September 30, 2013

A Guide to Cloud Storage Encryption

Written by
Why is TechnologyAdvice Free?

If your company is currently using cloud storage or backup, or is considering moving files into the cloud, then you need to be familiar with the different types of data encryption offered by storage providers. While encryption protocols can seem complex, we break down the details below in order to help you make an informed decision for your company. Making smart choices up front can help prevent potentially devastating data loss or data breaches in the future. In order to keep the article informative, yet easily digestible, we won’t get into the exact technology behind encryption, but rather offer an overview of the tech and offer implementation advice.

Location, Location, Location

One of the biggest reliefs when evaluating encryption offerings is the AES specification. For the vast majority of businesses and users, AES (Advanced Encryption Standard) meets every data security need. The standard was developed by two Belgian cryptographers, and is now the globally accepted way to encrypt data. The United States Government has even approved it for use with top-secret files.1

Aside from using AES (which you should), the next most important thing to decide is the location where your data is encrypted. There are three possible places where encryption can occur – client-side, in-transit, and at-rest – each of which we’ll outline below.


Client-side encryption refers to encrypting data on a user’s computer, before it is uploaded to the cloud. Most often, the data is encrypted using a digital key that the storage server doesn’t know. This means that once the files are uploaded to the server, the storage company has no way of seeing what’s inside them, or of decrypting them. This kind of security is often referred to “zero-knowledge” storage, since the company has no knowledge of what a user is backing up or storing.

Client-side encryption is by far the most secure option for companies with high-risk or highly-sensitive files (think healthcare companies with patient files, or law firms handling client documents). This security does come at a cost however, as many storage-providers who offer client-side encryption charge a premium. In addition, the encryption keys need to be handled with care. If your company suffers a data loss and you lose the encryption key, the storage-company will be unable to help you decrypt your files.


In-Transit encryption refers to the security of data when travelling from your computer to a company’s file server. In order to make sure you aren’t broadcasting your data to anyone on the same network during the uploading process, the server exchanges encryption keys with your computer, essentially creating a secure path (or tunnel) for your data to travel through.

Unless you have no concerns about your data’s privacy, you should also use a storage company that providers in-transit encryption. Although not nearly as robust as client-side (because the data is only encrypted during transit), this provides a minimum-level of security for non-sensitive information. Essentially, in-transit is the minimum amount of encryption that any company should settle for.


At-Rest encryption is a term used to indicate that the storage company keeps the data stored on their servers in an encrypted format. When combined with in-transit encryption, this should be secure enough for most companies that aren’t operating in highly-sensitive industries or handling classified files. Most storage providers that offer at-rest encryption use AES encryption, which we talked about above.

The only downside with trusting providers to encrypt your information, is the inherent uncertainty in allowing others to handle the keys to your data. Since they’re the ones encrypting the files, they also has the ability to decrypt them, so its wise to check over their policies regarding that in the user agreement. Further, if a government agency requests access to their servers, the company may not have a choice but to turn over the encryption key along with your data.

When choosing a cloud storage provider, companies should keep the above information in mind. If you’re files are high-value and extremely sensitive, you’ll want to make sure the company you’re working with offers client-side encryption, or allows you to upload already encrypted files to their servers. If your company isn’t involved with such information, but you still want to err on the cautious side, choose a provider that offers at-rest encryption to ensure that even if their servers are compromised or hacked, your data will remain safe. Finally, if you need a cheaper storage option and aren’t as worried about security, a provider that offers only in-transit encryption is a fine choice. We don’t recommend using any storage provider that doesn’t offer at least in-transit protection.


1. “U.S. Selects a New Encryption Technique” – The New York Times

Technology Advice is able to offer our services for free because some vendors may pay us for web traffic or other sales opportunities. Our mission is to help technology buyers make better purchasing decisions, so we provide you with information for all vendors — even those that don't pay us.