
File encryption and security FAQs


Is end-to-end encryption used?

Yes. In all scenarios, shared files are encrypted in the sharer's browser before they are uploaded. They can only be decrypted in the browser of the recipient, who must have the full sharing link, and the password if one has been set. At all points in between, including when on our servers, the files are encrypted. We cannot decrypt them.

The keys used to encrypt files are never sent to our servers. They are securely stored in your browser, so that only you can view the details of files or invitations you have already shared. Once a file or invitation is deleted, the keys in your browser are also removed.

As well as file encryption, when you use Hexiosec Transfer your browsing traffic is encrypted using TLS versions 1.2 or 1.3, which is the industry standard.

What type of encryption is used?

When using Hexiosec Transfer to send and receive files, including when requesting files, your files are encrypted using AES-256 in Galois Counter Mode (GCM). Encryption key derivation uses PBKDF2 and HKDF. AES key wrap is used to protect your local keys.

When you send file sharing requests, the encryption keys are themselves encrypted using Elliptic Curve Diffie-Hellman (ECDH), using NIST curve P-384.
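
The following added example is not Hexiosec's code. It shows one way the primitives named above (PBKDF2, HKDF and AES-256-GCM) can be combined with the Web Crypto API so that a server storing the upload cannot decrypt it. The way the link secret and password are combined, the function names, the iteration count and the "file-key-v1" label are all assumptions made for the illustration.

```javascript
// Added illustration, not Hexiosec's code. How the secrets are combined is assumed.
// Browsers expose globalThis.crypto; the fallback covers older Node.js.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor

// Derive the AES-256-GCM file key from the link secret and optional password.
async function deriveFileKey(linkSecret, salt, password) {
  let ikm = linkSecret;
  if (password) {
    // PBKDF2 stretches the password so guessing it is slow.
    const pw = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
    const stretched = await wc.subtle.deriveBits(
      { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS }, pw, 256);
    ikm = new Uint8Array([...linkSecret, ...new Uint8Array(stretched)]);
  }
  // HKDF turns the combined secret into the actual encryption key.
  const hk = await wc.subtle.importKey("raw", ikm, "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt, info: enc.encode("file-key-v1") },
    hk, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Sender side: returns what is uploaded and, separately, what goes in the link.
async function encryptFile(plaintext, password) {
  const linkSecret = wc.getRandomValues(new Uint8Array(32)); // never uploaded
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh per encryption
  const key = await deriveFileKey(linkSecret, salt, password);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
  return { upload: { salt, iv, ciphertext: new Uint8Array(ct) }, linkSecret };
}

// Recipient side: null means the GCM tag check failed (wrong password,
// incomplete link, or ciphertext modified in transit or at rest).
async function decryptFile(upload, linkSecret, password) {
  const key = await deriveFileKey(linkSecret, upload.salt, password);
  try {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: upload.iv }, key, upload.ciphertext);
    return new Uint8Array(pt);
  } catch {
    return null;
  }
}
```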

Do you check the files?

No. Since the file encryption happens in your browser before the files are uploaded, we can't look at their contents. This means we don't check for viruses or malware, so it’s important to check files yourself before you share them. Downloaded files are inspected for viruses by most modern web browsers.

Do you back up the files?

No. Part of the security of Hexiosec Transfer is that the files are ephemeral, which means they only exist for the period of time set by the expiry duration. When sending files, you choose when they expire, and after this time they are deleted from our servers. We don't keep copies of any uploaded files, and we can't decrypt them. For this reason, Hexiosec Transfer should not be used for backup purposes, or for holding the only copy of important files.