How to Send Sensitive Files Without Trusting the Cloud

← Back to Blog

Every day, millions of people share sensitive documents through cloud services like Google Drive, Dropbox and OneDrive. Tax returns, medical records, legal contracts, identity documents — all uploaded to servers controlled by someone else. Most users assume their files are private. They are not.

The uncomfortable truth is that every major cloud storage provider has the technical ability to read your files. They hold the encryption keys. Your data is "encrypted at rest," but that encryption protects the provider from outside attackers — not from the provider itself.

The Trust Problem with Cloud Storage

When you upload a file to Google Drive, the file travels over an encrypted connection (TLS) and is stored encrypted on Google's servers. This sounds secure. But Google manages the encryption keys, which means Google's systems can decrypt your files at any time.

This is not a hypothetical concern. Cloud providers routinely access your data for several reasons:

Content scanning. Google, Microsoft and others scan uploaded files for malware, illegal content and policy violations. This requires decrypting and reading the file contents.
Advertising and analytics. Some providers analyze file metadata and content to build user profiles. Google's privacy policy explicitly reserves this right.
Legal compliance. When a government issues a subpoena or court order, the provider can hand over your decrypted files because they hold the keys.
Employee access. Internal employees with sufficient privileges can access user data. Every major provider has had incidents of employee misuse.

Consider this: When you share a Google Drive link with a colleague, both of you trust Google not to read the document. But Google can — and in some cases, does — access it. You have no technical guarantee of privacy, only a policy promise.

What "Encrypted" Actually Means (And Doesn't)

Cloud providers use two types of encryption that sound reassuring but do not protect your privacy:

Encryption in Transit (TLS)

Your file is encrypted while traveling between your computer and the server. This prevents a third party from intercepting the file during upload. But the moment it arrives at the server, it is decrypted and the provider can read it.

Encryption at Rest

The file is encrypted on the server's disk. This protects against physical theft of the server's hard drives. But the provider holds the decryption key, so their own systems can access the plaintext whenever needed.

Neither of these protections prevents the storage provider from accessing your data. They protect the provider's infrastructure — not your privacy.

What Zero-Knowledge Encryption Changes

Zero-knowledge encryption flips the model entirely. Instead of the server encrypting your files with its own keys, your browser encrypts the file before it ever leaves your device. The server receives only encrypted data and never possesses the decryption key.

Here is what happens in a zero-knowledge file sharing system:

Step 1: You select a file in your browser.
Step 2: Your browser generates a random AES-256-GCM encryption key.
Step 3: The file is encrypted entirely in the browser using that key.
Step 4: The encrypted blob is uploaded to the server. The key is not sent.
Step 5: The key is embedded in the URL fragment (the part after #), which browsers never send to servers.
Step 6: You share the URL with your recipient. They open it, and the browser decrypts the file locally.

Why the URL fragment matters: Everything after the # character in a URL is processed only by the browser. It is never included in HTTP requests to the server. This is defined in RFC 3986 and is a fundamental rule of how URLs work. By placing the decryption key in the fragment, the server physically cannot learn it.

Comparing the Two Approaches

Feature	Traditional Cloud Sharing	Zero-Knowledge Sharing
Who holds the encryption key?	The cloud provider	Only sender and recipient
Can the server read your file?	Yes	No
Can employees access your data?	Yes, with privileges	No — technically impossible
Government subpoena risk	Provider hands over decrypted files	Provider can only hand over encrypted blobs
Content scanning	Files scanned for content	No scanning possible
Breach impact	Attackers get readable files	Attackers get encrypted data they cannot use

Practical Scenarios

Sending Tax Documents to Your Accountant

Tax returns contain Social Security numbers, income details and bank account information. Uploading them to Google Drive means Google's systems can access that information. With zero-knowledge sharing, you send a link that expires in 24 hours. Your accountant downloads the file once. The encrypted data is automatically deleted after the TTL expires. Nobody else — including the server operator — ever sees the contents.

Sharing Medical Records

HIPAA in the United States and GDPR in Europe impose strict requirements on how medical data is handled. Sharing an MRI report through Dropbox means Dropbox becomes a data processor with access to protected health information. Zero-knowledge file sharing eliminates this problem because the server never processes (or even sees) the unencrypted data.

Transferring Legal Contracts

Law firms handle confidential client information daily. Sending a merger agreement through email or a cloud link exposes it to multiple intermediaries. A zero-knowledge link with a 15-minute TTL and single-use download ensures the document can only be retrieved once and then disappears permanently.

What to Look for in a Secure File Sharing Tool

Not all tools that claim to be "encrypted" are truly zero-knowledge. Here are the key criteria:

Client-side encryption. The encryption must happen in your browser or app, not on the server. If the server encrypts the file, the server has the key.
No key transmission. The decryption key should never be sent to the server in any form — not in the URL path, not in a cookie, not in a header.
Time-limited links. Files should not live on the server forever. Configurable TTL (time to live) reduces the window of exposure.
Single-use downloads. For maximum security, the file should be deleted from the server after the first download.
Open architecture. The encryption method should be documented and auditable. AES-256-GCM is the industry standard for authenticated encryption.

Red flag: If a service says it offers "end-to-end encryption" but requires the recipient to create an account and log in to download, the service likely has access to the decryption key somewhere in the process. True zero-knowledge sharing should allow the recipient to decrypt without any account.

The SecureSend Approach

SecureSend, built into UnveilPass, implements this zero-knowledge model. Files are encrypted with AES-256-GCM directly in the browser. The decryption key is placed in the URL fragment. The server stores only the encrypted blob and cannot read it. Recipients do not need an account — they simply open the link and the browser handles decryption.

Additional features include configurable TTL (from 15 minutes to 7 days), single-use download option, multi-file support with automatic ZIP compression and an optional encrypted message for the recipient. A download counter lets the sender verify how many times the link was accessed.

The Bottom Line

Trusting a cloud provider with your sensitive files means trusting their employees, their security practices, their compliance with government requests and their resistance to breaches. Zero-knowledge encryption removes that trust requirement entirely. The server becomes a dumb storage box that holds data it cannot understand.

For anything genuinely sensitive — financial documents, medical records, legal files, identity documents — zero-knowledge file sharing is not a luxury. It is the minimum standard.

Try SecureSend — Free Encrypted File Sharing

Send files with end-to-end encryption. The server never sees your data. No account required to receive.

Get Started Free