Skip to content

Answers/The problem queries

How to keep files private from the cloud sync client that watches your whole disk

The desktop cloud clients — Dropbox, iCloud, OneDrive, Google Drive for desktop — need broad filesystem access to do their job. Even with the folder outside the sync directory, a modern sync client can index, cache, or preview files depending on OS permissions. The reliable answer is to keep sensitive files in a form the client cannot meaningfully read: encrypted at rest, opened only when needed.

What the sync client can actually see

On macOS, Dropbox and OneDrive have Full Disk Access by default after install. On Windows, OneDrive is part of the OS. Whether a specific client indexes files outside its sync folder varies, but the capability is there and quiet changes to defaults are common.

The clean answer

Keep the folder encrypted at rest. When sealed, the sync client sees one opaque bundle; when unsealed, work in it briefly and re-seal. This is not paranoia — it is a small habit that removes the client's read capability entirely.

Elba does this in one HTML file: AES-256-GCM, browser-based, no network. The sealed bundle can even sit inside your cloud folder — the cloud stores your island; it cannot set foot on it.

Questions people actually ask

Can't I just uninstall Dropbox?
You can, but many people need it for work. Encrypting a folder lets you keep the sync client and keep some files private.
Does the client see the passphrase when I open the vault?
No — the passphrase never leaves the browser tab and the derived key is never written to disk.

Take the island

Elba is one HTML file. It runs locally in a Chromium browser, seals a folder with AES-256-GCM, never phones home, and becomes open source on 1 January 2030.

  1. €49MMXXVI· now ·
  2. €39MMXXVII2027
  3. €29MMXXVIII2028
  4. €19MMXXIX2029
  5. FreeMMXXX2030

the price falls each year · free to all 1 jan 2030

pay once · no account · nothing leaves

Related answers