Photos & files

Share files without handing over the keys

How to send files so that only your recipient can open them, using end-to-end encrypted sharing, expiring links, peer-to-peer transfer, and encrypt-before-upload tools.

Published

Sending a file through email or a typical cloud link often means the service in the middle can read what you send, keep a copy, and hand it over if asked. If the file is a private photo, a scanned document, or anything personal, that matters. This guide covers ways to share files so that only the person you choose can open them, from easy encrypted links to peer-to-peer transfers that touch no company’s servers at all.

What “handing over the keys” means

When a file is encrypted, it is scrambled with a key. The question is who holds that key. With most mainstream file-sharing, the provider holds it, so it can decrypt and read your file. With end-to-end encryption (E2EE), the file is scrambled on your device and can only be unscrambled by the recipient, so the service transporting it never has a readable copy. Choosing E2EE tools, or encrypting files yourself before upload, keeps the key out of the provider’s hands.

Two features make shared links safer regardless of the tool: a password on the link, and an expiry date so the link stops working after a set time.

Proton Drive is an end-to-end encrypted cloud storage service. When you share a file or folder, the link is protected by the same encryption, and you can add controls:

  1. Right-click the file and choose to share it via a link.
  2. Enable Require password and set a strong password.
  3. Enable Set expiration date and choose when the link should stop working.
  4. Save, then send the link and the password through separate channels (for example, the link by email and the password by a messaging app).

As of July 2026, password protection and expiry dates are available on Proton Drive shared links, including on free accounts. Because the encryption is end-to-end, Proton itself cannot read the file’s contents.

Tresorit Send: quick encrypted transfers, no account needed

For a one-off transfer, Tresorit Send is a free service that encrypts files in your browser before they upload. As of July 2026 it lets anyone (no account required) send up to 5 GB per transfer, up to 100 files at a time, with AES-256 client-side encryption. You can set a password, an expiry date, and a limit on how many times the link can be opened (up to 10 downloads per file), and you can revoke a link at any time. Files and their metadata are deleted 14 days after the link expires. This is a good fit when you want strong encryption without asking your recipient to install anything.

OnionShare: send directly, with no company in the middle

OnionShare is free, open-source software that shares files directly from your computer to your recipient over the Tor network, with no third-party service storing anything. It works by turning your own computer into a temporary, private web server reachable only through a hard-to-guess Tor address.

How a send works:

  1. Open OnionShare and start a Share tab, then drag in your files.
  2. Click Start sharing. OnionShare gives you an unguessable web address (and a key).
  3. Send that address to your recipient, who opens it in Tor Browser to download.

Because your computer is the server, no company (not even OnionShare’s developers) can access the files, and Tor hides both ends’ network identity. The trade-offs: your computer must stay on and connected while the transfer happens, and your recipient needs Tor Browser. OnionShare can also receive files from others and host a simple site, but sending is the most common use. It is one of the most private ways to move a file between two people.

Cryptomator: encrypt before it reaches any cloud

If you want to keep using a cloud service you already have (Google Drive, Dropbox, OneDrive, iCloud) but stop the provider from reading your files, Cryptomator is a free, open-source tool that encrypts files on your device before they sync.

You create a vault, which is a password-protected encrypted folder that lives inside your cloud folder. Cryptomator presents the vault to you as a normal drive; anything you drop in is automatically encrypted with AES-256, including the file names. The cloud provider only ever stores the scrambled version. To share, you would give a trusted recipient the vault and its password, so this suits files you sync and access yourself, or share with someone you can hand a password to securely. Cryptomator runs on Windows, macOS, Linux, Android, and iOS.

Fallback: password-protect a file yourself

When you cannot use any of the above, you can encrypt a file into a password-protected archive and send that archive through ordinary channels. Two reliable options as of July 2026:

  • 7-Zip (free, Windows/Linux; p7zip on macOS): create an archive in the .7z format, which uses AES-256 by default. Set a strong password, and turn on Encrypt file names (the header-encryption option) so the list of files inside stays hidden until the password is entered. Avoid the old ZIP “ZipCrypto” method, which is weak.
  • age (free, cross-platform): a modern, simple command-line encryption tool. It can encrypt a file with a passphrase or with a recipient’s public key, producing a single encrypted file you can send anywhere.

With either tool, share the password or passphrase through a different channel than the file itself, and never in the same email. Your recipient will need matching software to open the result.

Choosing quickly

  • Easiest encrypted link: Tresorit Send, or Proton Drive if you already use it.
  • Most private, no third party: OnionShare over Tor.
  • Keep your existing cloud but lock it: Cryptomator.
  • No special service available: a password-protected .7z archive or an age-encrypted file, with the password sent separately.

For encrypted storage rather than one-off sharing, see Choose cloud storage that can’t read your files and the photos hub.

Quick checklist

  • Prefer end-to-end encrypted sharing so the service in the middle cannot read your file.
  • Add a password and an expiry date to any share link, and send the password through a separate channel.
  • Use Tresorit Send or Proton Drive for easy encrypted links (up to 5 GB, no account needed with Send).
  • Use OnionShare over Tor when you want no company storing anything at all.
  • Use Cryptomator to encrypt files before they reach Google Drive, Dropbox, or iCloud.
  • As a fallback, wrap files in a password-protected .7z (AES-256) archive or encrypt with age.

Sources

  1. proton.me https://proton.me/support/password-protect-files-proton-drive
  2. send.tresorit.com https://send.tresorit.com/
  3. onionshare.org https://onionshare.org/
  4. cryptomator.org https://cryptomator.org/
  5. redhat.com https://www.redhat.com/en/blog/encrypting-decrypting-7zip
  6. github.com https://github.com/FiloSottile/age

Last reviewed: