Every major cloud storage provider will tell you your files are encrypted. It is true, and it is also close to meaningless on its own. The question that actually decides your privacy is not whether files are encrypted, but who holds the key that decrypts them.
"Encrypted" is not the same as "private"
When a provider says your files are encrypted at rest, it usually means the provider encrypts them with a key the provider keeps. That protects you against someone stealing a hard drive from a data center. It does not protect you from the provider itself, from anyone who compromises the provider's systems, or from anyone who can compel the provider to hand data over.
If the service can show you a thumbnail of your document, search inside your files, or recover everything after you forget your password, then by definition the service can read your files. None of those features are possible on ciphertext alone.
The real question is custody
Think of encryption keys the way you think of house keys. What matters is not the quality of the lock alone; it is who has a copy of the key. For cloud files there are three honest answers, and each is a different trade-off between convenience and privacy. Privatt implements all three as explicit vault modes, because we think you should make this choice knowingly rather than inherit it silently.
1. The provider holds the key
This is how most mainstream cloud storage works, and it is what our Managed by Privatt mode does. It is the easiest option: sign in from any device with nothing extra to remember and no risk of locking yourself out. The trade-off is stated plainly: because we hold the key, Privatt can read your files, which also lets us scan them for malware. This option is not zero-knowledge, and any provider offering these conveniences should say the same.
2. Only you hold the key
In our Your devices only mode, your key is derived from a passphrase only you know, on your device. Files are encrypted before they leave, and Privatt stores only ciphertext we cannot open. This is end-to-end, zero-knowledge encryption: the most private option, with a cost that deserves honesty. If you lose both your passphrase and the one-time recovery key you saved at setup, no one can restore your data. Not even us. That is not a support failure; it is the direct consequence of a vault only you can open.
3. Two keys, one vault
Our recommended default is the Two-key vault. Like a bank safe-deposit box, opening your vault takes two keys: yours, derived from your passphrase, and Privatt's. Neither of us can open it alone. A breach of stored data is worthless to an attacker without both keys, and Privatt alone can never read your files. You still keep a passphrase and a recovery key, but the model tolerates more real-world mess than a purely self-held key while conceding far less than provider custody.
Questions to ask any provider
- Can you reset my password and give me my files back? (If yes, they hold a key that opens your data.)
- Is the content of my files ever readable on your servers, even briefly?
- What exactly happens if I lose my credentials? A hard answer here is often a good sign.
- Can I take my files elsewhere at any time, with no lock-in?
Choose the trade-off on purpose
There is no single right answer. Provider-held keys buy convenience, self-held keys buy privacy, and a two-key design buys most of both. What matters is that the choice is yours, that it is explained honestly, and that the mode's limits are printed where you can read them, not buried in a whitepaper. That is the standard we hold ourselves to at Privatt, and the one you should hold over any provider that stores what matters to you.