurations can lead to connectivity failures or, worse, data leaks. On the career front, proficiency in FTPS demonstrates a practical understanding of network security, TLS handshake mechanics, and application-layer protocols—skills highly valued in roles like network administrator, security analyst, and systems engineer. It also appears on vendor-neutral certifications like CompTIA Network+, making it a foundational concept for career advancement.
How It Appears in Exam Questions
FTPS appears in Network+ exam questions in several distinct patterns.
Pattern 1: Port identification. The question stem describes a scenario where a technician needs to configure a firewall for secure FTP using implicit mode. The correct answer is port 990. Distractors often include port 22 (SFTP), port 443 (HTTPS), or port 21 (explicit FTPS or plain FTP).
Pattern 2: Protocol comparison. A question asks which secure file transfer protocol uses TLS/SSL. The correct answer is FTPS. Wrong answers include SFTP (uses SSH), SCP (uses SSH), and HTTPS (uses TLS but for web traffic).
Pattern 3: Mode selection. The scenario describes a client that connects to a server and issues an AUTH TLS command. The question asks what type of FTPS this is. The correct answer is explicit FTPS (or FTPES). Distractors include implicit FTPS, passive FTP, or active FTP.
Pattern 4: Security property. A question asks which protocol encrypts both the control and data channels. The correct answer is FTPS (when PROT P is used). Distractors might include SFTP (which encrypts everything over a single SSH channel) or HTTPS.
To identify the correct answer, focus on keywords: 'TLS', 'SSL', 'port 990', 'AUTH TLS', and 'certificate'. If the question mentions 'SSH', it is not FTPS.
Example Scenario
Scenario: A small business owner needs to upload weekly sales reports to a cloud storage provider that supports FTPS.
Step 1: The owner opens an FTPS client (e.g., FileZilla) and enters the server address (ftp.example.com), username, and password.
Step 2: The client connects to the server on port 21 (explicit FTPS).
Step 3: The client sends an 'AUTH TLS' command to request encryption.
Step 4: The server responds with a 234 code indicating acceptance, and a TLS handshake begins. The server presents its digital certificate.
Step 5: The client validates the certificate (checks expiration, issuer, and hostname match).
Step 6: After validation, the client sends the username and password—now encrypted.
Step 7: The server authenticates the user and opens an encrypted data channel (PROT P).
Step 8: The owner selects the sales report file and clicks upload. The file is transferred securely.
Step 9: The client disconnects. The entire transfer is protected from eavesdropping.
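The scenario above, scripted with Python's standard ftplib as an added example (not part of the original page). The function names, host, credentials and file names are hypothetical; the comments map each call to the step it performs.

```python
import ftplib
import ssl


def build_context(cafile=None):
    """TLS settings for the control and data channels.

    create_default_context() turns on certificate verification
    (CERT_REQUIRED) and hostname checking, which is Step 5 of the scenario.
    cafile is optional: pass a private CA bundle for an internal server.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def upload_explicit_ftps(host, user, password, local_path, remote_name,
                         port=21, timeout=30):
    """Upload one file over explicit FTPS and return the server's final reply.

    Raises ssl.SSLCertVerificationError if the certificate is expired,
    untrusted or issued for a different hostname, and ftplib.error_perm if
    the server refuses AUTH TLS, so a failed upgrade never falls back to
    sending credentials in cleartext.
    """
    with ftplib.FTP_TLS(context=build_context(), timeout=timeout) as ftps:
        ftps.connect(host, port)      # Step 2: plain TCP connection to port 21
        ftps.auth()                   # Steps 3-5: AUTH TLS, handshake, cert check
        ftps.login(user, password)    # Step 6: USER/PASS inside the TLS tunnel
        ftps.prot_p()                 # Step 7: PBSZ 0 + PROT P for the data channel
        with open(local_path, "rb") as fh:
            return ftps.storbinary(f"STOR {remote_name}", fh)  # Step 8


if __name__ == "__main__":
    # Hypothetical values; replace before running against a real server.
    print(upload_explicit_ftps("ftp.example.com", "reports", "change-me",
                               "sales.csv", "sales.csv"))
```

Leaving out prot_p() would still protect the login but send the file over an unencrypted data connection.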
Common Mistakes
Students think FTPS and SFTP are the same protocol because both are 'secure FTP'.
FTPS uses TLS/SSL to encrypt FTP, while SFTP is a completely different protocol that runs over SSH (port 22). They are not interchangeable and have different architectures, ports, and security models.
Remember: FTPS = FTP + TLS/SSL; SFTP = SSH File Transfer Protocol. If it uses SSH, it's not FTPS.
Students believe that explicit FTPS always uses port 990.
Explicit FTPS uses port 21 (the standard FTP port) and upgrades to encryption via AUTH TLS. Port 990 is reserved for implicit FTPS, where encryption is mandatory from the start.
Implicit = port 990 (encryption from the start). Explicit = port 21 (upgrade via AUTH TLS).
Students think FTPS encrypts only the control channel by default.
While FTPS can encrypt just the control channel, the data channel can also be encrypted using the PROT P command. For full security, both channels should be encrypted. The exam expects you to know that FTPS can encrypt both.
FTPS can encrypt both control and data channels. Use PROT P for private data channel. Don't assume only control is encrypted.
Exam Trap — Don't Get Fooled
The most dangerous trap: A question asks 'Which protocol uses port 22 for secure file transfer?' and candidates select FTPS because they confuse it with SFTP. The correct answer is SFTP, not FTPS.
Why learners choose it: Learners often memorize that 'secure FTP' uses encryption but fail to distinguish between TLS/SSL-based FTPS and SSH-based SFTP. The term 'secure file transfer' is ambiguous, and port 22 is strongly associated with SSH, but if a student only remembers 'FTPS = secure', they pick the wrong answer.
How to avoid it: Always associate port numbers with the underlying encryption: port 22 = SSH = SFTP; port 990 = TLS/SSL = FTPS (implicit); port 21 = FTPS (explicit) or plain FTP. If you see 'SSH' in the question, it's not FTPS.
Commonly Confused With
FTPS uses TLS/SSL to encrypt FTP traffic, operating on ports 21/990. SFTP is a separate protocol that runs over SSH (port 22) and uses a single connection for both control and data. FTPS inherits FTP's dual-connection model; SFTP does not.
Use FTPS when you need to secure an existing FTP server without changing the protocol; use SFTP when you need a simpler firewall configuration and already have SSH access.
HTTPS is HTTP over TLS/SSL, used for web traffic (port 443). FTPS is FTP over TLS/SSL, used for file transfers (ports 21/990). Both use TLS, but they are different application-layer protocols with different purposes and default ports.
Use HTTPS to browse a website securely; use FTPS to upload a file to an FTP server securely.
Step-by-Step Breakdown
Step 1: TCP Connection Establishment
The FTPS client initiates a TCP connection to the server. For implicit FTPS, this is to port 990; for explicit FTPS, to port 21. The three-way handshake completes, establishing a reliable connection.
Step 2: TLS Handshake (Implicit) or AUTH TLS (Explicit)
For implicit FTPS, the client immediately starts a TLS handshake (ClientHello). For explicit FTPS, the client sends an 'AUTH TLS' command; the server responds with '234 AUTH TLS OK', then the TLS handshake begins.
Step 3: Certificate Exchange and Validation
The server sends its X.509 certificate. The client validates the certificate (checks expiration, issuer, hostname). Optionally, the client may also present a certificate for mutual authentication.
Step 4: Encrypted Authentication
After the TLS session is established, the client sends the USER and PASS commands. These are now encrypted within the TLS tunnel, protecting the credentials from eavesdropping.
Step 5: Encrypted Data Transfer
The client requests a data transfer (e.g., STOR for upload). The data channel is established, either in active or passive mode, and is also encrypted (if PROT P was issued). The file is transferred securely.
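The ordering in Steps 2 to 5 can be checked mechanically against client or server session logs. The following added example (not part of the original page) audits a control-channel transcript for credentials sent before TLS and for transfers made without PROT P; the "C: "/"S: " transcript format and every sample session are constructed for illustration.

```python
# Commands that move bytes over the data channel.
DATA_COMMANDS = {"STOR", "RETR", "APPE", "LIST", "NLST", "MLSD"}


def audit_session(lines, implicit=False):
    """Return findings for one session; an empty list means the ordering is sound.

    implicit=True models port 990, where TLS is up before the first FTP command.
    """
    findings = []
    tls_active = implicit
    prot_level = "C"   # data channel stays Clear until the server accepts PROT P
    pending = None     # (verb, arg) of an AUTH/PROT command awaiting its reply
    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            verb = verb.upper()
            if verb in ("AUTH", "PROT"):
                pending = (verb, arg.strip().upper())
            elif verb in ("USER", "PASS") and not tls_active:
                findings.append(f"{verb} sent before TLS (credentials in cleartext)")
            elif verb in DATA_COMMANDS and prot_level != "P":
                findings.append(f"{verb} with data channel protection {prot_level}, not P")
        elif side == "S" and pending:
            code = text.strip()[:3]
            verb, arg = pending
            pending = None
            if verb == "AUTH":
                if code == "234":          # server accepted; TLS handshake follows
                    tls_active = True
                else:
                    findings.append(f"AUTH {arg} refused with {code}; session stays plaintext")
            elif verb == "PROT" and code == "200":
                prot_level = arg
    return findings


# Constructed sample sessions (not captured from any real server).
GREETING = ["S: 220 Service ready"]
AUTH_OK = ["C: AUTH TLS", "S: 234 AUTH TLS OK"]
LOGIN = ["C: USER reports", "S: 331 Password required",
         "C: PASS ********", "S: 230 Logged in"]
PROT_P = ["C: PBSZ 0", "S: 200 PBSZ=0", "C: PROT P", "S: 200 Protection set to Private"]
UPLOAD = ["C: PASV", "S: 227 Entering Passive Mode", "C: STOR sales.csv",
          "S: 150 Opening data connection", "S: 226 Transfer complete"]

EXPLICIT_OK = GREETING + AUTH_OK + LOGIN + PROT_P + UPLOAD
CLEAR_DATA = GREETING + AUTH_OK + LOGIN + UPLOAD          # PROT P never issued
PLAIN_FTP = GREETING + LOGIN + UPLOAD                     # no AUTH TLS at all
AUTH_REFUSED = GREETING + ["C: AUTH TLS", "S: 502 Command not implemented"] + LOGIN

if __name__ == "__main__":
    for name in ("EXPLICIT_OK", "CLEAR_DATA", "PLAIN_FTP", "AUTH_REFUSED"):
        print(name, audit_session(globals()[name]))
```

The transcript has to come from an endpoint's own logs, because once TLS is active the commands are no longer visible on the wire.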
Practical Mini-Lesson
FTPS (File Transfer Protocol Secure) is a network protocol that adds TLS/SSL encryption to the classic FTP protocol. The core concept is simple: FTP was designed in an era when networks were trusted, so it sends everything—including usernames, passwords, and file contents—in plaintext. FTPS wraps this traffic in a TLS/SSL tunnel, making it unreadable to anyone intercepting the packets.
How it works: There are two modes. Implicit FTPS requires encryption from the moment the TCP connection is established. The client connects to port 990 and immediately starts a TLS handshake. If the server doesn't receive a TLS ClientHello, it drops the connection. Explicit FTPS (FTPES) starts as a standard FTP connection on port 21. The client then sends an 'AUTH TLS' command to upgrade the connection to encrypted. This is more flexible and is the modern standard.
Comparison to similar technologies: SFTP (SSH File Transfer Protocol) is often confused with FTPS. SFTP is a completely different protocol that runs over SSH (port 22). It uses a single connection for both control and data, making firewall configuration simpler. FTPS, on the other hand, inherits FTP's dual-connection architecture, which can be problematic in active mode where the server initiates a data connection back to the client. This requires opening additional ports on firewalls.
Configuration notes: For FTPS, you typically need to install a TLS certificate on the server. Clients must trust the CA that issued the certificate or accept a self-signed certificate (with a warning). In passive mode (PASV), the client initiates both control and data connections, which is firewall-friendly.
Key takeaway: FTPS is the best choice when you need to secure an existing FTP infrastructure without migrating to a different protocol. Remember: FTPS = FTP + TLS/SSL. If you see 'AUTH TLS', it's explicit FTPS. If you see port 990, it's implicit FTPS.
Memory Tip
Memory trick: 'FTPS' = 'FTP with an S' (Secure). Think of the 'S' as a shield. The shield is made of TLS/SSL. Port 990 = '9-9-0' sounds like 'nine-nine-oh' which you can remember as 'nine-nine-oh, it's implicit, you know!' For explicit, remember 'AUTH TLS' = 'Auth to TLS'—the client asks permission to encrypt.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009 CompTIA Network+
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008
N10-009 (current version)
Related Glossary Terms
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
An AP (Access Point) bridges wireless clients to a wired network, acting as a central transceiver and controller for Wi-Fi communications.
An API is a set of rules that allows software applications to communicate and exchange data with each other.
BCP is a proactive process that creates a framework to ensure critical business functions continue during and after a disruptive event.
BNC (Bayonet Neill-Concelman Connector) is a miniature coaxial connector used for terminating coaxial cables in networking, video, and RF applications.
Frequently Asked Questions
What is the difference between implicit and explicit FTPS?
Implicit FTPS requires encryption from the moment the TCP connection is established, typically on port 990. The client must start a TLS handshake immediately. Explicit FTPS (FTPES) starts as plain FTP on port 21, then the client sends an 'AUTH TLS' command to upgrade to encryption. Explicit is more flexible and is the modern standard.
Is FTPS more secure than SFTP?
Both are secure when properly configured, but they use different encryption methods. FTPS uses TLS/SSL, which is widely used for web security. SFTP uses SSH. FTPS can be more complex to configure due to its dual-connection architecture, especially with firewalls. SFTP is simpler in that regard. Neither is inherently 'more secure'; it depends on implementation.
Can FTPS use the same port as regular FTP?
Yes, explicit FTPS uses port 21, the same as plain FTP. The encryption is negotiated after the connection is established. Implicit FTPS uses a different port (990) to indicate that encryption is mandatory. This is a common point of confusion on exams.
Do I need a certificate for FTPS?
Yes, the FTPS server must present a TLS/SSL certificate to the client during the handshake. This certificate can be self-signed or issued by a trusted CA. Clients may warn if the certificate is self-signed or expired. For mutual authentication, the client may also need a certificate.
When should I choose FTPS over SFTP?
Choose FTPS when you need to secure an existing FTP infrastructure without changing the protocol, or when compatibility with legacy systems that only support FTP is required. Choose SFTP when you need a simpler firewall configuration (single port 22) or when you already have SSH access to the server.
Summary
1. FTPS (File Transfer Protocol Secure) is FTP wrapped in TLS/SSL encryption, protecting both login credentials and file data from eavesdropping and tampering.
2. It operates in two modes: implicit (always encrypted, port 990) and explicit (starts plaintext, upgrades via AUTH TLS, port 21). The data channel can also be encrypted using PROT P.
3. For the Network+ exam, remember: FTPS uses TLS/SSL (not SSH), implicit uses port 990, explicit uses port 21 with AUTH TLS, and it is the go-to choice when you need to secure legacy FTP without changing the underlying protocol. Do not confuse it with SFTP (which uses SSH).