SecurityHow ExpanDrive handles your data

Security at the desktop layer, done right.

TLS in transit. Credentials in the OS keychain, never on disk in plaintext. OAuth flows that run end-to-end through your provider — ExpanDrive never sees your password. The desktop tool sits between your machine and your cloud, and we built it so the cloud's security posture is the security posture.

Upgrade if you're running an older version of ExpanDrive

When Files.com took over engineering and support for ExpanDrive during the 2024-2025 transition, we identified serious security issues in older versions of the software. The current release on every supported platform fixes them. If you are on an older ExpanDrive build, upgrade now download the latest version and reinstall.

ExpanDrive is free for personal use and free for teams up to 10 users on the current release. If you need ExpanDrive Server Edition, or you have more than 10 users or devices in your company, the upgrade requires a Business or Enterprise subscription. The free tier still covers individuals and small teams. Either way, get on the current build.

— The three pillars

Encryption, credentials, identity. Done the boring way.

ExpanDrive is a desktop tool. The security work is making sure the tool doesn't introduce new risk between your machine and the cloud — that the cloud's security posture is what you get. Three things matter most.

TLS in transit.

Every connection ExpanDrive makes — to Amazon S3, to Google Drive, to OneDrive, to SharePoint, to any SFTP / WebDAV / FTPS endpoint — runs over TLS. Connections to the cloud provider are encrypted by the protocol, and ExpanDrive uses the provider's native API endpoints with their certificate-pinned chains. We don't terminate or proxy traffic through our infrastructure.

Credentials live in the OS keychain.

Passwords, SSH keys, and OAuth tokens are stored on your machine — in the macOS Keychain, the Windows Credential Vault, or the equivalent system credential store on Linux. They are never written to a plaintext file on disk, and they are never transmitted to ExpanDrive's servers. The credential store is the same hardened OS facility that holds your browser passwords and your iCloud / Microsoft account tokens.

OAuth: we never see your password.

For Google Drive, OneDrive, SharePoint, Box, Dropbox, and other modern providers, ExpanDrive uses OAuth 2.0. An embedded browser connects you directly to the provider's own sign-in page. You authenticate with the provider, the provider issues a scoped token to ExpanDrive, and the token lands in your OS keychain. The ExpanDrive app never sees your password, and your MFA / SSO flows (Okta, Entra ID, ADFS, Duo, Google Workspace SSO) run end-to-end with no special configuration on our side.

— The exception

Plain FTP is not encrypted. Use FTPS or SFTP instead.

ExpanDrive supports plain FTP because some legacy partner endpoints still require it. If your server speaks anything else, use it.

Plain FTP transmits credentials and file content in the clear. The protocol predates TLS by a decade and there is no in-band way to encrypt it. ExpanDrive uses FTP as the server requires — if the server supports FTPS (FTP over TLS) or SFTP (SSH transport), those are the right configurations for anything sensitive. The Files.com SFTP integration page covers how to set up SFTP correctly, including key-based auth and SSH agent forwarding.

If you have to use plain FTP — because a partner's server requires it — run it over a VPN or other transport-layer encryption. Don't put a plain-FTP endpoint on the public internet for anything you wouldn't put on a postcard.

— Common questions

Security questions we hear a lot.

Credential storage, OAuth, Server Edition, and what to do if you're on an old build.

No. ExpanDrive 7 stores all credentials on your local machine in the OS keychain (macOS Keychain, Windows Credential Vault, or the system credential store on Linux). We don't have a server-side credential store, and we don't transmit your passwords or OAuth tokens off your device. A future web client (planned for 2026) will change this for the web-only path; when it ships, we'll provide clear notice and the desktop app's local-credential model will remain available.

ExpanDrive is built by Files.com.

The cloud connectors mounting your drive on macOS, Windows, and Linux are the same ones that run on Files.com's high-performance cloud File Orchestration Platform — used by 4,000+ businesses including Equifax, Rag & Bone, Cognizant, and Michelin, where petabytes of data move every month.

Visit Files.com

On the current build? Stay there.

ExpanDrive 7 is the current release line. Free for personal use, free for teams up to 10 users. Upgrade older versions if you haven't already.

Download the latest versionSee pricing