How a transfer is sent
When a transfer is sent (file or message), it is encrypted in the sender's browser before being uploaded to our servers. With Hexiosec Transfer, transfer files never leave the sender's computer unencrypted. After encrypting and uploading is complete, the sender is provided with the option of a download link, code, or QR code that they can share with the recipient.
The sharing link is a single link that contains two parts:
- the location of the uploaded transfer,
- the decryption key for it.
The first part is randomly generated, and points to the location of the encrypted files/message on our servers. Randomly generated means no one could guess the location by just trying links. Someone with only this part of the link, including us, could see that there’s a file on the server but couldn’t decrypt it.
The second part is the decryption key. Crucially, no one, including us, can download and decrypt the files without this second part of the link. This decryption key is never sent to us.
Only if someone has the full link can they download and decrypt the file, and only before the link expires. It is important to make sure the link is only sent to the intended recipient.
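The two-part link described above can be modelled as follows. This is an added illustration, not Hexiosec's code: it assumes AES-256-GCM via the Web Crypto API and assumes the key travels in the URL fragment (the part after #, which browsers do not include in HTTP requests). The host transfer.example, the /d/<id> path and the Map standing in for server storage are hypothetical.

```javascript
// Added illustration, not Hexiosec's code. Assumed: AES-256-GCM, key in the
// URL fragment, host transfer.example, path /d/<id>, Map as the server store.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Sender: encrypt locally, then build the two-part link.
async function createTransfer(plaintext) {
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  const id = toHex(wc.getRandomValues(new Uint8Array(16))); // part 1: random location
  const link = `https://transfer.example/d/${id}#${toHex(rawKey)}`; // part 2: key
  return { link, upload: { id, iv, ct } }; // `upload` is everything the server gets
}

// The URL that goes into the HTTP request: the fragment (the key) is not part of it.
function requestUrl(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Recipient: look up ciphertext by location, decrypt with the key from the fragment.
async function openTransfer(link, store) {
  const u = new URL(link);
  const { iv, ct } = store.get(u.pathname.split('/').pop());
  const key = await wc.subtle.importKey(
    'raw', fromHex(u.hash.slice(1)), 'AES-GCM', false, ['decrypt']);
  return new Uint8Array(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}
```

Because AES-GCM is authenticated, opening the transfer with the location part and a wrong key fails with an error rather than returning garbage.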
How is it that I can get a sharing link from Hexiosec Transfer if Hexiosec Transfer's servers don't hold it?
The full sharing link, including the decryption key, is generated and stored locally in the sender's browser and never sent to us. If the sender is signed in using the same browser and device used to send the files, then they can view the sharing link previously generated by that browser. The sharing link information seen by the sender is extracted from local storage on their device, not our servers, and is only available from that specific browser and device.
If the sender signs into their Hexiosec Transfer account on a browser or device which is different to the one used to share any files, they will still be able to see all of their active file shares; however, since the local storage of the browser used to originally send the files is not available, the file details, including the sharable link, will be unknown and not available.
Hexiosec Transfer will soon support the optional syncing of this local browser storage between the sender's devices, which will allow a sender to access the sharing link/codes from any device. Even in this situation the sharing link will still not be accessible to us.
With Hexiosec Transfer, additional security controls can be applied when transferring files or messages, or requesting files. The measures available depend on the sender's account type (see our pricing page for details), such as being able to set:
- the number of times a file can be downloaded,
- how long the file is retained before it expires,
- an optional password required to decrypt files,
- verification of the recipient.
When the file expires, either because the set duration has elapsed or because the maximum number of downloads has been reached, it is automatically deleted from our servers.