Cloud services like Dropbox, Google Drive, OneDrive, and iCloud store your data on servers that the provider has access to. Without additional encryption, this data can theoretically be viewed by employees, authorities, or in the event of a data breach.
The solution: encrypt files before uploading — then the provider is just an oblivious storage container.
Server-Side vs. Client-Side Encryption
| Encryption | By whom | Who can decrypt |
|---|---|---|
| Server-side (Standard) | Cloud provider | Provider + You |
| End-to-End | Partially by provider | Only you (sometimes) |
| Client-side (Cryptomator) | By you, locally | Only you |
Client-side encryption is the most secure option: only you hold the key.
Cryptomator – The Easiest Solution for All Cloud Services
Cryptomator is a free, open-source tool that creates an encrypted vault inside your cloud folder. Files are automatically encrypted when saved and decrypted when opened.
How it works:
- Cryptomator creates a vault folder (e.g., inside Dropbox)
- This folder contains only encrypted data (unreadable to Dropbox)
- Cryptomator opens the vault as a virtual drive
- You work with your files normally — encryption happens in the background
Setup:
- cryptomator.org → download for free on Windows/Mac/Linux
- "Create New Vault" → save inside your cloud folder
- Set a vault password → use the Password Generator: at least 20 characters
- Open the vault → mounted as a drive → store files normally
Compatible with: Dropbox, Google Drive, OneDrive, iCloud, Nextcloud, any cloud-synced folder
Boxcryptor – Alternative for Teams
Boxcryptor (now integrated into Dropbox) was a commercial alternative to Cryptomator, especially for teams and enterprise environments. For private users: Cryptomator is the better (and free) choice.
Which Cloud Services Offer Built-in Encryption?
| Service | Built-in E2E Encryption |
|---|---|
| Dropbox | No (server-side encrypted) |
| Google Drive | No (server-side encrypted) |
| OneDrive | No (except Personal Vault) |
| iCloud | Partially (opt-in Advanced Data Protection) |
| Proton Drive | Yes (end-to-end) |
| Tresorit | Yes (end-to-end, paid) |
Recommendation: Proton Drive for privacy-conscious users with a free E2E option.
Password for Your Encrypted Vault
The password for your Cryptomator vault is the only protection for your encrypted data. Choose a very strong password:
- At least 20 characters
- Generated with the Password Generator
- Stored securely in a password manager
Warning: If the vault password is forgotten, the data is permanently lost. Cryptomator has no master access.