Client-Side Encryption

Client-side encryption (also called zero-knowledge encryption) means files are encrypted on your device using a key the cloud provider never sees, before being uploaded. The provider stores only ciphertext blobs. Even a fully compromised provider, a court order, or a malicious operator cannot read your files. This is fundamentally different from server-side encryption, where the cloud encrypts files at rest with the cloud's own key. Server-side encryption protects against physical disk theft from the data center but does nothing against the cloud operator itself. Tools that do this well: Cryptomator (encrypt before upload to any cloud), Proton Drive (E2EE built in), Tresorit (paid, polished), Filen, MEGA. The key to verify: who holds the encryption key? If the answer is "the provider, and they encrypt for you," it is server-side, not client-side.