Answers/The problem queries
How to keep files private from the cloud sync client that watches your whole disk
The desktop cloud clients — Dropbox, iCloud, OneDrive, Google Drive for desktop — need broad filesystem access to do their job. Even with the folder outside the sync directory, a modern sync client can index, cache, or preview files depending on OS permissions. The reliable answer is to keep sensitive files in a form the client cannot meaningfully read: encrypted at rest, opened only when needed.
What the sync client can actually see
On macOS, Dropbox and OneDrive have Full Disk Access by default after install. On Windows, OneDrive is part of the OS. Whether a specific client indexes files outside its sync folder varies, but the capability is there and quiet changes to defaults are common.
The clean answer
Keep the folder encrypted at rest. When sealed, the sync client sees one opaque bundle; when unsealed, work in it briefly and re-seal. This is not paranoia — it is a small habit that removes the client's read capability entirely.
Elba does this in one HTML file: AES-256-GCM, browser-based, no network. The sealed bundle can even sit inside your cloud folder — the cloud stores your island; it cannot set foot on it.
Questions people actually ask
- Can't I just uninstall Dropbox?
- You can, but many people need it for work. Encrypting a folder lets you keep the sync client and keep some files private.
- Does the client see the passphrase when I open the vault?
- No — the passphrase never leaves the browser tab and the derived key is never written to disk.
Take the island
Elba is one HTML file. It runs locally in a Chromium browser, seals a folder with AES-256-GCM, never phones home, and becomes open source on 1 January 2030.
- €49MMXXVI· now ·
- €39MMXXVII2027
- €29MMXXVIII2028
- €19MMXXIX2029
- FreeMMXXX2030
the price falls each year · free to all 1 jan 2030
pay once · no account · nothing leavesRelated answers
- How to store files in Google Drive so that Google can't read them
Google Drive holds files as plaintext on Google's servers. Client-side encryption makes what you upload unreadable — including to Google.
- Encrypt files *before* they reach Dropbox, iCloud, or OneDrive
The right moment to encrypt is on your machine, before the file ever sees a sync client. A minimal workflow, and where it breaks down.