Your storage.
Our encryption.
Your key — and only yours.
Link your existing Dropbox, Google Drive, or OneDrive. Cloud Enclave encrypts every file in your browser before it leaves your device — with a key we never see, stored where you already trust.
Your files are probably
being read right now.
Every major cloud service stores your files in a way that lets them — or anyone who compromises them — read your content. Here's why the status quo isn't good enough.
They hold the master key to your files.
That means they can read every file you upload. So can their employees, advertisers, and anyone who obtains a court order — or hacks them.
Complex setup. Fragile workflows.
PGP, VeraCrypt, manual key management — real security tools demand real expertise. One mistake and your data is exposed or permanently lost.
Hard to verify. Easy to fake.
Many services claim zero-knowledge but still encrypt your files on their servers — you just have to trust their word. Cloud Enclave uses open-source encryption you can inspect yourself, running entirely in your browser.
Private cloud storage in three simple steps
No setup. No expertise required. You get the security of military-grade encryption with an experience as simple as any cloud drive.
Connect your cloud vault in seconds
Choose a provider and connect your account. Cloud Enclave requests only the bare minimum permissions to store and retrieve your encrypted files — nothing else. Add as many accounts as you like.
Minimal permissions · Multi-account · No data collectedYour browser locks the file — not our servers
Before a file leaves your device, it is encrypted right in your browser using your password. We never see the original file, your password, or the key used to lock it. Nothing readable ever reaches us.
Encrypted on-device · Password stays local · We see only locked dataLocked files go to your vault. You hold the key.
The encrypted file lands in your own cloud storage — not ours. When you want it back, your browser decrypts it locally using your password. At no point does the readable version touch our servers.
Stored in your vault · Decrypted in your browser · We never see the contentsPrivacy you can feel.
Security you can trust.
Cloud Enclave was built around one idea: your files should be yours alone. No compromises, no fine print, no "trust us".
Your files stay yours — stored in your own vault
We don't host your files. They live in your own cloud storage, encrypted before they ever leave your device. We never see what's inside — and without your password, neither can anyone else.
We never see your credentials — not even at login
When you sign in, your password never travels across the internet. Your browser proves you know it without ever revealing it. It's mathematically impossible for us to steal it.
One compromised file never puts the others at risk
Each file is locked with its own unique key. Even if one were somehow accessed, the rest of your vault stays sealed. No shared keys, no domino effect.
If anyone tampers with your files, you'll know
Every file is cryptographically signed on upload. If even a single byte changes — whether from corruption or tampering — the file will refuse to open. Your data is either perfect or flagged.
Your files open on your screen — nowhere else
When you download a file, it's decrypted right in your browser. The readable version never touches our servers. We send you locked data — your device does the unlocking.
All your accounts, one place
Connect accounts across all your supported providers — personal, work, client. Each appears as its own encrypted vault in the sidebar. One login, everything organised.
Big files upload reliably, every time
Sending a 2 GB folder? No problem. Files upload in the background so you can keep working. You'll see live progress and get notified when everything's done.
Lost your device? Cut off access in seconds
See every active session across all your vaults and revoke them individually — or all at once. Travelling or sharing a computer? One click closes every door except the one you're using.
Always know which files are protected
Encrypted files get a .cencl extension so they're instantly recognisable anywhere in your vault. No guessing, no confusion — what's protected is always obvious.
Built for paranoia.
Designed for everyone.
Our cryptographic stack is implemented in Rust, compiled to WASM, and runs exclusively in your browser. Here's exactly how it works.
AES-256-GCM
Authenticated encryption with unique IVs per chunk. Provides both confidentiality and integrity — any tampering is detected before decryption.
Argon2id Key Derivation
Argon2id (64 MiB memory · 3 iterations · parallelism 1) derives your encryption key from your password. The memory-hard design resists GPU and ASIC brute-force attacks. The derived key never leaves your browser.
HMAC-SHA2 Challenge Auth
Zero-knowledge login: the server issues a nonce, your browser responds with an HMAC proof. Correct password demonstrated — never transmitted.
Rust WASM — No JS Crypto
Cryptographic operations run in a compiled Rust WASM module via a Web Worker. Native performance, constant-time operations, no pure-JS crypto vulnerabilities.
Uploading file
Don't take our word for it.
Verify it yourself.
We built Cloud Enclave on a simple principle: you shouldn't have to trust us. The encryption is transparent, the libraries are open-source, and the proof is in your browser's network tab.
Audited open-source crypto
Our encryption runs on RustCrypto — independently audited, battle-tested libraries used by millions of projects worldwide. We wrote zero novel cryptography.
Read the NCC Group audit →No VC funding. No data incentive.
Cloud Enclave is bootstrapped. We have no investors demanding growth at any cost, no advertising business model, and no reason to monetize your data.
Verify it yourself
Open Developer Tools in your browser while uploading. You will never see plaintext in any network request — only encrypted bytes. Our zero-knowledge claim is observable, not just stated.
Your files live in your own cloud storage
We don't host your files — they live in your own connected storage account. You own the storage, you control the account, and your encrypted files are always accessible to you directly.
We didn't invent our own cryptography — we built on the same battle-tested libraries trusted by millions of projects worldwide.
I built Cloud Enclave because I needed it myself — I wanted the cloud to handle my files, but I wasn't willing to let it see what was inside them."
I'm a software architect with a background in web applications and security. After spending years watching "zero-knowledge" become a marketing buzzword with nothing behind it, I decided to build something that invites you to verify every claim in real time — straight from your browser's DevTools. Cloud Enclave is bootstrapped, independent, and built to earn your trust one auditable detail at a time.
Start free. Upgrade when ready.
One vault to start. Unlock everything when you're ready. No credit card required — pro features are in development, join the waitlist for early access.
Free
Everything you need to keep your personal files private — no strings attached.
- 1 vault (any supported provider)
- Unlimited encrypted files
- Military-grade encryption
- Password never leaves your device
- Revoke cloud access anytime
- Community support
Enclave
For people who take privacy seriously — across every provider, every account, every device.
- Unlimited vaults
- Any supported provider per vault
- Everything in Free
- Priority email support
- Early access to new features
- Encrypted cross-device sharing
All plans use the same AES-256-GCM encryption. There is no "lite" security tier.
Your files deserve privacy.
Start free today.
No credit card. No limits on encrypted files. Connect your cloud vault in under a minute — and take back control of your data.
Your password never leaves your browser. We can't read your files — even if we wanted to.
Can Cloud Enclave read my files?
No — and this is by design, not just policy. Your files are encrypted in your browser before they ever reach us. The key that locks them is derived from your password and never leaves your device. What we store on our servers is locked data that is meaningless without a key we never have.
What happens if I forget my password?
This is what zero-knowledge actually means — even we cannot help you. That is the point, not a limitation. If we could reset your password, we could also read your files. We chose to make that mathematically impossible. Store your password in a dedicated password manager such as Bitwarden (free and open-source) or 1Password, and you will never face this situation. Zero-knowledge encryption is only as strong as the password you protect.
Where are my files actually stored?
Encrypted files are stored in your own cloud storage account. Google Drive is supported today — more providers are on the way. Cloud Enclave stores only encrypted file metadata (filename hash, size, encryption parameters) in our database — never file content. You remain the owner of the storage.
What encryption does Cloud Enclave use?
The same standard used by governments, banks, and militaries worldwide — AES-256. On top of that, every file is authenticated, meaning if anyone tampers with even a single byte, the file will refuse to open. Your encryption key is produced from your password using a memory-hard algorithm specifically designed to make brute-force attacks computationally impractical. For the technically curious, the full stack is detailed in the Security section.
Can I connect multiple accounts or providers?
Yes. On the free plan, you get one vault connected to any supported provider. Upgrade to connect unlimited vaults across as many accounts and providers as you need. Each appears as a separate encrypted vault in the sidebar with its own OAuth connection and session tokens. You can revoke access to any vault independently. Google Drive is supported today — more providers are coming.
How does login work without sending my password?
Cloud Enclave uses a zero-knowledge challenge-response protocol. When you log in, the server issues a random nonce and a bcrypt salt. Your browser computes a bcrypt hash of your password with that salt, then produces an HMAC-SHA512 proof using the nonce. The server verifies the proof without ever seeing your password or your encryption key.
Will I always have to type a password for each file?
Not forever. Right now you provide a password each time you lock or unlock a file — that password is used to derive the encryption key on the spot. Passkeys are on our roadmap: your device (Face ID, Touch ID, Windows Hello, or a hardware key) will derive that key automatically, so your vault opens without typing anything. The zero-knowledge guarantee stays intact — the key still never leaves your browser. Existing password-based vaults will have a migration path when passkey support launches.
Is the encryption code auditable?
Yes. The Rust cryptography implementation in our WASM module uses well-audited crates: aes-gcm 0.10, argon2 0.5, and hmac + sha2 from the RustCrypto project. These are open-source libraries with independent security audits.
What data does Cloud Enclave store about me?
We store your username, a one-way hash of your login credentials (never your actual password), encrypted file metadata, cloud storage access tokens, and session tokens. We never store your encryption key or any readable file content. Your files themselves live in your own connected cloud storage.