Once you’ve got one of them set up, you can access your files from anywhere, and know that if something happens to your computer, you will quickly be able to recover all your important files. Editor’s Note: Guest author Heinrich Long is the editor behind Restore Privacy, a blog dedicated to inform about best online privacy practices, secure your electronic devices, unblock restricted content and defeat censorship. This is all great, but when you use these services, you are trusting them to keep your data secure and private. They encrypt your data, so it is secure while traveling across the internet and also secure while it is sitting on their servers. But because they encrypt your data for you, they can decrypt it if they so wish. Or if they are ordered to by the local government. Or if some powerful intelligence agency “convinces” them that it is in their best interest to do so. …What the world needs now is a cloud storage service that is not subject to uncontrolled access by intelligence agencies. —Mikko Hypponen Even if your government isn’t trying to get access to data stored in the cloud, hackers are. Hackers are constantly assaulting cloud storage systems of all types, looking to steal, well, whatever they can get their hands on. At Restore Privacy, our goal is to help you keep your private data secure. Everything else, such as how much free storage space a service offers, or how well it works with other software and services, is secondary. That’s why this guide focuses on what we call secure, privacy-first cloud storage.
What is secure cloud storage and why do you need it?
We consider secure cloud storage to be a cloud storage system where you, not anyone else, controls the keys used to encrypt and decrypt your data. If you control the encryption keys, the cloud storage service can’t decrypt your data, period. The government can demand it, some intelligence agency can insist on it, but it won’t matter. Only you can decrypt your data. Secure cloud storage services use a variety of techniques to protect your data. From storing your data in secure facilities with armed guards and biometric locks like something out of a spy movie, to using the latest and greatest encryption algorithms, they offer enhanced security over the big names in the cloud storage space. We’ve been busy reviewing secure cloud storage services to see which ones do the best job or protecting your precious data. This is what we’ve found…
The best cloud storage services
While we haven’t reviewed every cloud storage service that claims to be secure (there are dozens), we have done deep dives into the leading services. All technical considerations aside, you want a secure service that has the corporate backing and resources to be around for a while. So we ruled out most of the more obscure services for now. For 2022, here are our recommended secure cloud storage services that can protect your privacy in the current privacy-hostile environment. You’ll find a short summary of each service below, along with links to more in-depth reviews for all of them.
NordLocker
A versatile encryption and cloud storage system
NordLocker is an encryption service with cloud storage capabilities. If you want the maximum possible security for your data, this is an important distinction. Secure cloud storage services will encrypt your data whenever it is not at rest on your computer. They use zero knowledge encryption so that no one, not even them, can decrypt your data. But what about when the data is on your computer? What if someone gains physical access to your computer? The files on your computer are not encrypted. Someone with access to your device will have full access to your files as well. But NordLocker does things differently (see full review). You move the files and folders you want to protect into a special folder called a locker. Anything you put in the locker is encrypted automatically, and only accessible when NordLocker is unlocked. This means that your files can remain safely encrypted even when they are on your computer. NordLocker offers their own secure cloud storage for lockers. Their lockers are also compatible with any other cloud storage services. That’s big because it means you can store lockers in other cloud storage services, knowing that your data is safe regardless of which service you use. NordLocker is from the makers of NordVPN, a popular VPN service. They also offer NordPass, a secure password manager.
Tresorit
Best secure cloud storage solution
Tresorit was our pick for the best secure cloud storage service in 2021. It utilizes end-to-end (zero knowledge) encryption and offers a full set of features for businesses, teams, and individuals. The company stores your data in Ireland by default, but business accounts can select from several jurisdictions. A 2019 audit by Ernst & Young indicated that Tresorit is a trustworthy service. Tresorit offers business-oriented plans with tools for managing users and their data across the organization. The service is compliant with HIPAA, GDPR, FedRAMP, and numerous other data protection regulations, making it suitable for a wide range of corporate applications. Tresorit is a great choice for business users. Its value for individuals isn’t so clear. The free plan offered by the company is very limited, and the paid plans will probably be overkill, leaving you paying a high price for features you don’t need.
Sync.com
Zero-knowledge cloud storage based in Canada
Sync.com offers plans for individuals and enterprise users, but we think it is probably best for individual users. Their zero-knowledge infrastructure looks to be as secure as you can get, although they still haven’t published any third-party test results. If you only need a small amount of storage (5 GB), and don’t need a Linux sync client, their free plan could be ideal for you (see full review). Sync.com has both pros and cons when it comes to business use. It offers plans with unlimited storage and bandwidth, as well as several team-oriented features and compliance with industry standards such as HIPAA, GDPR, and PIPEDA. The biggest business drawback is the requirement to store all your data in Sync.com’s dedicated folder. This could result in incompatibilities with other crucial business apps and services.
Nextcloud
The best cloud storage for self-hosting
Nextcloud is different than the other services we’re recommending. First, it is a FOSS (Free and Open Source Software) system. As the name implies, it is free to use. And the fact that it is completely open source means that you can be reasonably confident that no one has done anything nasty in the code that would jeopardize the security and privacy of this service. Nextcloud is designed to allow you to store your data on your own secure servers, or on third-party servers. By hosting on your own servers, you can keep all your data safe inside the corporate firewall. By syncing to third-party servers, you can get up and running quickly while letting someone else handle the maintenance of your data servers. Nextcloud is also very versatile and expandable. One example of this is Nextcloud Hub which allows you and your team to share and collaborate on documents, send and receive email, manage your calendar, etc. on a fully on-premises solution. The ability to host Nextcloud on your own hardware is important, since Nextcloud’s end-to-end (E2E) encryption is not fully functional (as of writing). Even so, we see Nextcloud as a powerful, flexible, and free cloud storage solution with huge potential. Between the core product and the 100+ apps you can add to it, you can create anything from basic cloud storage to a complete environment for home or business use.
Mega
Consumer-oriented, zero-knowledge cloud storage
Mega is a popular secure cloud storage service that was on the news a lot a few years ago. Unlike some of its competitors, it provides desktop and mobile clients for every major OS. Mega features zero-knowledge, end-to-end encryption and a free plan that includes 15 GB of storage (boostable up to 50 GB) if you complete certain tasks. One potential drawback to this service is that it limits daily data transfer that can leave you waiting until the next day if you try to move too much data at once. Still, it is a strong choice for individual users. If you are looking for secure business storage, Mega looks less appealing. They do offer business plans with unlimited storage and transfer capacity, plus built-in chat, contacts, and file preview capabilities. But other services, including Tresorit and pCloud have stronger corporate offerings. In addition, New Zealand laws result in Mega’s ToS containing some troubling clauses you’ll want to study before naming this your secure corporate cloud storage service. When looking for the best cloud storage that is private and secure, you may have some questions. So let’s cover the basics.
Does the country where the company is located matter?
Yes, it does matter. National laws governing the storage and transmission of online data vary greatly. Some countries respect your online privacy more than others. Countries like Switzerland have strong data protection laws in place. Others, like the United States and the UK, have a bad record for protecting your privacy. Countries that don’t respect your privacy could well lean on your cloud storage provider to give them access to the data you have stored on the service. That said, the country a secure cloud storage service is located in matters less than it does for a regular cloud storage service. As discussed previously, a secure cloud storage service can’t decrypt your data. You control the encryption keys. Even if they are ordered to hand over your data to the authorities, or are hacked by a third party, they won’t be able to read your data. This doesn’t necessarily mean that the service knows nothing about your data. Depending on how any particular service works, they may still have access to:
Billing information (name and anything else you provide when registering) Metadata like when you log on or off the system, your IP address, and other personally identifiable information Who you share encrypted files with The names of files or folders containing your encrypted data
This means you need to think carefully about the threats you want to protect your data against and how the country it is located in affects those threats (your threat model) before choosing a service.
Does the country where my data is stored matter?
You need to be aware that the country your data is stored in is not always the same as the country your cloud storage service is located in. For example, Sync.com is based in Canada. It also stores your data there. Mega may store your data in their home country, New Zealand, or in unspecified European countries that “have an adequate level of protection under Article 45 of the GDPR,” with their decision on which location to use being based on your physical location. As with the country the service is based in, the country where your data is stored matters. Local laws govern the servers your data is stored on. Imagine that some hypothetical secure cloud service was headquartered in Switzerland, but they stored your data in China (perhaps the least privacy-friendly country in the world). China’s horrible privacy laws would apply to the servers containing your data, despite the company itself being under the privacy-friendly laws of Switzerland. Even though your data is protected by the encryption you control, all other things being equal, it makes sense to look for a service that is both based in, and stores your data in, a privacy friendly jurisdiction.
What is the best approach to data security for cloud storage?
There are three states we need to look at: your data in transit, your data at rest in the cloud, and your data at rest on your device. Data in transit is data that is moving between you (your computer, smartphone, or web browser) and the servers where it is stored. Data at rest is data physically stored somewhere.
Data in transit
Data in transit needs to be protected against anyone who manages to intercept it while it it traveling between you and the cloud servers. Most services use TLS/SSL encryption to secure data transmitted over the Internet. This encryption gets applied before your data begins to transit the Internet and is removed when your data arrives at its destination. Note that TLS/SSL only protects your data while it is in transit. Once your data arrives at its destination, the TLS/SSL encryption is removed. Unless the data is encrypted before the TLS/SSL is applied, the recipient will be able to read the data as soon as TLS/SSL is removed. This kind of encryption is strictly for protecting data in transit. We need some other encryption solution for data at rest.
Data at rest
Data that is at rest is data that is being stored somewhere. When you store your data with a cloud storage service, your data will be at rest in the service’s servers. For that data to be secure, it must be protected from unauthorized access. This protection can be physical and procedural: the servers are in a secure location, with no unauthorized persons allowed access to it. Many cloud storage services offer this type of security. The problem with this type of security is that you need to trust the cloud service to keep your data secure. If their security procedures fail, or if someone breaks into their secure location, your data could be exposed. Even if the service does everything perfectly, local authorities can force them to provide access to your data in defiance of company policy. A more secure solution to the data at rest situation is to encrypt the data before storing it on the cloud. That way, the only people who can read the data are the ones that know how to decrypt the data sitting on the server. This is typically done using AES-256 or some similarly powerful encryption algorithm. Combining TLS/SSL encryption for data in transit, with AES-256 or similar encryption of the data at rest, and that sounds like a complete encryption solution. But is it really?
Who holds the keys to your data?
The most convenient way to do things is to have the cloud storage service handle the encryption / decryption of your data. The TLS/SSL provides security for your data while in transit, and the encryption they apply once the data arrives protects it while on their servers. But you still have to count on the service to protect the security of your data. The most secure approach is for you to control the encryption keys for your data. You encrypt the data before it leaves your device using encryption keys that never leave your device. Then your device encrypts it again with TLS/SSL before sending it to the server. At the server end, they strip off the TLS/SSL encryption, and store your data, which is still protected with the encryption you control. We also need to talk about the security of data stored on your device. Many cloud storage services store you data in unencrypted form on your device. If someone gets access to your device, they get access to your data, too. One service that specifically addresses that problem is NordLocker. With NordLocker, your data is stored encrypted even on your own device. The only way to decrypt the data is to log into NordLocker. Storing the data encrypted at rest on your device provides an extra layer of security.
Why should I pay when I can get a free account?
There are several good reasons to pay for your secure cloud storage. They include:
Functional limitations – Free accounts never have all the capabilities of paid accounts. Usually you are limited in the amount of data you can store with a free account, the amount of data you can upload and download in a month, or you are limited in the amount of time you can use the free account. Support limitations – Most free accounts provide limited customer support. They often force you to ask questions or look for help in discussion forums where free users try to help each other. Limited features – Paid accounts frequently offer additional features that free users don’t have access to. File version tracking (or tracking for longer periods of time), enhanced security features like 2FA, and business-oriented features like onboarding and collaboration tools, are just a few of the features that you’ll only get with a paid account..
Whenever possible you should test a service using a free account. No point in spending money to then find out the service doesn’t meet your needs. But once you are sure it does meet your needs and if your data is important enough to need secure cloud storage, it is worth investing in a paid plan.
Should I use a VPN with my secure cloud storage service?
Short answer is yes. Secure cloud storage services protect your data from outsiders. But that doesn’t mean they won’t collect some personal data on you anyway. Many cloud storage services log information about your activities on their system. Things like when you log on, how long you stay logged on, along with your IP address. Gathering your personal data and tying it to your IP address can be useful for the service. But it offers no benefits for you and even some potential risks. If you use a VPN to connect to a secure cloud storage service, the service will record the IP address of a VPN server instead of your IP address. Since each VPN IP address is typically shared by tens or hundreds of users, it will go a long way toward protecting your privacy as you use the storage service.
This concludes our roundup of the best cloud storage services that do well with both privacy and security. They may not be as well-known or easy to use as Google Drive, or sync with third-party services the way OneDrive does. Those services are plenty useful and serve its purpose well, but the secure cloud storage providers we recommend in this guide offer enhanced security where your data may be the most valuable commodity you own.