Drime Cloud falsely advertises “zero-knowledge” encryption

I understand people and companies make mistakes, but you can get an idea about company honesty when you see how they manage it.

Yesterday on Reddit they said:

Screenshot From 2025-11-22 17-40-55

but you can see many Google results show ZK header:

they even have a blog post:
drime.cloud/blog-posts/5-best-end-to-end-encrypted-cloud-storage-that-keeps-your-data-private-in-2025

where they say:

“For users with highly sensitive information, Drime Vault provides zero-knowledge, end-to-end encryption where files are encrypted on your device before upload.”

… so yet again they lie. It’s not just “old marketing header”. They were consistently using zero-knowledge encryption.

If I were them, I would simply acknowledge that a mistake was made and try to fix it ASAP.

Instead they blame the author of these findings: “document you shared contains several inaccuracies”, “we have already contacted author … but never received a reply”.

I guess they’re trying to sweep it under the rug, so they can preserve a nice image and lure even more people into Black Friday Lifetime plans.
The question is how long they will last when they run out of money from the initial Lifetime funding - they sell it way below operating costs, it’s not sustainable. They will need to keep selling new Lifetime plans to keep the lights on, but that’s even less sustainable.

1 Like

I like the clarification that they’ve addressed the zero-knowledge question before, though they only started saying it after my post.

To anyone from the Drime team reading this, I’d genuinely like to see the detailed response you mentioned sending me. It’s possible it got lost in my inbox, so if you could resend it to sylphie@tuta.io, I’d really appreciate it. Thanks!

Well, thumbs up to you for having the patience to talk with them.

Two more examples of their lie: “There was an old marketing header that caused confusion, it was corrected as soon as it was reported.”

I think it’s more than just a marketing header if they have plenty of pages that explicitly mention how zero-knowledge they are.

I believe it makes sense to stash versions here, as with their approach, they will edit pages and later make a fool of you.

and one more: drime.cloud/blog-posts/7-most-secure-end-to-end-encrypted-cloud-storage-services-tested-in-2025

“Drime offers its “Vault” feature—a fully end-to-end encrypted storage area with zero-knowledge architecture.”

except that their Reddit post says: “For now, Drime Vault offers end to end encryption, but it is not zero knowledge. We have said this many times

====

This gives many users the right to withdraw from the agreement and ⚠️ ask for their money to be returned ⚠️, as clearly they were misled by their catchy marketing.

I wouldn’t be surprised if some users decide to report them to SignalConso, a public service for consumers. In Europe there are pretty strong consumer rights.

3 Likes

For anyone that would like to build their own Drime-like company and sell “zero-knowledge” lifetime plans for $$, you can get the exact PHP script that they use:
https://codecanyon.net/item/bedrive-file-sharing-and-cloud-storage/12700384

There is actually a promotion right now where you can get it for just $29.

On a serious note, this might invite other technical people to actually review their code and find some security shortcomings.

1 Like

I didn’t know about this ‘BeDrive’ but Drime seems to match ~95-98% of the backend code from BeDrive, except for the vault, which BeDrive doesn’t have

BeDrive(with the blue bg) > Drime

So they basically bought a $29 file-hosting script, bolted a ‘Vault’ feature on top of it, and slapped a ‘Military-Grade Security’ and ‘Zero-knowledge’ label on the homepage

They’re trying to call their code secure when their entire core foundation was bought off CodeCanyon and was never architected for privacy, also explains why the metadata was in plaintext.

This is deceptive marketing at its finest, no Drime, this isn’t military grade security, just a $29 template.

And don’t even get me started on the ‘Vault’ which is just a UI gate(using the check hash sent by the server), since the server holds the encryption keys, they can decrypt your files at any time. Whether it’s a warrant or just a random admin getting curious, they can access everything at will. Real privacy means you hold the keys, not the company.

5 Likes

also for the funsies, the file id hash is encoded with plain base64
and guess who has this exact code? you guessed it, bedrive!


(the orange text is the hash directly from drime)
MzQ0NDZ8cGFkZA > 34446|padd

all the code does is add the characters ‘|padding’ at the end until it reaches 10 characters, if it’s at 10 characters already, it adds 0 padding. this isn’t encryption, it’s a PHP homework assignment

the ’34446’ number is probably how many files there have ever been uploaded*(I mistakenly said it’s the amount they’re hosting right now, it’s not)* inside of their ‘Vault’ since that’s where I made the request in(also outside vault it’s 482,280,015 files, which seems to be inflated, i’d say the real count is probably 2,280,015 files if they manually set it to 480m, because they only have 19k users at the moment, and it’s practically impossible for only 19k users to upload 482m files)

so 34k files in the vault, not bad drime!

seems like security(and honesty) is really taken seriously over there!

EDIT: I have updated Analysis of Drime Cloud's E2EE and Zero-Knowledge Claims with part 2 & a message to the Drime founder as well

3 Likes
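The ID scheme described in the post above, written out as an added example (not BeDrive's or Drime's code). The function names are hypothetical and the padding rule is an assumption reconstructed from the post's description and its one sample value; `random_id` is shown only as a contrast that carries no counter.

```python
import base64
import re
import secrets

PAD = "|padding"   # filler string named in the post
MIN_LEN = 10       # target length named in the post


def encode_id(counter: int) -> str:
    """Encode a numeric row ID the way the post describes (assumed rule)."""
    raw = str(counter)
    if len(raw) < MIN_LEN:
        raw = (raw + PAD)[:MIN_LEN]
    # The sample token in the post has no trailing '=' characters.
    return base64.b64encode(raw.encode("ascii")).decode("ascii").rstrip("=")


def decode_id(token: str):
    """Return the counter inside a token, or None if it is not this scheme.

    Useful as an audit check: run it over the public identifiers your own
    application hands out to see whether they expose a database counter.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:   # covers binascii.Error and UnicodeDecodeError
        return None
    match = re.fullmatch(r"(\d+)(\|[a-z]*)?", raw)
    if not match or not PAD.startswith(match.group(2) or ""):
        return None
    return int(match.group(1))


def random_id() -> str:
    """Contrast: 128 random bits, so there is nothing to decode."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    sample = "MzQ0NDZ8cGFkZA"          # token quoted in the post
    print(sample, "->", decode_id(sample))
    print(random_id(), "->", decode_id(random_id()))
```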

I’ve just gone ahead and officially archived the repo, as it’s been over a week, and no one from Drime emailed me with the “inaccuracies” and the “document” that they had on me… To the surprise of ……… absolutely no one.

I really thought they were gonna show that document but dang it!! They don’t really care about their users do they now?

Anyways, Drime is breaking the laws for Deceptive Commercial Practices, Fraud, multiple GDPR Violations(specifically Transparency, Integrity, Confidentiality, and misrepresentation of ‘Military-Grade’ security measures), and EU Digital Content Directive.
You can read the full report on the github page

Sounds like a responsible company, doesn’t it? I know right? Exactly the kind of people you’d want to trust with your private data

1 Like

Based off the ambiguous wording, they in fact never reached out, very disappointing.. Let’s see what they have to say later.

1 Like

Well they reached out to me now


And sent this screenshot as “proof” that they reached out to me. With a censored email address that is most likely not mine, in the email they sent me they claimed “someone else was contacting us about this, so we thought this was you”


Drime continued with “it was a mistake by a non-technical team member”, ah yes I also accidentally advertised my product as zero knowledge when it isn’t. Also the user that pointed that out was me Drime.


Again, claiming they “scanned” the whole website when this is still live: “7 Most Secure End-to-End Encrypted Cloud Storage Services [Tested in 2025]”

Also they didn’t update their SEO for Google since Google still shows Drime is zero knowledge.
Then they go on to say that they changed a lot from BeDrive, because they added:

The features in the red box are the only ones they added from BeDrive. Yet they still go on and claim that they added “Video streaming” or “Parallel uploads” when BeDrive has these as well, not entirely accurate.

Regarding the encryption architecture, I have accepted Drime’s explanation regarding the database IVs and removed that section. However, their technical disclosure revealed a specific, verifiable security vulnerability: they said they use PBKDF2-HMAC-SHA256 with only 250k iterations for the vault password, which is insecure.

The Open Worldwide Application Security Project (OWASP) recommended at least 600k iterations (in 2023), and Drime is using less than half. Many security experts also consider PBKDF2 inferior to modern algorithms like Argon2id or scrypt.

Next about the data inflation, which I changed to “Suspected Artificial Data Inflation” because once again, 482M vs 34k files in vault is a huge difference.

Finally, Drime is still claiming they’re E2EE because their file contents are encrypted. This is again a flawed definition by Drime, because in a privacy product, metadata is often as sensitive as the content itself. By leaving metadata exposed to the server, Drime fails to provide true E2EE.

My full email to them is on the Github page

So yes, the main point that Drime isn’t “zero knowledge” still stands and that they falsely advertised it

1 Like
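An added example (not Drime's code and not from the post's author) of how a service can carry the PBKDF2-HMAC-SHA256 iteration count with each password record and raise a 250k record to the 600k figure cited above at the next successful unlock. The record layout and function names are hypothetical.

```python
import hashlib
import hmac
import os

POLICY_MIN_ITERATIONS = 600_000  # OWASP figure cited in the post above


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def new_record(password: str, iterations: int = POLICY_MIN_ITERATIONS) -> dict:
    """Hypothetical verifier record: the parameters travel with the hash."""
    salt = os.urandom(16)
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": iterations,
            "salt": salt, "verifier": derive(password, salt, iterations)}


def needs_upgrade(record: dict) -> bool:
    """True when the stored work factor is below the current policy."""
    return record["iterations"] < POLICY_MIN_ITERATIONS


def verify_and_upgrade(password: str, record: dict):
    """Check the password using the stored parameters. On success, return a
    record re-derived at the policy minimum if the stored one is weaker."""
    candidate = derive(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["verifier"]):
        return False, record      # wrong password: record left untouched
    if needs_upgrade(record):
        # Only possible here, while the plaintext password is in memory.
        # Any data key wrapped under the old derived key must be re-wrapped.
        record = new_record(password)
    return True, record


if __name__ == "__main__":
    legacy = new_record("constructed sample password", iterations=250_000)
    ok, upgraded = verify_and_upgrade("constructed sample password", legacy)
    print(ok, legacy["iterations"], "->", upgraded["iterations"])
```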

The unfair part is that you’re transparent - you share proof, explain your reasoning, and correct yourself if you find mistakes.

Drime, on the other hand, relies on vague claims, lies, and spin. They’ve been caught multiple times but keep minimizing the damage and stretching the truth.
They try to make a fool of you, that’s not fair, they lie that “they’ve communicated with you, but you haven’t replied!” 😅

At this point, being polite with them probably won’t help. They don’t seem interested in real transparency and appear focused on short-term gain and damage control.
You seem to be giving them a lot of the “benefit of the doubt” - unfortunately they’re acting like a malicious actor and only abusing that.

It’s probably far more useful to highlight their deceptive practices, keep them documented, archived and warn users.
Companies can make mistakes, but responsible ones admit them and work to fix them.

Drime seems to prioritize profit over honesty and user safety.
Whatever you’ll flag, they’ll simply edit out from their pages (as they did multiple times now), reject the claim and call it a day, until they’re caught again and again.

1 Like

Hi @Freminet,

It seems that all your findings about: https://freminet.github.io/drime were taken down.
I believe it was a valuable chronological summary about dishonesty and false advertisement.

Have they threatened you or what happened?

It’s been archived though: Analysis of Drime Cloud's E2EE and Zero-Knowledge Claims

1 Like