I echo BrowserUK's sentiment. Put another way "put your effort into protecting access to the files, not encrypting them". Using linux for an example, you can set the directory permission of the files to only allow read for the owner or group. The 'web-server SSL' user should be the owner. If a hacker can get access as the web-SSL user (or root), then you should be concentrating on improving access security, not download security. If this is a remote-FS issue, ie the web-server mounts the FS where these files reside, and security isn't as good on that file-server, fix the security there.
in reply to Re^4: Encrypt files on server and then decrypt when user downloads
in thread Encrypt files on server and then decrypt when user downloads