While convenient, many of the most well-known and popular cloud storage providers have direct access to your files – in some cases, third parties may have access to your files as well.
Encrypted cloud storage providers use zero-knowledge, end-to-end encryption to secure user data and to uphold their promises of respecting user privacy.
- Free tier (1GB)
- Supports MFA hardware keys
- Servers directly owned and operated by Proton
- Access to other Proton products
Proton is an encrypted cloud storage provider based in Switzerland.
According to Proton’s breakdown of their Drive security model, Proton Drive’s implementation encrypts files and file metadata, effectively keeping the server blind to its contents (or hints of its contents.)
Proton Drive’s end-to-end encryption works for sharing files and folders. For additional security when sharing files, users can choose to password protect files (by setting their own or using a randomly generated password) or set a file sharing link to expire; Proton cannot access shared content as the URL is not revealed to the server.
Proton’s Drive service has been audited, with audit results posted publicly.
According to Proton, their Drive service is also tamper-evident, using signatures to verify the authenticity of files and folders.
Proton Drive supports strong multifactor authentication (MFA) methods, such as time-based codes (TOTP) and hardware keys.
The free tier of Proton Drive grants users 1GB of storage. Apps are available for mobile platforms like Android and iOS. The platform and its clients are open-source.
Creation of a Proton account also grants users access to the free tiers of Proton Calendar, Proton VPN, and Proton Mail.
- Free tier (10GB)
- Anonymous registration possible
- IPFS integration
- Access to other Skiff products
Skiff is an encrypted cloud storage provider based in the United States.
Skiff Drive has the “standard” file linking and sharing features commonly expected of cloud storage providers; its security-oriented sharing features also include sharing expiration and file watermarking. Skiff’s implementation is end-to-end encrypted as documented in the Skiff Whitepaper.
According to Skiff’s whitepaper, Skiff’s link sharing model encrypts the URL from even its servers. Additionally, file metadata is encrypted and “hidden” from Skiff and others who are not the file owner or a shared party.
Skiff Drive supports strong MFA methods, such as TOTP to help secure
Skiff Drive can be configured to integrate with decentralized storage via the InterPlanetary FileSystem (IPFS).
The free tier of Skiff Drive grants users 10GB of storage, with a per-file upload limit of 50MB. Skiff Drive also offers apps for mobile platforms like Android and iOS; the platform and its clients are open-source.
Creation of a Skiff account also grants users access to the free tiers of Skiff Mail, Skiff Pages, and Skiff Calendar.
Skiff is also an avoidthehack recommended encrypted email provider.
- Free trial (10GB)
- Wide platform compatibility
- In-house infrastructure based in Germany
Filen is an encrypted cloud provider based in Germany.
Filen supports sharing files with both other Filen users and non-Filen users via public links. Public links can be set to expire or protected with a password (that must be pre-shared to intended recipients.) In either case (sharing with Filen or non-Filen users) sharing link URLs are hidden from Filen’s servers.
Filen supports TOTP for strong MFA. Its apps are open-source and support most platforms, including iOS and Android.
Filen offers a free trial with a storage limit of 10GB, which includes the unlimited bandwidth found in the paid plans.
Ente (photos and videos)
- Free trial (1GB/year)
- Wide platform compatibility
- Viable direct replacement for Google Photos
Ente is an encrypted photo and video cloud storage provider.
Ente’s implementation of end-to-end encryption on its platform is well documented on their architecture page. Your account has a master key, which doesn’t leave your device unencrypted and is required to begin the decryption (access) process for stored files.
Ente’s implementation also encrypts metadata, such as location EXIF data often attached to photos and videos taken with a GPS-enabled camera (ex: a smartphone.)
Additionally, Ente can automatically sync photos from the device to the cloud. This can be set to only complete when connected to a Wi-Fi network. The service syncs in the background, providing convenient functionality similar to iCloud Photos and Google Photos – however, large numbers of uploads might take some time.
Ente supports strong MFA methods like TOTP. Apps are available for most platforms, including mobile platforms like Android and iOS. The platform and its clients are open-source.
Ente offers a free trial of 1GB of storage for 365 days (1 year).
Cryptee (photos and videos)
- Free tier (100MB)
- Progressive web app (wide availability across platforms)
- Document editor
Cryptee is an encrypted storage provider with a focus on photos and videos based in Estonia. Cryptee also features a web-based and encrypted document editor.
Cryptee’s implementation encrypts files as well as file metadata prior to upload to the server. With the document editor, contents inside documents are also kept “hidden” from the server.
Cryptee does not have a dedicated mobile app found in any traditional app store. Rather, it is a progressive web app, which can be independently installed on all devices – including mobile operating systems like iOS and Android. Cryptee’s web client is open-source.
Cryptee offers 100MB of storage for its free tier.
Nextcloud is open-source client-server software for creating file hosting (cloud storage) on private servers controlled by the end-user (you). Self-hosting a Nextcloud storage server enables the user to truly take control of their data, metadata, and stored files.
Nextcloud GmbH provides a list of cloud storage providers using their platform. As of writing, listed Nextcloud providers provide free accounts ranging from 2GB to 5GB of storage.
In December 2022, Apple introduced an update to iDevices and iCloud that lets users enable Advanced Data Protection – which provides end-to-end encryption for most data and files synced to iCloud.
This is a definite “win” on both the privacy and security fronts for most Apple users – however, be aware that neither iCloud Mail, Contacts, nor Calendar events are end-to-end encrypted even with Advanced Data Protection successfully enabled.
Avoid The Hack features a detailed guide on enabling Advanced Data Protection in a separate post.
At minimum, to be listed on avoidthehack, secure cloud storage providers must:
Provide end-to-end encryption
End-to-end encryption provided should make the service’s server blind to what exactly is stored in a user’s account.
This helps prevent unwarranted file “scanning” by the service provider’s servers, metadata ingestion (a consequence to user privacy), and helps prevent third-party access to a user’s files. Implementations should encrypt data on the client-side prior to upload to the server.
Encryption should include file metadata as well; this helps prevent unwarranted data collection based on metadata.
Ideally, services listed here would have a whitepaper detailing their implementation and security model(s).
Minimal PII for registration/use
Additional personally identifiable information (PII) beyond what is requested at registration should not be a requirement for service use.
At most, for registration, an email address should be requested. Mobile phone numbers or required disclosure of other PII should not be mandatory for use.
Clients provided by secure cloud providers listed here must be free of [tracking technologies](/tools/tracker-blocking), including, but not limited to:
Open-source storage solutions promote transparency and leverage the global software development community for further development and feature additions; open-source also leverages the greater security and privacy communities to look for/report/test for vulnerabilities in the source code.
Offer strong MFA methods
At minimum, cloud storage providers should offer TOTP as an MFA method. Codes sent via SMS or email are not considered strong forms of MFA.
Ideally, the cloud storage provider would support the use of hardware keys like Librem, NitroKey, or YubiKey.
Easy deletion of account (and data)
While near impossible to ensure all data associated with a user’s account is erased, cloud storage providers listed here should make the process easy for users who wish to delete their account and account data.
Easy to understand pricing model
There should be a clear “pricing” page; pricing should be easy to understand for most users. Features for each pricing tier should be clearly outlined.
Ideally, encrypted cloud storage providers listed here would specify what happens if a user exceeds the storage allotment of their tier.
Traditional cloud storage providers are easy-to-use but hold the encryption keys for your files – which means they could access them or even share with a third party. Many traditional cloud storage providers also collect metadata – like EXIF data from photos and videos – for any number of purposes, ranging from tracking methods to training machine learning models.
With encrypted cloud storage providers implementing end-to-end encryption, user privacy (and security) is taken more seriously as the user no longer has to rely on a “promise.” Encrypted storage providers using end-to-end encryption ensure a more “private-by-default” approach to cloud storage solutions.
If none of these secure cloud providers live up to your expectations or your situation calls for reliance on more traditional cloud storage providers, then it’s highly suggested to look into encrypting your files prior to uploading them to the cloud. This is good advice for upload to any file service.
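As an added illustration of encrypting locally before upload (not code from this page or from any provider listed here), the Node.js sketch below derives a key from a passphrase with scrypt and encrypts both the file contents and the file name with AES-256-GCM, so the storage service only ever receives opaque blobs. The function names, record layout and sample values are assumptions made for the example.

```javascript
// Added example: encrypt a file and its name locally; only the record leaves the device.
const crypto = require('node:crypto');

// AES-256-GCM; blob layout (an assumption of this sketch): iv(12) | tag(16) | ciphertext.
function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12);               // fresh nonce for every blob
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(label));               // binds the blob to its role (name/body)
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key, blob, label) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(label));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the ciphertext, tag, label or key does not match
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// What the storage provider receives: a random salt plus two opaque blobs.
function encryptForUpload(passphrase, fileName, content) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32); // passphrase -> 256-bit key
  return {
    salt,
    name: seal(key, Buffer.from(fileName, 'utf8'), 'name'), // metadata is encrypted too
    body: seal(key, content, 'body'),
  };
}

// Runs on the user's device after download; the passphrase never leaves it.
function decryptAfterDownload(passphrase, record) {
  const key = crypto.scryptSync(passphrase, record.salt, 32);
  return {
    fileName: unseal(key, record.name, 'name').toString('utf8'),
    content: unseal(key, record.body, 'body'),
  };
}

// Constructed sample input, for illustration only.
const sample = encryptForUpload('correct horse battery staple', 'tax-2023.pdf',
  Buffer.from('constructed file contents'));
console.log(decryptAfterDownload('correct horse battery staple', sample).fileName);
```

Because GCM authenticates what it encrypts, a blob modified in storage fails to decrypt instead of yielding altered contents.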
With that said, stay safe out there!