
Sending Sensitive Files: What's Safe and What's Not

Email attachments are not secure. Neither are most file sharing links you send. Here's what actually protects sensitive documents in transit.

6 min read | January 20, 2026 | By FreeToolKit Team | Free to read

Last year I helped a small business review their file sharing practices. They were emailing client financial statements as PDF attachments. To the right clients most of the time. One wrong recipient: never caught, just quietly sitting in the wrong inbox.

Here's what actually matters when you're sending sensitive files.

The Threat Model First

Different threats need different solutions. Most people's actual risks: sending to the wrong person by accident, email account breach, a file link being forwarded or found. Sophisticated attackers intercepting your traffic en route are a concern for journalists and high-risk individuals, not most business users. Match your solution to your actual threat.

Encrypting the File Before Sending

7-Zip can encrypt archives with AES-256. Create a .zip, add a strong password, send the archive via any channel, and send the password through a different channel (e.g., file by email, password by text). This is simple, free, and doesn't require the recipient to have special software beyond 7-Zip (free, available everywhere).

The limitation: you still need to securely communicate the password. If you email both the file and the password, you've gained nothing from encrypting.
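
The .zip format supports both the legacy ZipCrypto cipher and AES-256, so it is worth confirming which one an archive actually uses before sending it. The Python check below is an added example, not part of the original article: it reads the zip headers for the encryption flag and the WinZip AES extra field (0x9901). The `sample_zip` helper and the file names are constructed test input.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                  # WinZip AE-x extra field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}    # key-strength byte -> key size

def entry_encryption(info):
    """Classify one entry as 'none', 'ZipCrypto' or 'AES-<bits>'."""
    if not info.flag_bits & 0x1:       # general-purpose bit 0 = encrypted
        return "none"
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):       # walk the (id, size, data) records
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:
            # data = version(2) + vendor "AE"(2) + strength(1) + method(2)
            return f"AES-{AES_BITS.get(extra[pos + 8], '?')}"
        pos += 4 + size
    return "ZipCrypto"                 # encrypted, but no AES record

def audit_zip(fileobj):
    """Map entry name -> encryption. No password is needed: a .zip keeps
    its file names in clear even when the contents are encrypted."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: entry_encryption(i) for i in zf.infolist()}

def sample_zip(name, flags, method, extra=b""):
    """Constructed input: a one-entry, headers-only zip (no real data)."""
    n = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                        0, 0, 0, 0, 0, len(n), len(extra)) + n + extra
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                          flags, method, 0, 0, 0, 0, 0, len(n), len(extra),
                          0, 0, 0, 0, 0) + n + extra
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return io.BytesIO(local + central + eocd)

# Constructed AES extra field: AE-2, vendor "AE", strength 3 (256-bit)
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

if __name__ == "__main__":
    print(audit_zip(sample_zip("statement.pdf", 0x1, 99, AES256_EXTRA)))
    print(audit_zip(sample_zip("statement.pdf", 0x1, 8)))
```

To check a real archive, pass an open file: `audit_zip(open("archive.zip", "rb"))`. Any entry reported as "ZipCrypto" or "none" should be re-created with AES-256 before it is sent.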

Better: Send Through Encrypted Channels

Signal handles file sharing up to 100MB with strong end-to-end encryption. If the recipient is on Signal, this is the easiest secure option for individuals. For business use, ProtonDrive and Tresorit offer end-to-end encrypted cloud storage with secure sharing links.

For Business: Control Who Has Access

The most common real-world breach isn't encryption failure — it's 'anyone with the link' settings on Google Drive or Dropbox. Use specific-person sharing, not link sharing, for sensitive files. Set file expiration on shared links when the service supports it. Audit your shared files periodically to revoke access that's no longer needed.

Frequently Asked Questions

Is email safe for sending sensitive documents?

Standard email is not encrypted in transit between mail servers in the way most people assume. TLS encryption protects email in transit between servers, but email content is typically stored unencrypted on the server and accessible to email providers. For truly sensitive documents — financial records, legal documents, medical records, personal ID — email is inadequate. The realistic risk for most people isn't government surveillance; it's misconfigured mail servers, email account breaches, and sending to the wrong address. For high-stakes documents, use end-to-end encrypted options like ProtonMail, Signal, or Keybase.

Are Google Drive shared links secure?

Google Drive links shared as 'Anyone with the link can view' are not secure for sensitive documents. The link can be forwarded, found in browser history, or indexed if someone publicly shares it. For sensitive documents on Google Drive, share only with specific people's email addresses (not general link sharing) and use expiring access. Google Workspace admins can prevent external sharing entirely. For truly confidential documents, Google Drive isn't the right tool — even properly restricted links can be accessed by Google itself for compliance or legal reasons.

What is end-to-end encryption for files?

End-to-end encryption means the file is encrypted before it leaves your device, remains encrypted in transit and storage, and can only be decrypted by the intended recipient. Even the service hosting the file cannot read its contents. Examples: ProtonDrive encrypts files with keys only you and your recipient hold. Keybase provides end-to-end encrypted file sharing. Bitwarden Send lets you create encrypted file links with optional password and expiration. The main limitation: both sender and recipient need to use a compatible service or the sender must share a decryption key through a separate secure channel.

How should I send someone a password or secret key?

Never in plaintext email or text message. Use a purpose-built secret sharing tool like One-Time Secret (onetimesecret.com), which creates a link that displays the secret once and then destroys it. Send the link through one channel (email) and tell the recipient the link exists through another channel (phone or text). If you must email a password, change it immediately after the recipient has logged in. Password manager sharing features (1Password, Bitwarden) are the most secure option for ongoing secret sharing with trusted recipients.

FreeToolKit Team

We build free browser-based tools and write practical guides that skip the fluff.

Tags:

security, privacy, file sharing, encryption