The baseline alternative — Google Drive, Dropbox, iCloud (without Advanced Data Protection) — stores your files in a form the provider can read. They encrypt data at rest and in transit, but hold the keys themselves. This protects against external attackers breaking into their storage systems, but not against the provider reading your files, complying with data requests, or being compromised in a way that exposes plaintext.
End-to-end encrypted cloud storage uses a different model: your files are encrypted on your device before they're uploaded, with keys that the provider never holds. The server stores ciphertext it cannot read. The critical question is whether this property holds consistently, including for shared files, mobile clients, web browsers, and account recovery paths.
What Zero-Knowledge Architecture Actually Requires
For cloud storage to be genuinely zero-knowledge, three things must be true simultaneously:
- Key derivation happens on the client — your master key is derived from your passphrase locally via a function like PBKDF2 or Argon2. The passphrase itself never reaches the server; neither does the master key. Only a derived authentication credential does.
- File encryption happens on the client — your files are encrypted on your device before upload. The server receives only ciphertext.
- The web client is consistent — if you access the service via a browser, the encryption must still happen client-side. A web client that sends your password to the server and asks the server to decrypt your files is not zero-knowledge, regardless of what the marketing says.
A malicious or compromised web server can serve modified JavaScript to your browser that sends your passphrase or decrypted files to the server before you see them. Even genuinely zero-knowledge services have this attack surface for browser-based access. Native apps reduce — but don't eliminate — this risk by using code you've downloaded rather than code served on demand.
Proton Drive
Proton Drive uses end-to-end encryption with client-side key derivation. The master key is derived from your passphrase using bcrypt, and file keys are hierarchically encrypted under your master key. The cryptographic architecture uses OpenPGP, consistent with ProtonMail's approach, and the source code for the web client and mobile apps is available for review.
Proton has undergone independent security audits (SEC Consult audited their cryptographic implementation; the findings were published). The Swiss jurisdiction provides some legal distance from US and EU government data requests, though as noted in our ProtonMail analysis, Swiss legal process is not an absolute shield.
The sharing model uses encrypted shared links — recipients get a URL containing the decryption key. This means anyone with the link can decrypt the files, and the URL (including the key fragment) may be logged by intermediate systems. Proton allows password-protecting share links, which is worth enabling for sensitive content.
Tresorit
Tresorit is a business-focused E2EE storage provider headquartered in Switzerland. Its cryptographic model uses client-side AES-256 encryption with RSA-4096 for key wrapping. Keys are derived locally; Tresorit's servers store only encrypted data and encrypted key material.
Tresorit has been audited by Ernst & Young (the audit was focused on their zero-knowledge claims, though the full report is not publicly available). The service is designed primarily for enterprise compliance use cases — HIPAA, GDPR, and similar frameworks — and has a strong track record in regulated industries.
The trade-off: Tresorit is more expensive than alternatives and lacks some of the consumer-friendly features of Proton Drive. It does not offer a meaningful free tier. For organizations with compliance requirements and budget, it's a credible choice. For individuals, the price-to-feature ratio is harder to justify.
Filen
Filen is a newer, open-source E2EE storage service operated by a German company (Germany: GDPR jurisdiction). The client-side encryption uses AES-256-GCM with keys derived from the user's password via Argon2. The source code for all clients (web, desktop, mobile) is published on GitHub.
Filen has not yet undergone a comprehensive third-party cryptographic audit, which is a meaningful gap for a service making zero-knowledge claims. The open source code means the implementation can be reviewed, but community review is not a substitute for a professional cryptographic audit. The service is newer and has a smaller user base than alternatives — relevant for assessing long-term viability and the breadth of real-world security testing.
What Filen does well: pricing is competitive, the free tier is generous, and the architecture is technically sound from a code review perspective. For users who want to evaluate the cryptographic implementation themselves, the published source makes that possible.
MEGA
MEGA advertises end-to-end encryption and has done so since its founding. The architecture derives a master key from your password client-side (AES-128 via a custom key derivation), and file encryption happens before upload.
MEGA's privacy posture has complications. The service is headquartered in New Zealand and subject to New Zealand's intelligence-sharing obligations under the Five Eyes agreement. In 2022, MEGA was compelled to provide account data to a foreign government via New Zealand legal process. The content data was encrypted and not accessible, but account metadata was provided. This is the predictable behavior of any service operating under a real legal system.
MEGA's use of AES-128 (rather than AES-256) for key derivation has been criticized by cryptographers, though AES-128 remains computationally secure. Their web client has historically served JavaScript that performs encryption — the same web-client attack surface described above. The service has had security vulnerabilities disclosed by researchers in past years; their response to these disclosures has been mixed.
Comparison at a Glance
| Service | Open Source | Independent Audit | Jurisdiction | Key Derivation | Free Tier |
|---|---|---|---|---|---|
| Proton Drive | ✓ Clients | ✓ SEC Consult | Switzerland | bcrypt + OpenPGP | 1 GB |
| Tresorit | ✗ No | ~ EY (private) | Switzerland | AES-256 + RSA-4096 | None meaningful |
| Filen | ✓ All clients | ✗ Not yet | Germany (GDPR) | AES-256-GCM + Argon2 | 10 GB |
| MEGA | ~ Partial | ✗ No | New Zealand (Five Eyes) | AES-128 (custom) | 20 GB |
| Google Drive | ✗ No | N/A | USA | Provider holds keys | 15 GB |
What E2EE Cloud Storage Doesn't Protect
Even with genuine zero-knowledge encryption, several attack surfaces remain:
- Device compromise — if your laptop or phone is compromised, an attacker can read your files before they're encrypted or after they're decrypted. E2EE protects data in transit and at rest on the server; it doesn't protect a compromised endpoint.
- Filename and metadata — some services encrypt file contents but store filenames or directory structure in plaintext or in a separately accessible form. Check whether your service encrypts metadata, not just content.
- Shared link exposure — sharing a file creates a decryptable URL. If that URL is emailed, texted, or accessed via a browser that logs history, the sharing event creates exposure outside the encrypted storage system.
- Account recovery — services that offer password recovery must store enough information to recover access. If that information can be used to recover your encryption keys, zero-knowledge no longer fully holds. Understand your service's account recovery model before relying on it for sensitive content.
- Passphrase strength — all client-side key derivation systems are as strong as the passphrase used. A weak passphrase can be brute-forced offline if an attacker obtains the encrypted key material.
Zero-knowledge encryption shifts the trust question from the provider to your own device, passphrase, and key management hygiene. That's generally a better position — but it's not a free lunch.
Choosing Based on Threat Model
The right choice depends on what you're protecting against. For most individuals who want protection from corporate data harvesting and third-party legal requests, Proton Drive offers the best combination of audited cryptography, open source clients, and a usable free tier. For regulated enterprises, Tresorit's compliance focus and enterprise tooling are worth the price premium. For technically capable users who want to evaluate the code themselves and don't need a third-party audit label, Filen is worth considering.
For highly sensitive files — legal documents, source material, financial records — supplement cloud storage with local encryption. Encrypting a file with a strong passphrase via GPG or a tool like VeraCrypt before uploading it to any cloud service gives you defense in depth that doesn't depend on the provider's implementation being correct.