The best encrypted cloud storage

  • WeThePurple
  • Tools
  • 7 min read

What it really means for cloud files to be "encrypted", the difference between encryption at rest and end-to-end, and the honest trade-offs — with Proton Drive and pCloud.

Storing files in the cloud is convenient, but the word 'encrypted' on a provider's marketing page can mean very different things. Understanding which kind of encryption a service offers is the difference between files only you can read and files the provider — or anyone who compels it — can read too. It is worth getting that distinction right before you trust a service with anything sensitive.

Two kinds of cloud encryption

A close-up of rack-mounted SSD drives inside a data-centre storage array.

The most common form is encryption at rest, where the provider encrypts your files on its servers but also holds the keys. This protects your data if someone steals a hard drive from the data centre, but it does not protect it from the provider itself, from a rogue employee, or from a legal order compelling the provider to hand over readable copies. It is real protection against some threats and no protection against others.

End-to-end encryption, sometimes called zero-knowledge or client-side encryption, is the stronger model. Here your files are encrypted on your own device before they are uploaded, using a key the provider never sees. The provider stores only ciphertext it cannot read, so even it cannot access your files. The trade-off is that if you lose your password or recovery key, there is usually no way for the provider to recover your data — the property that protects you also means no one can rescue you.

Services that encrypt end-to-end

Several services offer genuine end-to-end encryption. Proton Drive, part of the Swiss-based Proton suite, encrypts files end-to-end by design. pCloud offers an optional client-side encryption feature, marketed as pCloud Crypto, for files placed in its encrypted folder. Tresorit and others target the same zero-knowledge model. The common thread is that the encryption happens on your device, not just on the provider's servers.

  • Encryption at rest: the provider holds the keys and can read your files
  • End-to-end / zero-knowledge: encrypted on your device, unreadable to the provider
  • Proton Drive (end-to-end by design) and pCloud Crypto (optional) are examples
  • Zero-knowledge means no password recovery — keep your key safe
  • Layer it: mainstream storage for ordinary files, encrypted for sensitive ones

Mainstream consumer services sit at a different point on the spectrum, and it is worth being honest about it. The big-name drives generally encrypt data in transit and at rest with keys they control, which is fine for convenience and for protecting against outside theft, but it is not end-to-end encryption. If your goal is that the provider cannot read your files, those services do not meet it by default, whatever the reassuring language suggests.

Choosing by what you're protecting

Choosing between models comes down to what you are protecting and how much recovery safety you want. For ordinary, non-sensitive files, convenient encryption-at-rest from a reliable provider is perfectly reasonable. For documents you genuinely need to keep private — financial records, identity documents, private writing — end-to-end encryption is the model that actually delivers the promise, provided you accept responsibility for your keys.

Whatever you choose, a few practical points apply. Keep a backup of your encryption password or recovery key somewhere safe, because with zero-knowledge services there is no reset. Remember that filenames and folder structure are sometimes less protected than file contents, depending on the service. And recognise that strong storage encryption stops protecting a file the moment you share a readable copy with someone else.


A layered, practical approach

It also helps to think about where your trust ultimately sits. With encryption at rest you are trusting the provider's honesty and its resistance to legal pressure; with end-to-end encryption you are trusting the math and your own key management instead. Neither removes trust entirely, but they place it in very different hands, and knowing which hands you prefer makes the choice between services much clearer.

A reasonable approach for most people is a layered one. Use convenient mainstream storage for the bulk of ordinary files where access and sharing matter most, and reserve an end-to-end encrypted service, or an encrypted folder, for the smaller set of documents that genuinely need to stay private. That way you get convenience where it helps and real confidentiality where it counts, without pretending one tool does everything.

If you want a single recommendation to start from, an end-to-end encrypted option like Proton Drive or an encrypted pCloud folder is the safer default for sensitive material, because the provider cannot read what you store. Build your habit around that for the files that matter, keep your recovery key safe, and you will have cloud storage whose privacy rests on cryptography rather than on a promise.
