What is the best encryption for cloud storage?

If you’ve ever stored documents or images on the internet, then you’ve relied on cloud encryption to keep your files safe. Proton Drive, Dropbox, Google Photos, and iCloud are all examples of cloud storage services that use some form of encryption to protect your data on the cloud.

Cloud encryption turns your files into unreadable ciphertext to prevent unauthorized access while it’s traveling over the internet and stored on the provider’s servers.

The security and privacy of your files rely upon this encryption, but the encryption method used to protect your files and how it was implemented depends on which service you use. This can make a big difference, as some encryption methods are stronger than others. 

This article explains the different types of encryption and how various cloud storage providers use them to protect data. It covers the following:

• Types of encryption for cloud storage
• How does end-to-end encrypted cloud storage work?
• What is the best encryption for cloud storage?
• How to use encrypted cloud storage for your files

Learn what the “cloud” means

Types of encryption for cloud storage

If you’re new to cryptography, the process of mathematically locking and unlocking packets of data can be complicated. This article describes cloud encryption in a way that’s easy to understand. If you’re looking for a more technical explanation of how Proton handles cloud storage encryption, you can read the Proton Drive security model. 

Encryption allows you to send, receive, and store information in a way that only makes that information readable to people with the correct key. 

If your files are encrypted, they’ll remain unreadable even if an attacker can somehow access them. The only way the attacker would be able to read your encrypted files is if they were able to somehow break the encryption or steal the correct encryption key. 

Encryption covers data in its two basic states:

• Data in transit — This is data that’s being sent between servers, often outside a secure network or over multiple networks. Think of how your email goes from your computer to your email service to your recipient’s computer.
• Data at rest — This refers to data that’s being stored and not used or moved. Data can be stored on your device, on a disk or thumb drive, on a data center server, or in cloud storage.

There are also two main types of encryption, and the type of encryption you use depends on whether you’re protecting data in transit or data at rest.

Symmetric and asymmetric encryption

When you store your files on the cloud, you take the following steps:

1. You select a file from your device to upload. For this example, let’s imagine it’s a photo from your desktop. 
2. That photo is broken into bits of data used in transit, called packets, to be sent over the internet.
3. Your photo’s data packets travel over multiple servers until it reaches your cloud storage’s server.
4. Your photo is then filed and stored on your cloud storage’s server, where you can safely access it again.  

To remain secure, your photo must be encrypted as it travels over the internet so hackers and governments can’t see it. It should also be encrypted on your cloud storage provider’s servers, so it’ll be safe if there’s a breach of the server.

To do this, cloud storage services typically use a combination of symmetric and asymmetric encryption.

Symmetric encryption — With symmetric encryption, the same key is used to encrypt and decrypt data. It works extremely quickly to protect large amounts of data. This is great for encrypting files at rest. An example of symmetric encryption is AES encryption(новое окно).

Asymmetric encryption — Asymmetric encryption (also known as public-key encryption) uses two different keys to encrypt and decrypt data: a public key and a private key. The public key is widely available, but its corresponding private key is only known to the person meant to decrypt the data. This makes it possible to securely encrypt data in transit, but this kind of encryption is much slower. An example of asymmetric encryption is elliptic-curve cryptography. 

If you’re interested in the math behind these different types of encryption, check out this explainer(новое окно).

Many protocols use both symmetric and asymmetric encryption

The main drawback of asymmetric encryption is that it requires a large amount of processing power. Because of this, encrypting anything larger than some lines of text using asymmetric encryption is prohibitively time-consuming. 

That’s why the TLS protocol only uses asymmetric encryption to encrypt the symmetric key that’s actually used to encrypt your connection. The symmetric encryption key is tiny, meaning it’s small enough to be quickly encrypted using an asymmetric cipher. (This is a simplified overview of a TLS connection that doesn’t go into handshakes or TLS/SSL certificates.)

TLS is the backbone of the internet, and it’s used to encrypt all HTTPS connections. Almost any file you send to a cloud storage service will at least be encrypted using TLS. It’s also important to note that, as its name suggests, the Transport Layer Security protocol (TLS) is only used to protect data in transit. Once it arrives at its destination, in this case, your cloud storage provider’s server, TLS’s job is done, and the data is decrypted. 

Most cloud services take the data that TLS decrypted and use symmetric AES cryptography to protect files on their servers since it requires less computing power.

Let’s revisit the example of uploading a photo to the cloud from earlier and add in the encryption steps a typical cloud storage service takes:

1. You select a photo on your desktop to upload to the cloud.
2. The photo is broken into packets for transit. Each of the packets is encrypted by TLS and locked with a single-use session key. 
3. Your browser encrypts that session key with your cloud service’s server’s public key. Then it sends the encrypted session key and your photo’s encrypted data packets across the internet to your cloud service’s server.
4. The server uses its private key to decrypt the session key. Then it uses the session key to decrypt your photo’s data packets.
5. Usually, the server will then re-encrypt your photo using AES for storage.

This system is functional, but it’s not the most secure implementation of cloud storage encryption. That’s because your cloud service encrypts your photo using keys they control, meaning it can decrypt it whenever it wants. This also means that if there’s a data breach, the keys will likely be affected along with your file, meaning whatever is stored on the server can be decrypted. 

This is like keeping the safe and the key to the safe in the same room — not too helpful if somebody breaks in.

How does end-to-end encrypted cloud storage work?

End-to-end encryption is a form of asymmetric cryptography that ensures data remains encrypted throughout its journey from a sender to the designated recipient. PGP is the most widely used form of end-to-end encryption and incorporates both symmetric and asymmetric encryption.

With TLS, for example, your device and the server are the two “ends” of the encryption journey. But there’s another way to implement end-to-end encryption in which files are encrypted on your device using your own public key before being sent to the server. Only your private key can decrypt the files. This way, your data is inaccessible both in transit and while stored on the server.

If we revisit the photo uploading example, this time using end-to-end encryption, this is what it looks like:

1. You select a photo on your desktop to upload to the cloud.
2. The photo is broken into packets for transit. Each of the packets is encrypted using your public key. 
3. These encrypted packets undergo the previously described TLS encryption process and are sent across the internet to your cloud service’s server.
4. The server receives the packets and decrypts the TLS encryption. However, your data is still encrypted using your public key.

In this example, your cloud service’s server doesn’t possess the key needed to decrypt your photo, your private key, which resides on your device. This means it can’t decrypt your photo for any reason. And, if there’s a data breach, your photo will remain securely encrypted. 

What is the best encryption for cloud storage?

Clearly, you need a combination of encryption standards to protect your data in the cloud. No single type of encryption is best because they all have different functions: AES is both efficient and extremely secure. TLS protects data in transit. PGP incorporates elements of both.

However, any cloud storage system that does not use end-to-end encryption is fundamentally less secure. When a server has access to data, anyone with access to the server and the key can access the data.

Cloud storage companies go to great lengths to secure their servers, but data breaches are common, and not even the NSA is immune(новое окно) to hackers.

Moreover, only end-to-end encryption can ensure your cloud storage provider doesn’t abuse your data. For example, Google uses automated scanning to read every document and look at every image you store on its platforms. End-to-end encryption, on the other hand, ensures your files remain private.

How to use encrypted cloud storage for your files

One way to use end-to-end encryption for your files is to encrypt them yourself on your device before uploading them to a non-private cloud storage service, such as Dropbox or Google. There are third-party encryption apps that will allow you to encrypt individual files.

But the easiest way is to simply use a cloud storage provider that offers end-to-end encryption.

Like all Proton services, Proton Drive uses end-to-end encryption to secure your files on your device before storing them on our servers. When you want to share a file with someone, those files are end-to-end encrypted too. 

Proton Drive handles all this encryption automatically, making it simple to use. You simply drag and drop your files into Proton Drive, and it handles the rest. You can also share large files for free.

Get started with secure cloud storage

FAQ