Best Free Encryption Utility for Cloud Storage


In a Hurry?
Go to details...  Go straight to the Quick Selection Guide

Most cloud storage services claim they "take every precaution" to keep your data secure. For example, most use encryption to make sure your files are secure in transit. They "have internal policies and controls" to ensure that employees don't access your files. But things do go horribly wrong.

For many cloud-storage users, privacy and robust encryption are top priorities. It is essential for data and documents to be encrypted before leaving their device, and it is essential that no other entities have their encryption key or any other way to gain clear-text access to their files.

On-the-fly encryption is the the most convenient way to protect your files in transit and in the cloud. That's where client-side products like SpiderOak, Tresorit, Sync and Cryptomator come in. Client-side on-the-fly encryption assures that your files never leave your computer in an unencrypted state. And your encryption key should never leave your computer.

Once it is properly set up, good client-side, on-the-fly encryption applications require no direct action by users. They and their client-side processes have fast, direct access to unencrypted files. But encryption adds complexity (things do go horribly wrong), and local backups are still important.

Common ways to implement on-the-fly, sometimes called transparent encryption

There are pitfalls and limitations in most systems for cloud-storage encryption. Perhaps you can spot them below, but this list might be best used as a reminder. Go learn more about these encryption methods in the Selecting an Encryption Method for Cloud Storage article and then come back here.

Type 1 = [Unencrypted folder] << >> [Integrated encryption & cloud sync] << >> [Cloud storage]

Examples: Tresorit | SpiderOak

Type 2 = [Virtual Drive - virtual clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

Examples: BoxCryptor | Cryptomator | Cloudifile | Viivo |

Type 3 = [User Folder - clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

Example: Cloudfogger

Type 4 = [Virtual drive - clear-text files are virtual only] << >> [Encryption] << >> [Encrypted volume - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

Examples: VeraCrypt | TrueCrypt (not recommended, see in Related Products and Information below)


Tresorit is a significant entry in the client-plus-cloud encryption arena. It includes integral free cloud storage (3 GB plan, expandable by completing a few "tutorial tasks", etc.). Tresorit provides seamless sync via the cloud, encrypted links for sharing, and secure collaboration. Tresorit operates under Swiss laws, and uses Irish and Dutch servers (no Patriot Act).

Tresorit uses Type 1 encryption (defined above in the Introduction), including its pros and cons. Files are unencrypted on all your synced devices, but are always encrypted for transmission and storage in the cloud. They describe the features of their system quite well. The Tresorit interface is well organized. They have an impressive analysis of why they doubt that Tresorit has been hacked. Being based in Switzerland doesn't hurt either. Tresorit may be the most secure way to encrypt files/folders for the cloud. ;)

Tresorit support is comprehensive and well written, and they have added tutorials for all platforms (look at the bottom of the left column of the interface). You should be able to easily figure out how to get Tresorit going.

I've been using Tresorit for my most sensitive data since September, 2013, and it has performed flawlessly. There is a sizable development team at Tresorit, and they are actively introducing new apps and features. For example, they have recently implemented file versioning, and a clever secure URL method for sharing individual files securely.

SpiderOak is not just an encryption program. It combines client-side encryption with 2 GB of free cloud storage (more storage is availale for a fee). In other words, you don't need a separate cloud-storage service. SpiderOak also provides sync between PCs and portable devices in addition to backup. In sum, SpiderOak provides encryption (Type 1 as defined above in the Introduction), backup, sync and storage space. Backup and sync can be automatic.

SpiderOak uses Type 1 encryption (defined above in the Introduction), including its pros and cons. Files are unencrypted on all your synced devices, but are always encrypted for transmission and storage in the cloud. You can use SpiderOak for as many folders as you like. Of course you can use up the free 2 GB pretty quickly, but it is inexpensive to get more. It is challenging to discover all the functions of SpiderOak intuitively, but they have excellent "getting started" guides and a users manual.

The SpiderOak statement on privacy and passwords is a good example of what you should look for to evaluate the security of any encryption service for cloud storage. In particular, be very leary of any service that offers password recovery. If there is a mechanism for password recovery, it is likely your data on the server is also accessible to a determined hacker or agency.

I used SpiderOak for some time, and I liked the way it worked. One thing to understand is that SpiderOak breaks files into blocks so that only the changed or added sections of files need to be stored. That way many versions of the file by just storing the incremental blocks. It offers fine-grain control of the backup/sync process, which helps you stay within the 2 GB of free storage. It's a bit tricky to use SpiderOak until you get used to how it processes backups and syncing.

Sync, a fairly new encrypted cloud service located in Canada (no Patriot act). It is similar to Tresorit and SpiderOak, providing sync, sharing and storage. You get 5 GB of free storage, along with software to sync files with the encrypted cloud storage (or, you can use the cloud interface associated with your account without installing anything). You might use up the free 5 GB pretty quickly, but 500 GB is surprisingly affordable.

Sync employs Type 1 encryption for the cloud (defined above in the Introduction), including its pros and cons. Files are not encrypted on your synced devices, but are always encrypted (2048 bit RSA, 256 bit AES, SSL and TLS) for transmission and storage in the cloud.

Sync has the most straightforward installation & cloud setup I've experienced. Every step of the process, including installing the software was perfectly clear and presented in a smooth flow. You can easily have Sync up and running in under three minutes. The process creates a special "Sync" folder on your device and your "web-panel" in the cloud. You can upload/download files directly from the cloud or work with them in the installed Sync folder.

Sync allows "selective sync" so that you can choose which folders are stored on each device. This lets you keep just the files you need on devices with limited storage. Sync also has a unique cloud management feature that sets it apart. They provide a "Vault" section in the cloud where you can copy or move any of your files or folders. These files are available from the cloud (only), which means none of them take up space on your devide(s). You can temporarily access just the ones you need at the time you need them.

Cryptomator is a new entry in this category of encryption for cloud storage. It is well matched to the needs of many of the readers of this article and most home users. One key design objective is security through simplicity. Cryptomator provides transparent (on-the-fly), client-side encryption for cloud storage. Cryptomator is free and open-source software, which assures that backdoors are unlikely.

Cryptomator is platform independent, and especially suitable for less technically experienced users. The user interface is very simple, and it is fairly easy to intuitively discover all the functions and options of Cryptomator. A FAQ and a rough version of a user manual already exist. They provide good help in getting started. The architecture is "Type 3" as discussed above in the Introduction.

Cryptomator is based on simple, clean, and straightforward architecture, which uses time-proven, standard encryption functions. It is open-source, which makes independent cryptographic review possible. Those factors, and the evident attention to detail and documentation by the developers lend a great deal to my confidence in the security of Cryptomator.

The developers consulted with university mathematicians and other encryption experts, and received extensive feedback from the encryption community in their quest to avoid and eliminate vulnerabilities. They recently received a CeBIT Innovation Award (from the German Federal Ministry of Education and Research and a sponsoring Partner) for their design.

Cloudfogger has a simple, clean user interface and is easy to work with. Cloudfogger is integrated with the file system so that many operations can be performed via context menus  in the file manager. For example, their "auto-fogg" feature allows you to encrypt/decrypt any file or folder (cloud connected or not) with a simple right-click.

Cloudfogger is a seasoned product. It can be used with a wide range of cloud storage services, e.g., Dropbox, OneDrive (you must disable Office collaboration though), and Google Drive. Optional password recovery and "emergency decryption app" options are available. There is a helpful manual and an informative FAQs for Cloudfogger.

They describe their encryption system at a high level: "Cloudfogger encrypts files with AES 256 Bit (Advanced Encryption Standard), an industry-grade encryption standard. Each file is encrypted with its own, unique AES Key that will be saved RSA encrypted within the file's header. ... User passwords are never transmitted to the Cloudfogger servers..."  Cloudfogger is a proprietary product so I have found little in way of authoritative independent vetting. One question for example, is not answered: Do the optional recovery features introduce accessible backdoors?

Cloudfogger uses a unique file-handling scheme. In effect they integrate the encryption process directly in the folders to be protected. Users work in what I'll call "encrypting folders". Those dual-function folders store and present unencrypted files to users but upload encrypted versions of the files to the cloud. This is similar to the way Tresorit works, but Tresorit integrates their encryption process with their own cloud storage servers. That's a critical difference. Read on.

In one way, the Cloudfogger scheme is great. It preserves the appearance of native file management for users. No confusing virtual drives or linked folders are required for file access by users. It's simplicity itself. But there's a dark side. If users add files to protected folders when Cloudfogger is not running the files will be uploaded in unencrypted form by the cloud service. That's right, they will not be encrypted in the cloud. Their approach is not as foolproof as Tresorit's method.

Cloudifile is a cloud encryption entry from an established organization. I applied my criteria for encryption software, and while it is relatively new I am comfortable including Cloudifile in this encryption category. Cloudifile is offered by Cloud Labs, which is a product spin-off of Apriorit. Apriorit has extensive experience in security projects that relate to a product like Cloudifile.

Here's how it works: Cloudifile creates a new folder in Dropbox, and encrypts and moves the files you want to store in the cloud to that Dropbox folder. It also creates a virtual drive where you can access the files (when you are logged in). Your local files are always encrypted at rest on your computer as well as in the cloud, but available in cleartext when you are logged in to Cloudifile. There is also a right-click context menu item for Windows Explorer that allows you to "Cloudify" any other files you want to encrypt and add to Dropbox.

BoxCryptor and Viivo both use a virtual-drive interface  that is linked to an ordinary folder. They encrypt a single folder, and augment it with the virtual-folder overlay to give cleartext access. With this approach, you work directly with an unencrypted local files, which is faster, but not as secure against local attack. Viivo is not open source, but it is a seasoned product offered by an encryption-centered enterprise.

Their two folder approach leaves users open to fatal mistakes. All files to be encrypted must be placed in the unencrypted local folder. or they will not be encrypted in the cloud-facing folder. Any files placed directly in the encrypted folder will not be encrypted. That could be hard to remember, and there is no warning or other indication of mistakes.

Related Products and Information

Cautionary Notes on Encryption

  1. Recent revelations about NSA crippling, or hacking encryption software are sobering if you store or transfer sensitive data via the internet. I would not suggest that it is prudent to trust any of the products listed here to protect your information from government agents or nation states, or determined cyber criminals.
  2. It still seems reasonable at this point to trust these products for protection from most hacker attacks.
  3. It is possible to inadvertently upload unencrypted files to cloud services using some of the solutions described here. See the notes under BoxCryptor and Viivo in the discussion below.
  4. Operating systems are messy: Echoes of your personal data -- swap files, temp files, hibernation files, erased files, browser artifacts, etc -- are likely to remain on any computer that you use. For example, when you encrypt and compress files, clear-text versions that existed before you compress/encrypt the file or clear-text copies that are created after you decrypt/decompress it may remain on your hard drive. It is not difficult to extract those echoes.
  5. Further advice about how to use encryption are discussed in Encryption is Not Enough, including what you need  beyond encryption to be sure your private data is not lost or exposed.

New encryption applications often appear when an individual reads up on applied cryptography, selects or devises an algorithm, maybe even a reliable open source one, and then implements a user interface, tests the program to make sure it works, and thinks he's done. They are not. Such a program is certain to harbor fatal flaws.

"Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure." --Bruce Schneier, in Security Pitfalls in Cryptography

Related Products

Quick Selection Guide


Gizmo's Freeware award as the best product in its class!

Combines a web service with a stand-alone program
Possibly the most secure choice of products listed here. A cloud storage account is included as part of the service. Tresorit has a clean, simple interface. Sync works quickly and well. Well written support documentation. You can recover previous versions of files. Has worked very reliably for me. Tresorit operates under Swiss laws, and uses Irish and Dutch servers (no Patriot Act).
The number of synced devices is limited to 3 for the free version. Local files are not encrypted (but it's highly unlike that they will be lost in processing).
9.3 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.


Combines a web service with a stand-alone program
Files are encrypted on your computer as well as in the cloud (Dropbox). Integrated nicely with Windows Explorer, so the interface is familiar. Sets everything up automatically during installation.
A recent entry, so little or no independent information about Cloudifile is available. Works only with Dropbox in the present version. Other cloud services will be available in future releases.
16.7 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.


Runs as a stand-alone program on a user's computer
Open-source, which makes independent cryptographic review possible. Simple user interface and discovering features and settings is fairly intuitive. Compatible with a wide range of cloud storage services. Fast sync with the cloud. The wide range of cloud provider choices enables choice of features, functions and price. Client-side files are always encrypted at rest.
The local folder that contains the encrypted files is an ordinary folder. If users place clear-text files directly in that folder instead of the virtual drive they will still be uploaded but will not be encrypted in the cloud.
55 MB
32 and 64 bit versions available
Open source freeware
There is no portable version of this product available.
OSX, Windows, Debian­based Linux (Ubuntu, Linux Mint, etc.), plus iPhone/iPad app (Android app in the works)


Combines a web service with a stand-alone program
Simple to install and simple to use. Clean and powerful with proven encryption. File versioning. Easily tailor what you want to sync and store on each of your devices. Sync and their servers are Located in Canada (no Patriot Act). Also has the "pluses" of Type 1 encryption as referenced in the Introduction section of this article.
The (minor) "minuses" of Type 1 encryption as referenced in the Introduction section of this article.
1.1.7 as of 2016-04-28
3.7 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.

Sync features. Concise but complete users manual. Quick video.

Windows, Mac OS X, plus Andriod and iOS apps


Combines a web service with a stand-alone program
SpiderOak provides 2 GB of free cloud storage, along with client-side encryption. More storage is available for a fee. You can select as many local files or folders as you'd like - within the storage limit- for backup and sync. Your files are remain unencrypted on your synced devices, but are always encrypted before transmission and in the cloud.
SpiderOak keeps previous versions of files you back up - which is good - but those versions count against your 2 GB allocation. Although you can delete old file versions, 2 GB could get to be a little tight eventually. The user interface is logical, but it's a bit complex to discover it all if you want to use more than basic options.
20 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.


Runs as a stand-alone program on a user's computer
On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security (256bit AES). Simple operation. Up to 5 encrypted folders for the free version. Works with most cloud sync/storage services. File sharing is provided too.
Fatal flaw: If files are added to protected folders when Cloudfogger is not running the unencrypted files will still be uploaded by the cloud service. They will not be encrypted there.
1.5.49 (as of 2016.03.15)
10 MB
32 bit but 64 bit compatible
Feature limited freeware
There is no portable version of this product available.
See the downloads page for links to mobile apps for Cloudfogger


Runs as a stand-alone program on a user's computer
On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security. Simple operation. For Windows, Mac, iPhone, iPad, and Android. Some users will find the virtual drive with an assigned letter convenient (but see Cons).
The file system interface could lead to confusion, with files left unencrypted in the cloud (see discussion above). Requires Microsoft .NET. Only one encrypted folder is allowed in the free version, and it is limited to 2 GB.
7.1 MB
32 bit but 64 bit compatible
Free for private use only
A portable version of this product is available from the developer.
Requires Microsoft .NET


Runs as a stand-alone program on a user's computer
On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security. Simple operation. For Windows, Mac, iPhone, iPad, and Android. Some users will find the virtual drive with an assigned letter convenient (but see Cons in the discussion).
The file system interface could lead to confusion, with files left unencrypted in the cloud (see discussion above). Supports Dropbox only at this time.
20.4 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.

This category is maintained by volunteer editor philip. Registered members can contact the editor with any comments or suggestions they might have by clicking here.


encrypt cloud storage file folder

Back to the top of the article.


Please rate this article: 

Your rating: None
Average: 4.5 (42 votes)


Which is more secure, Tresorit or

Tresorit is more seasoned, and it's what I use PoxyVX. I have no definitive basis for deciding which one is more secure. I just hope I've picked the right one.

I would like to be able to encrypt files before uploading them to a cloud service, without keeping a local copy. That is, I would like to be able to park files in an encrypted state on a web storage service of my choice, and not need to keep a copy on my hard drive. It would be amazing to be able to have an account with unlimited storage, like Amazon Drive, and just be able to upload files that I don't need to keep on my computer all the time, but may want to access again at some point. I'm envisioning a program that acts as a sort of middleman with one of these services - rather than having an encrypted folder on your hard drive and in the cloud storage, it would encrypt the file and upload it to the cloud storage. And also act as an interface to allow you to download the files again.

Is there any such program?

Not that I know of boombass. Microsoft may re-enable "placeholders" (web shortcuts) for OneDrive some day. Using placehoulders, you'd upload the file, but retain just the placeholder on your device. You'd simply download it if you needed it in the future. There maybe other cloud storage services that already do something similar.

One of the worst moves Microsoft made for Windows 10 was to removed OneDrive placeholders:

There is a kind of workaround creating a network drive to access OneDrive without having any files downloaded/off-line:

And I have heard that the OneDrive Windows Store App has placeholders but I haven't checked this myself.

I just signed up with . 5GB free plus 1GB bonus for doing five tasks. Website and/or app fully encrypted outside of your computer. Located in Canada since 2011. Don't lose your password - they don't have it and can't restore your files. Website is clean and fast. I am impressed.

Thanks for sharing this discovery DonsEars. I've started to vet/review this service, as it looks quite nice.

Phillip, You compare BoxCrytor and SafeMonk to Cloudfogger, but you never actually talk about Cloudfogger. Maybe you deleted it when editing or something? Hopefully, you have a backup. Also, I'm pretty interested in what you think about Cloudfogger. I just dropped AxCrypt do to the direction they are going and what I consider a very high price. I'm looking for a solution to replace it and Cloudfogger is high on my "maybe" list.

You can now read what I have to say about Cloudfogger. There is one big security concern, but if you just want to encrypt files locally and not upload them to the cloud it works fairly nicely because local encryption is integrated with the file system and you can do your encryption/unencryption with just a right-click in the native file-manager.
Turns out that Cloudfogger appeared to be moribund a couple of years ago. So I removed the bulk of references to Cloudfogger. Maybe it was just a case of a neglected website. They seem to have refreshed the website, and are continuing maintenance of Cloudfogger. So, back to work...
I'm on it DocFallingApart. Thanks for telling me Cloudfogger is missing. Yes I have been heavily editing this article, and I seem to remember not seeing Cloudfogger there myself. Probably lost my mental note. ;)

Wow! Nice update on the article. It's a huge help with finding the right solution for users with varying computer skills. You da MAN! Thanks!

hello all, TRESORIT is not free anymore, please update.
besides, thanks for all the worthfull information !

The free version still exists. MC - Site Manager.
"Do I have to pay to use Tresorit?
You can always switch to Tresorit Basic, offering 3GB of storage for free. You can share securely with a few people, but won't be able to set access permissions, manage other users or set policies. If you wish to start using Tresorit Basic for free, get started here".

I've fixed our link.

Well done MC :-) , but no way (for me) to find the link to this page.
So thank u for the direct one

I guess they wouldn't make the free option easy to find. :D On their main page, scroll down and click the "Pricing" link and then the free link is contained within the "Frequently asked questions" section lower down on that same page. MC - Site Manager.

Just checked out Tresorit, and their free storage is down to 3GB, not 5GB anymore.

Thanks FlyingHawk. Duly noted. Some free ways to increase storage to 5GB after you install Tresorit are still available though.

Wuala has announced they're shutting down. They are recommending that users switch to Tresorit, as they think Tresorit can take good care of their data. Tresorit has a tool to get your data out of Wuala and into Tresorit.

Based on several review sites, we chose Vivo for encryption of corporate files on Dropbox (about 200,000 files with 20 users).

There is no user guide for Vivo and there are 2 versions of the product. Responses by email from the company were minimal.

After two months of frustration and wasted labor hours, we gave up. The software may indeed be as good as the reviews indicate. Add in the costs of implementation since there is no user manual.

Who needs cloud storage if you have a NAS and BittorrentSync ?
You use BTSync to sync the encrypted folder with its content anywhere you go on any mobile or stationary device you use.

Thus far the only tools that can handle this requirement well are encfs (for linux/unix) and boxcryptor (for windows). Big problem I have with boxcryptor is that it's really slow and hogging my OS. Probably because it does all encryption and decryption on-the-fly in memory(?). It doesn't store the unencrypted files anywhere, it's just showing a virtual drive. That is to say, this works with Boxcryptor Classic. The new version is messy, puts your virtual folder one folder deep, I see no advantage in that 'feature' to be honest.

I used to use TrueCrypt, still unbeated in its footprint, don't know how they did that. The virtual drive-letter linked to a tc volume, and it was blazing fast (both directions), I used it with Firefox Portable and many other apps straight from encrypted volume. But it got larger and larger over time. I need one that can handle about 20 GB of space. This you just can't sync, such a volume doesn't even sync while in use (it's locked), so that was not workable for me.
By the way, Gostcrypt seems to be your best bet if you want the TrueCrypt options.

I'm really surprised by the fact that TrueCrypt is the only software capable of encrypting and decrypting with such low memory usage and practically no noticeable performance loss. NONE of the other packages allow me to have a virtual drive-letter open content that is always stored in encrypted state. The only ones that offer this are really slow and sluggish (that is encfs and boxcryptor), plus they have all kinds of security issues (filenames not encrypted, watermarking easy to find out what the key should be etc.)

If anyone has tips on this, let me know.
CryptSync does not work, it always leaves a stored unencrypted folder on my device when not in use, that's definitely NOT what I look for. I need something that leaves my btsynced storage folder always encrypted when my laptop gets stolen etc. except for when I access it as that virtual drive-letter using my passphrase.

Most people don't have a NAS.
CrypSync is the one I'm using. If you worry about local copies, just use TrueCrypt (now VeraCrypt may be more suitable) to encrypt your local hard drive/system.

Thank you for this wonderful article. It helps me a lot.

I'm glad it was helpful Richard.

You are welcome Mr. Philip. I am looking forward to more nice article on this subject. Thank you for your effort.

Warm regards,

Most of the suggestions require some sort of dependency on someone else. I prefer CryptSync to avoid dependencies.

I just attempted to download a file at Mega (one stored there for readers to download as an example in a how-to Android article).

It refused to function with three different browsers (Opera, Firefox and IE), saying that i needed to update to the latest versions.

I verified that my IE was up-to-date, updated Firefox and refused to "update" Opera (since i'm using the last version of what i consider to be the "real" Opera before they completely screwed up the UI and their bookmarks system).

Still, none of them worked - got the same message.

There was, however, a link (which i refused to even mouse over) offering to "update" your browser for you...

To Kahomono:
A very good link. TrueCrypt forever, as far as I am concerned.

Spideroak is fine until you reach the 2Gb limit.

then it gets stuck. It seems impossible to remove anything once you have stored it there and yet it opens and tries to keep updating itself with yoru data changes causing it to just hang.

Upgrading to the paid version would be ok if there were sensible upgrades like 5 or 10gb but the lowest available is 100Gb priced accordingly.