Tresorit has been brought up in multiple previous discussions, but has never actually been looked at. We should probably consider it, because our current cloud storage providers are very lacking: Nextcloud is mostly only good as a self-hosted solution, and neither Proton Drive nor Cryptee have desktop sync clients.
Probably worth noting it’s closed source and owned by the Swiss government.
It’s late so I’ll look at this again later, but at a quick read through their encryption methods appear sound.
This is not necessarily a blocker, but after a brief looking at their pricing, it seems that they only allow you to upload files up to 10GB per file on the Personal plan.
It doesn’t seem to be a technical limitation, because the Professional plan bumps that limit up to 15GB per file.
It feels weird that they would do that unless there’s a specific reason I’m missing. There’s already a limit on overall storage you can use (as there should be), so an individual file limit is a bit jarring.
I use it and I’m pretty happy about it.
Upload and download speed are very fast.
The only bad point for me is 2FA.
No 2UF/FIDO2 support for the moment, but it’s planned (no public ETA)
However, it is mandatory to have two methods, in my case, email and OTP. No recovery code. I think it’s a little pity.
Small precision: It’s legally based in Switzerland, but it’s Hungarian.
Servers for individuals are in Ireland, not Switzerland. (I don’t care personally, but it’s better to know)
This is a good discussion to have.
Tresorit seems to be the most mature end-to-end encrypted cloud storage provider available. In terms of quality on both a personal and business/enterprise level, it is on par with and a serious alternative to Google Drive, Dropbox and OneDrive who do not offer E2EE, as a secure and private file storage and collaboration platform. They offer clients for all platforms and also have email addons/plugins.
They have strong regulatory compliance when it comes to GDPR, CCPA, HIPAA etc. Security seems very good and certified after having undergone an independent third-party audit.
They also offer Tresorit Send as an E2EE file sharing service, which is available as a browser extension as well.
As for its closed source model, needless to say, it’s not an accurate indicator of privacy and security. A great example of this is MEGA which claims to be E2EE and has fully open source clients, yet its encryption was found out to be so weak, broken and full of holes that user data could be easily accessed and it might as well have been stored unencrypted. For those with high risk threat models that are unwilling to trust the provider, using additional client-side encryption tools is always a recommended option before uploading.
Usually we have no reason to recommend a closed source product when a much better, more secure and more practical open source alternative exists, but the cloud storage options are lacking, and while Proton Drive is great and has extremely promising potential to be the best-in-class, it still needs years to fully mature, so this seems worth examining and considering.
They might operate out of Hungary, but the company is owned by the Swiss post office, is the point I was making.
Should be noted though Tresorit has had numerous third party audits unlike MEGA iirc.
One of the specific points here was:
Perform review with specific attention to Tresorit’s claim regarding end-to-end encryption and identify security deficiencies, vulnerabilities, architectural deficiencies or any other deficiency that may potentially undermine this claim.
The latter one covered:
I have been using Tresorit for the past two years and have found the software, ease of use, reliability, and customer service to all be stellar. As far as I know it’s the best middle ground between privacy and functionality out there.
When I signed up I got in touch with them about this. Upon request they increased my account’s file size limit to 20GB but said they weren’t able to go further than that due to technical limitations of the encryption method they use.
This was a couple of years ago now so things may have changed since then, but it’s worth reaching out to their customer service to see if they can provide more details.
In the meantime I had to set up BackBlaze (with my own encryption key) for the extremely large >20GB media files on my NAS.
If you ever get in touch with them about adding them to the recommendations: I think it’s important to ask them when they plan to change the second factor.
Even if on the rest, Tresorit is a reliable solution (in my opinion, the most interesting), it would be the only recommendation that forces to use (as a backup method) sms or email.
Carrying a security key support can take time. Just removing this requirement is quick.
They are more business oriented, but they follow you on twitter, maybe they would be interested and open to recommandations, at least for individual subscriptions.
the closed source nature is a miss imo. swiss gov is irrelevant. one of tresorit’s staff did provide a reason for this via reddit (3 years ago) but ultimately the question is do we take their word that it’s safe despite being closed source?
IMO the audits are probably a better indication of security than it being open/closed source.
Agreed. And until there’s an open source option that matches Tresorit’s reliability, stability, and feature set (maybe Proton Drive in a few years?) … it’s a valuable option.
I’m actually kind of hoping Skiff drive will get there some point, but as its neither open source nor are there any public audits we can’t add it right yet. They do seem to be things that the authors are interested in though.
Filen doesn’t have any audits yet either mentioned on their site.
2 posts were merged into an existing topic: Peergos - Private storage, sharing, social media and application platform
Status: In Progress → Done