← Blog
Cloud security5 min read

Why traditional clouds can still access your files

TLS, encryption at rest and SOC 2 reports do not prevent your provider from reading your files. Here is what actually does.

Try it in one click.

Three private surfaces. Same zero-knowledge architecture.

"Encrypted in transit and at rest" is not enough Most consumer cloud services describe themselves as encrypted. What they typically mean is: - TLS protects data while it travels between your device and their servers. - Disk-level encryption protects data while it sits on their storage.

Both of these are useful. Neither of them prevents the provider from reading your files. The keys to both layers belong to the provider.

Where plaintext lives in a traditional cloud - In RAM when files are processed for previews, search indexing, or AI features. - In any service that operates on your content (thumbnail generation, OCR, virus scanning, recommendation). - In backup pipelines. - In logs, if not carefully scrubbed.

What zero-knowledge changes A zero-knowledge architecture means the provider never receives plaintext. Files are sealed on the client and stored as ciphertext. Previews, search and sharing are designed to operate on encrypted material.

The practical consequence A subpoena delivered to a traditional cloud can return readable contents. The same subpoena delivered to a zero-knowledge service can only return ciphertext.

The architectural reason, not a policy choice When a traditional cloud receives a file, it is decrypted at the edge so the provider can index it, scan it, deduplicate it, generate previews and apply server-side features. The data sits readable on disk under provider-managed keys — usually KMS-managed, but still keys the provider controls. That is an architectural fact, not a privacy stance.

What "encrypted at rest" really protects Encryption at rest protects you from a stolen hard drive in a datacenter. It does not protect you from the provider itself, from a rogue employee with admin access, from a subpoena, or from an internal AI pipeline tagging your photos. Same key, same custodian.

The DRIVUNO inversion With zero-knowledge encryption before upload, the server never sees plaintext, never holds the key, and cannot fulfil a request to decrypt — not because of policy, but because the cryptographic material does not exist on its side. The change is structural, and it is the only honest answer to "can you read my files?".

Try it in one click.

Three private surfaces. Same zero-knowledge architecture.

Encrypted on your device · upload in 1 click
Upload