SSH encrypts all data that goes from the client to the server. Encryption can be disabled but it is not recommended.

The SSH specification allows, at the preference of both server and client to select an algorithm among a list of several supported ones. The specification marks some algorithms as 'required' to insure that any client can connect to any server.

Examples of encryption algorithm names for SSH are 'aes128-cbc', '3des-cbc'.

The currently active algorithm is the one that was negotiated between the client and the server during Connect(). That negociation is part of what is called 'key exchange'.

While the value should remain constant throughout the entire connection, it might change during what is called 'key re-exchange'. This usually happens after 1GB of data is exchanged or after each hour of connection time, whichever comes sooner. Typically, even after key re-exchange, the encryption and other parameters remain the same unless the configuration was changed on the server or on the SSHClient object.

If the client is not connected, the value is an empty string.

.NET: net5.0, net5.0-windows, net6.0, net6.0-macos, net6.0-windows, net7.0, net7.0-macos, net7.0-windows, net8.0, net8.0-browser, net8.0-macos, net8.0-windows, net9.0, net9.0-browser, net9.0-macos, net9.0-windows, net10.0, net10.0-browser, net10.0-macos, net10.0-windows.

.NET Standard: netstandard2.0, netstandard2.1

.NET Framework: net20, net35, net40, net403, net45, net451, net452, net46, net461, net462, net463, net47, net471, net472, net48, net481.

Reference

SSHClient Class
SSHClient Members