ZeroTrust Drive

Encrypt on your machine. Store encrypted gibberish on any cloud. No provider can read your files — not even if a court orders them to.

The Problem with "Privacy" Providers

Services like Proton Drive, Tresorit, or Cryptomator Hub promise end-to-end encryption — but they control the client software you use. A court order, a national security letter, or a compromised update can silently deliver a rigged client that leaks your keys. You are trusting their infrastructure, their employees, and their jurisdiction.

With ZeroTrust Drive, you don't have to trust anyone.

Encryption happens entirely on your computer using open-source code you can audit. Your cloud provider only ever sees opaque, numbered .age files — no filenames, no directory structure, no content. They cannot decrypt your data because they never had the key.

How It Works

  1. Point --encrypted-dir at any cloud sync folder (Google Drive, OneDrive, Dropbox, Yandex Disk)
  2. ZeroTrust Drive mounts a FUSE filesystem at ~/z.drive — you work with normal files
  3. Every file is encrypted with ChaCha20-Poly1305 before it ever touches disk
  4. Your cloud provider syncs only ciphertext: 000001.age, 000002.age, …
  5. Unmount and your decrypted directory is empty — only encrypted storage remains

Features

ChaCha20-Poly1305

256-bit AEAD cipher (RFC 8439). Same encryption used by WireGuard, TLS 1.3, SSH, and Android disk encryption. Provides both confidentiality and integrity — tampered files are detected automatically.

Any Cloud Provider

Works with Google Drive, Microsoft OneDrive, Dropbox, Yandex Disk, or any folder-syncing service. Your provider only sees numbered ciphertext files. Zero vendor lock-in.

Transparent FUSE Mount

Works like a normal directory. Open files in any application — text editors, IDEs, image viewers. No special software needed beyond the mount.

Crash-Safe Passphrase Rotation

Change your encryption passphrase without risking data loss. Two-phase atomic rekey with manifest tracking — survives crashes, power loss, or Ctrl+C at any point.

Cloud Sync Conflict Detection

Detects when the encrypted index is modified externally (e.g. by cloud sync while mounted) and warns before overwriting. No silent data loss.

Open Source (AGPL-3.0)

Full source code available. Audit the encryption yourself. No hidden backdoors, no telemetry, no accounts, no subscriptions. You own your security.

Cost Comparison

What you actually pay for private cloud storage
ZeroTrust Drive Proton Drive Tresorit
Software cost Free, forever from $4/month from $11/month
Storage Your existing cloud
Google Drive 15 GB free,
100 GB for $2/month 		1 GB free, plans from 200 GB plans from 1 TB
Encryption Client-side, on your machine Client-side Client-side
Provider can read files Impossible — provider never has the key or the client Possible via rigged client update Possible via rigged client update
Court order risk No entity to compel Swiss jurisdiction, which is meanwhile — in terms of privacy — even weaker than the EU Swiss jurisdiction, which is meanwhile — in terms of privacy — even weaker than the EU
Open source AGPL-3.0 Partial Proprietary
Vendor lock-in None — use any cloud Proton ecosystem Tresorit ecosystem

Technical Details

Cipher ChaCha20-Poly1305 (RFC 8439), 256-bit, military-grade
Filename limit 255 bytes (ext4, APFS, NTFS standard)
Max files 16+ million files
Language Rust, 2MB binary, without the Java bloat
Filesystem FUSE
License AGPL-3.0-only

Supported Platforms

Linux

Native FUSE support.
Install libfuse-dev and download the binary.

macOS

Requires macFUSE.
Apple Silicon (aarch64) binary available.

Windows

Not yet supported.
Would require WinFSP integration.

Download from GitHub Releases