A direct answer to a question most users never ask: in a traditional cloud, the provider can technically read your files. Here is exactly why — and what changes with zero-knowledge.
Try it in one click.
Three private surfaces. Same zero-knowledge architecture.
The short answer
In a traditional cloud, yes — the provider can technically read your files. Not necessarily routinely, and not necessarily by a human, but the architecture allows it. In a zero-knowledge cloud, no — the provider holds only ciphertext and has no decryption path.
Why traditional clouds can
- They hold the encryption keys for data at rest.
- They run server-side features that operate on plaintext: previews, search indexing, OCR, virus scanning, AI features.
- They have support and administrative tools that can access account contents under defined conditions.
- They can be compelled by legal process to disclose plaintext content.
Why zero-knowledge clouds cannot
- Encryption keys are derived on the user's device from a password the provider never sees.
- Files are encrypted on the device before upload.
- Servers store only ciphertext and minimal metadata.
- Sharing is implemented via recipient-keyed envelopes, not server-readable links.
A quick mental model
A traditional cloud is a hotel: the staff have master keys, and trust depends on policy and behaviour. A zero-knowledge cloud is a safe deposit box where you hold the only key: the staff can move the box, but they cannot open it.
What this implies for you
- For everyday, non-sensitive files, a traditional cloud is fine.
- For sensitive personal documents, NDA-bound work, identity papers and family archives, a zero-knowledge vault is the appropriate place.
The honest answer for traditional cloud
Yes. Architecturally, providers like Google, Microsoft, Apple and Dropbox hold the keys that decrypt your files. They publish responsible policies about *when* they will read them, but the *ability* to read is built in. That ability is what gets exercised by automated scanners, support tools, subpoenas, and — occasionally — by mistake.
The honest answer for zero-knowledge cloud
No. Not because of a promise, but because the keys do not exist on the server side. There is no decryption path to exercise.
How to test a vendor
Ask: "If I forget my password, can you recover my files?" If the answer is yes, they hold the keys. If the answer is "no, but here is a recovery key you generated locally", they don't. DRIVUNO's answer is the second one.
Try it in one click.
Three private surfaces. Same zero-knowledge architecture.