Cloud storage is ubiquitous: Google Drive, Dropbox, and OneDrive are household names. However, these services do not provide end-to-end encryption (E2EE), meaning that the provider has access to the data stored on their servers. The promise of end-to-end encrypted cloud storage is that users can have the best of both worlds, keeping control of their data using cryptographic techniques, while still benefiting from low-cost storage solutions.
However, previous analyses of MEGA and NextCloud have shown that even the largest providers of E2EE cloud storage are affected by cryptographic vulnerabilities and creating secure E2EE cloud storage is a harder problem than initially thought.
Indeed, we show that the current ecosystem of E2EE cloud storage is largely broken. We conduct a cryptographic analysis of five major providers in the field, namely Sync, pCloud, Icedrive, Seafile, and Tresorit, in the setting of a malicious server. We unveil severe cryptographic vulnerabilities in the first four.
The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext. Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.
The study of ETH Zürich’s world-class research team examined the possibility of ten classes of attacks on end-to-end-encrypted cloud storage systems, including confidentiality breaches and file injection vulnerabilities. The findings confirmed that Tresorit’s thoughtful design and cryptographic choices made our system largely unaffected by these attacks. While we are pleased with these results, we also recognize the untapped potential the research highlighted.
Presenting public key fingerprints to users when sharing folders is on our 2025 roadmap. This will completely prevent key replacement attacks by allowing out-of-band verification. We already do this for business invitations so the user can get cryptographic evidence about their future data administrator before joining. Our Common Criteria EAL4 + AVA_VAN.5 evaluated client software — a first among cloud storage services — requires out-of-band key authentication for folder sharing, too.
Even though some metadata, such as the file size, the time of last modification, and folder memberships are shared with the servers, these are also stored as cryptographically authenticated data to prevent tampering. This metadata is also needed to be known on the server side: for the proper bookkeeping of our customers’ storage quota, and to enforce server-side access rules as an additional layer of security.
At Tresorit, security is our top priority, and we are committed to continuous improvement, using these insights to strengthen our platform further. This research not only helps us evolve but also guides the broader industry toward more secure solutions. Security is the foundation of everything we build, and we are proud to collaborate with academic institutions like the Technical University in Budapest to ensure that we stay at the forefront of innovation in secure cloud storage.
Cryptography: Not explicitly detailed, but uses per-user public keys for sharing.
Key Hierarchy: Master key (K_master), Profile key (K_profile), Group key (K_group), Folder key (K_folder), File key (K_file), Link key (K_link)
Sharing: Uses per-user public keys (unauthenticated)
Vulnerabilities Found: Unauthenticated public keys, Tampering with file metadata
The analysis reveals significant vulnerabilities in most of the providers, primarily stemming from a lack of proper authentication of keys and ciphertext, and the use of insecure cryptographic primitives or modes of operation. These vulnerabilities allow a malicious server to compromise confidentiality, integrity, and authenticity of user data.