🔑 Introduction
Imagine sealing a letter inside a locked safe before sending it — even if someone grabs it, they can’t read what’s inside.
That’s exactly what encryption brings to file transfers.
In the previous parts of this series, we’ve built a foundation for trustworthy file transfers:
- ✅ SHA-256 Checksums → detect accidental corruption.
- ✅ HMAC-SHA256 → ensure integrity + authenticity with a shared secret.
- ✅ Digital Signatures → verify authenticity using public/private keys. So far, we’ve made sure files can’t be tampered with or forged. But here’s the missing piece: what if someone intercepts the transfer and simply reads the file’s contents?
That’s where confidentiality comes in.
Think of it this way:
- AES encryption is like putting your file inside a bank vault — only someone with the right key can open it.
- Integrity checks act like a tamper-evident seal on that vault — if someone even tries to mess with it, you’ll know immediately.
In this part, we’ll explore AES (Advanced Encryption Standard) — a fast and secure encryption method — and show how to combine it with integrity checks so your files remain both private and trusted end-to-end.
What is AES? (The Friendly Version)
Think of AES (Advanced Encryption Standard) as a super-secure lockbox for your files.
When you put a file inside this lockbox, it scrambles everything into unreadable gibberish — so if someone intercepts it, all they see is nonsense.
The only way to open this lockbox is with the right secret key — just like a password. Without it, even the smartest hacker with the fastest computer would need billions of years to figure it out.
That’s why AES is trusted worldwide: it’s not only fast and efficient, but also virtually unbreakable for protecting sensitive information. From online banking to cloud storage to secure messaging apps, AES is everywhere behind the scenes keeping data safe.
In technical words
- AES (Advanced Encryption Standard) is a symmetric-key algorithm, meaning the same key is used for encryption and decryption.
- It’s fast, secure, and widely used in banking, cloud storage, and enterprise systems.
- Key sizes: 128, 192, or 256 bits. Most systems use AES-256 for stronger security.
How AES Fits in File Transfers
- Sender encrypts the file using AES with a secret key.
- The encrypted file is transmitted.
- Along with the encrypted file, the sender computes an integrity check (like HMAC-SHA256) of the ciphertext.
- Receiver decrypts using the same AES key and verifies the integrity before trusting the file.
This ensures:
- No one can read the file during transfer.
- No one can tamper with it undetected.
Python Sample Code
Encrypting a File
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
import os
def encrypt_file(file_path, encrypted_file_path, key, iv):
# Read File Data
with open(file_path, 'rb') as fin:
data = fin.read()
# Pad the Data (AES needs data in blocks)
padder = padding.PKCS7(128).padder() # 128-bit AES Block Size
padded_data = padder.update(data) + padder.finalize()
# Create AES Cipher in CBC Mode
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
# Encrypt the data
encrypted_data = encryptor.update(padded_data) + encryptor.finalize()
# Write IV + Encrypted Data to the Output File
with open(encrypted_file_path, 'wb') as fout:
fout.write(iv + encrypted_data)
print("Encrypted file saved to {}".format(encrypted_file_path))
if __name__ == '__main__':
# Generate a random AES key (256-bit for strong encryption)
key = os.urandom(32) # 32 bytes = 256-bits
# Generate a random Initialization Vector (IV) for CBC Mode
iv = os.urandom(16) # 16 bytes for AES Block Size
# Provide the Input File and Output File Paths
file_path = 'sample.txt'
output_file_path = 'sample.txt.enc'
encrypt_file(file_path, output_file_path, key, iv)
Key Notes:
- We generate a random 256-bit AES key and a 16-byte IV.
- The file data is padded so it fits into AES blocks.
- The IV is written at the start of the encrypted file — you’ll need it for decryption.
- The key must be stored securely (e.g., in a key vault, environment variable, or securely shared).
Decrypting a File
def decrypt_file(encrypted_file_path, output_file_path, key):
# Read IV + Encrypted Data
with open(encrypted_file_path, 'rb') as fin:
data = fin.read()
iv = data[:16] # First 16 bytes is IV
encrypted_data = data[16:]
# Create AES Cipher with the same Key and IV
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
decryptor = cipher.decryptor()
# Decrypt Data
decrypted_padded = decryptor.update(encrypted_data) + decryptor.finalize()
# Remove Padding
padder = padding.PKCS7(128).padder()
decrypted_data = padder.update(decrypted_padded) + padder.finalize()
# Write the Original File
with open(output_file_path, 'wb') as fout:
fout.write(decrypted_data)
print("Successfully decrypted file")
How it works:
- Encryption
- File → Pad → Encrypt (AES CBC) → Write [IV + Ciphertext].
- Decryption
- Read IV (first 16 bytes).
- Use same AES key + IV.
- Decrypt → Remove padding → Write original file.
Once the file is decrypted, the next step is ensuring integrity. There are multiple ways to do this — from simple hashes to advanced digital signatures. Curious to learn how?
Check out my earlier blog posts in this series on SHA-256, HMAC, and Digital Signatures to see these approaches in action.
Pros and Cons of AES in File Transfers
Pros:
- Strong confidentiality (keeps file content secret)
- Fast and efficient (especially on large files)
- Widely supported and trusted
Cons:
- Requires secure key exchange between sender & receiver
- Both systems must manage keys carefully (risk of compromise)
- Symmetric — not ideal for multi-party distribution without extra layers
Where is this useful?
Think of AES encryption with integrity checks as sending a locked vault with a tamper-proof seal:
- Internal file transfers within banks or enterprises → Just like how a bank moves money in armored trucks, files (like transaction records) need both protection (encryption) and proof that no one opened the truck on the way (integrity check).
- Healthcare systems exchanging patient data → Similar to how hospitals use sealed envelopes for sensitive test results, AES ensures the content stays private, while integrity checks prove nothing was swapped inside.
- Software distribution → Like buying a medicine bottle that’s shrink-wrapped: encryption protects the contents, while integrity ensures no one tampered with the medicine before it reached you.
- Government or defense communications → Comparable to sending secret orders in a locked briefcase with a wax seal; AES locks it tight, and integrity checks are the seal that shows whether it was broken.
In short, AES with integrity checks is valuable anywhere you need to keep files private AND prove they haven’t been altered.
Conclusion
With AES, we’ve taken a major leap: not only do we lock files away with encryption, but we also seal them with integrity checks so that tampering can’t go unnoticed. It’s like sending a package in a vault that only the receiver can open — and if someone tries to meddle with it, the broken seal tells the story.
But here’s the exciting part: this is just the beginning.
So far, we’ve built our security journey step by step — from basic checksums to HMAC secrets, then into the realm of digital signatures, and now AES-powered encryption with integrity. Each step has been a new layer of defense.
In the next stage, we’ll go beyond theory and start stitching these building blocks together — exploring end-to-end secure file transfer pipelines, hybrid encryption models, and how these approaches scale in real-world enterprise systems.
Stay tuned — because the real magic happens when all these pieces come together.
The sample codes can be found in my Github.
Top comments (0)