Best Encrypted Cloud Storage

The big cloud providers nearly all provide some level of encryption or offer it for an additional fee. Unfortunately, some enterprises have been embarrassed to read the small print on their cloud contracts following a data breach. Their cloud data was hacked, yet the cloud provider wasn’t to blame as the hack was due to how the data was sent to or retrieved from the cloud. 

Clearly, there are blurred lines when it comes to cloud encryption and cloud data protection in general. That’s why enterprises are being advised that it is up to them to protect data that is being sent to the cloud. 

A number of services and tools have sprung up to serve this market. Some cloud providers, too, offer such services. The best defense is end-to-end encryption whether data is at rest, in transit, or in the cloud. 

Key Cloud Encryption Features 

Here are some of the key features to review when choosing a cloud encryption vendor:  

  • Encryption: Check the type of encryption on offer to determine whether it is the strongest available. Hackers are using tools that can rapidly crack some kinds of encryption. Stay one step ahead by using good encryption. That should at least be AES 256-bit encryption for data at rest and AES 128-bit encryption for data in transit. 
  • Breadth of protection: Some cloud providers say they use encryption, but it applies only to data once it arrives in their cloud. That is rarely enough. Hackers can intercept data en route or while it awaits transfer to the cloud. Opt for end-to-end encryption. 
  • It may be wise to broaden encryption usage throughout the enterprise. If you are paying to protect data going to the cloud, check what would be involved in extending those encryption capabilities to anywhere else you may need them. 

Encrypted Cloud Vendor Selection Tips 

Here are a few tips in choosing a cloud encryption vendor: 

  • Check the small print. You may think you are fully protected, yet may not be. Check with your cloud provider to confirm what coverage you actually have, what holes there might be, and what that provider proposes to do about it. 
  • Evaluate providers that offer end-to-end encryption to see what they can do to fully protect your cloud resources. 
  • Compare the costs between an external vendor and your regular cloud vendor as well as the thoroughness of protection. 
  • Some services are via subscription, others are via purchase of software. Due diligence on annual costs is recommended. 
  • Remember that the financial repercussions of one breach will dwarf what you are likely to spend on encryption. 
  • Watch out for privacy small print. Some of the big providers have become embroiled in privacy flaps. The employees of some cloud providers are said to be able to access files stored on their servers. You want to retain total control of your data and its metadata. 

Top Cloud Encryption Vendors 

Enterprise Storage Forum reviewed the various vendors in this field. Here are our top picks in no particular order: 


Boxcryptor is easy-to-use encryption software optimized for the cloud. It allows the secure use of cloud storage services without interrupting the user’s usual workflow. Boxcryptor encrypts files client-side on a zero-knowledge basis before they are synchronized to the cloud. Therefore, users can be sure that no one but authorized persons can access their data.

Key Differentiators 

  • Boxcryptor creates a virtual drive on the user’s computer that allows them to encrypt their files locally before uploading them to their clouds of choice. Users can encrypt individual files or folders. Any file dropped into an encrypted folder within the Boxcryptor drive will be encrypted automatically before it is synced to the cloud.
  • Boxcryptor supports more than 30 cloud providers as well as Microsoft Teams, NAS, Fileserver, external storage devices, and local data.
  • Companies can protect their sensitive data with the highest end-to-end encryption standards AES-256 and RSA-4096.
  • The Boxcryptor App can be used on desktop (Windows and macOS) as well as on smartphones (Android and iOS).
  • Zero-knowledge end-to-end encryption, so neither unauthorized third parties nor the cloud provider can access data.
  • Single sign-on and user provisioning included.  
  • Reliable encryption for multiple cloud providers/storages: Companies can separate the encryption of their data from the actual storage location and can use one encryption solution to protect files on all storage. 

Over 1.7 million individuals and businesses worldwide use Sync. It provides tools to store information securely in the cloud and access it from the office, from home, or anywhere else. It includes privacy-protection features and encryption technology to protect sensitive information from unauthorized access.  

Key Differentiators

  • Protects privacy (only you have access to your data).
  • Allows sharing folders of any size.  
  • Includes file sync and sharing features. 
  • Sync positions itself as a secure Dropbox alternative with encryption built in. 
  • 100% private cloud with end-to-end encryption. 
  • No tracking of personal data.
  • Global data privacy compliance (USA-HIPAA, EU, UK, CAN-PIPEDA).


Baffle’s Data Protection Services (DPS) protects data from any source to any destination as it moves from on-premise to cloud or between cloud-native services. It functions as an invisible data security mesh that safeguards data values and only reveals them to authorized data accesses. Data staged in cloud data lakes lives in a de-identified state to ensure data privacy. 

Key Differentiators 

  • As data gets consumed into data warehouses and analytics environments, Baffle selectively enables access to data and allows the re-identification of data per role and per policy.  
  • Protects information as it is ingested into the cloud and then shared and consumed securely by applications.  
  • With a no-code, simple-to-deploy security mesh, Baffle protects sensitive data at cloud scale with no performance impact on the customer experience.
  • Cloud-native for Snowflake, Amazon AWS, Microsoft Azure, Google Compute Platform, and IBM Cloud.
  • Proven in large-scale environments (15B+ records).  
  • Policy-driven de-identification supporting masking, tokenization, field- or record-level encryption, and on-demand data shredding.
  • Supports AWS RDS and Aurora MySQL, PostgreSQL, MariaDB, Azure SQL, AWS Redshift, and Snowflake data stores.
  • Supports bring-your-own key (BYOK) and hold-your-own-key (HYOK) requirements.
  • Integrates with AWS KMS, Azure Key Vault, IBM Key Protect, Hashicorp Vault and Thales Enterprise Key Management.
  • One-click, continuous secure cloud data migration with interoperability with AWS DMS, HVR, and Qlik Data Integration Platform (Attunity) migration solutions.
  • Safeguards against intentional or inadvertent misconfigurations and unauthorized access.


Egnyte goes beyond cloud data encryption to offer external and internal threat protection, compliance proof and audit, remote work protection, controlled sharing and workflows, cloud migration, user access, and data security. 

Key Differentiators 

  • Identity-aware, controlled access and sharing.
  • Access company files via secure web, desktop, tablet, and mobile apps, as well as when working within third-party cloud services like Slack, Salesforce, Gmail, and Teams. 
  • Co-edit Microsoft Word, PowerPoint, and Excel files using the respective desktop apps and store them alongside other files. 
  • Share files easily and securely while monitoring and controlling future downstream data use or resharing. 
  • Manage appropriate access to unstructured data based on role, location, and security tags. 
  • Granular, person-level folder and file permissions. 
  • Automatically move large files in active usage to the edge for better performance.
  • Retain and delete files according to global policies, including company-, vertical-, and content-type specific settings.
  • Identify and permanently purge redundant, obsolete, and trivial data with minimal admin intervention. 
  • Restore files and versions that have been mistakenly deleted by end users.
  • Sensitive content discovery provides visibility across cloud repositories and apps, device storage, and on-prem file shares.
  • Behavioral analytics monitors viewing, uploading, editing, sharing, and deletion.
  • Anomaly detection and alerting to reduce insider threat risk. 
  • Automated ransomware detection and workflows. 


Tresorit is a Swiss, end-to-end encrypted, zero-knowledge content collaboration platform designed to safeguard data. It offers a secure place in the cloud to store, sync, and share files within an organization and with external partners.

Key Differentiators

  • Encrypts every file on devices with randomly generated encryption keys. Accessing files is only possible with a user’s decryption key.
  • Encrypts relevant file metadata. 
  • Keys are never sent to Tresorit servers in an unencrypted format. 
  • Uses an authentication scheme in which a password never leaves its device, keeping the user in control.
  • Uses public key cryptography based on RSA-4096 with OAEP padding scheme and PKI certificates, combining it with a tree of symmetric keys.
  • A file’s content cannot be modified without user knowledge, even if somebody hacks the system. 


SpiderOak CrossClave is designed for organizations with exacting security needs and collaborative teams, providing security and trust for valuable information. It enables users to share any file type, chat with any team member, or call each other securely.

Key Differentiators 

  • SpiderOak’s blockchain-secured products replace many of the insecure apps already in use.
  • Combines security, speed, and ease of access.
  • CrossClave’s design removes the network and the server as vulnerabilities. 
  • Plain text is only ever available to the endpoints of the system. 
  • Protect Intellectual Property by leveraging secure distributed data enclaves for the safe exchange and use of digital intellectual property where and when it is needed.
  • Roles and access controls can be determined by policy or adjusted manually on an as-needed basis.
  • CrossClave leverages zero-knowledge encryption and distributed-ledger capabilities to extend protection to remote work.
  • Encrypts everything using NSA CNSAS cryptography. Keys to ciphers are held only by endpoints with a need to know.
  • Create compartments that are cryptographically kept separate. 
  • Policy engine closes loopholes in authority and permission schemes. 


pCloud Drive makes it possible to save files and access them anywhere, as well as send, receive, and collaborate securely with the highest level of encryption with pCloud Crypto. Its client-side encryption safely hides data from unauthorized access. 

Key Differentiators

  • Encrypts data on user’s computer and uploads only the encrypted version to the servers. 
  • Files never leave user’s device. 
  • Zero-knowledge privacy means that encryption keys are not uploaded or stored on pCloud servers.
  • Offers both encrypted and non-encrypted folders in the same account. 
  • Uses 4096-bit RSA for users’ private keys and 256-bit AES for per-file and per-folder keys. 
  • Authentication is done by calculating cryptographic hash of the data during encryption and decryption and comparing the results. 


Icedrive software allows users to access and manage cloud storage space as if it were a physical hard disk or USB stick directly in the operating system. Its intelligent cache control operations eliminate the need to wait for a cloud to sync. It uses the Twofish algorithm, which is widely accepted by cryptographers as a more secure solution than AES.

Key Differentiators 

  • Icedrive is the only encrypted cloud storage solution to use the Twofish algorithm. 
  • Everything, including file and folder names, gets encrypted on the device before it hits the Icedrive secure cloud. 
  • No sensitive data can be intercepted, leaked, or deciphered.
  • Uses the AES algorithm and 256-bit keys using an encryption passphrase. 
  • Each encrypted chunk of a file gets individually uploaded to secure servers and double-encrypted in transit over HTTPS.

Drew Robb
Drew Robb is a contributing writer for Datamation, Enterprise Storage Forum, eSecurity Planet, Channel Insider, and eWeek. He has been reporting on all areas of IT for more than 25 years. He has a degree from the University of Strathclyde UK (USUK), and lives in the Tampa Bay area of Florida.
