← Back to Guides

Secure File Transfer Without Cloud Storage

File Security Guide 6 min read Updated December 2024

The Cloud Storage Problem

Dropbox, Google Drive, WeTransfer, and similar services are convenient—but they come with severe privacy trade-offs:

  • Files are stored indefinitely on third-party servers
  • Providers can decrypt and scan your files for content moderation and advertising
  • Government agencies can subpoena file contents without your knowledge
  • Data breaches expose millions of files to attackers
  • Employees with admin access can view your "private" files
  • AI systems train on your uploaded content

"If the cloud provider can see your files, they're not truly private. The solution is to never let them see plaintext in the first place."

Alternative File Sharing Methods

1. Client-Side Encrypted URL Fragments

How it works: Files are encrypted in your browser before transmission. The encrypted blob becomes part of the URL fragment (after the #). Recipients decrypt locally—servers never see plaintext.

Pros: True zero-knowledge. No server storage. Self-destruct after reading. Works for files up to ~10MB.

Cons: URL size limitations restrict file size. Links can be long and unwieldy.

✓ Best For:

Documents, images, configuration files, certificates, private keys, small binaries.

2. WebRTC Peer-to-Peer Transfer

How it works: Direct browser-to-browser file transfer. No intermediary servers (except for initial connection negotiation). End-to-end encrypted by default.

Pros: No file size limits. No server storage. Direct connection = fast transfers. Files never touch third-party infrastructure.

Cons: Both parties must be online simultaneously. NAT traversal can fail in restrictive networks. No offline access.

✓ Best For:

Large files (videos, backups, disk images). Real-time collaboration. Maximum privacy.

3. Self-Hosted Encrypted File Drops

How it works: Run your own file-sharing server (e.g., FileBin, Lufi, PrivateBin). Files are encrypted client-side before upload. Only you control the infrastructure.

Pros: Full control. No third-party access. Configurable retention policies. Can handle large files.

Cons: Requires technical setup. Server maintenance burden. You're responsible for uptime and security.

✓ Best For:

Organizations with compliance requirements. High-volume file sharing. Long-term control.

4. Encrypted Email Attachments

How it works: Encrypt files with GPG/PGP or AES before attaching to email. Send decryption key via separate channel.

Pros: Works with existing email infrastructure. No new tools required. Recipient can download offline.

Cons: Email size limits (usually 25MB). Metadata still visible (sender, recipient, timestamp). Requires technical knowledge.

⚠️ Limitations:

Email providers scan attachments. Even encrypted files trigger spam filters. Not suitable for large files.

5. Physical Media (USB, SD Cards)

How it works: Copy files to encrypted USB drives or SD cards. Hand-deliver or ship via trusted courier.

Pros: Air-gapped security. No internet exposure. Works for any file size. No digital traces.

Cons: Slow (days for delivery). Physical security risks (loss, theft, interdiction). Not scalable.

✓ Best For:

Extremely sensitive data (source code, trade secrets, classified documents). Nation-state threat models.

Step-by-Step: Client-Side File Encryption

This method provides the best balance of security and convenience for most users:

  1. 1.

    Choose Your File

    Select the file you want to share. Supported formats: documents (PDF, DOCX), images (PNG, JPG), archives (ZIP), certificates (PEM, CRT), binaries (up to 10MB).

  2. 2.

    Encrypt in Browser

    Upload to HexBurn. File is read locally and encrypted with AES-256-GCM using Web Crypto API. Original file never leaves your device unencrypted.

    File [original.pdf]
  → Read into memory (ArrayBuffer)
  → Generate random encryption key (256-bit)
  → Encrypt with AES-256-GCM
  → Encode to base64 URL-safe string
  → Embed in URL fragment
  3. 3.

    Add Password Protection (Optional but Recommended)

    Layer on additional password for defense-in-depth. Use strong passphrase or generated password.

  4. 4.

    Set Burn Conditions

    Configure self-destruct timer (30 seconds for sensitive files). Set max read count (usually 1). Enable decrypt attempt limits (3-5 tries).

  5. 5.

    Share via Split Channels

    Send link via email/Slack. Send password via phone call or separate messaging app. Never use the same channel for both.

  6. 6.

    Recipient Decrypts

    Recipient opens link, enters password, file is decrypted in their browser. They download the plaintext file. Original self-destructs after timer expires.

Security Comparison

Feature Cloud Storage Encrypted Cloud Client-Side
Server sees plaintext Yes No No
Provider has keys Yes Sometimes Never
Data breach exposure Complete Depends on key storage Ciphertext only
Subpoena risk Full access Encrypted data Already deleted
Employee snooping Possible Unlikely Impossible
AI content scanning Yes No No
Retention period Indefinite Configurable Auto-delete

❌ Common Mistakes

Trusting "zero-knowledge" claims without verification. Many services claim zero-knowledge but still have server-side keys. Check if encryption happens client-side and keys are derived from user passwords.
Using weak passwords for file encryption. If you encrypt with "password123", the file is trivially decryptable. Use strong, unique passphrases.
Sending files and passwords via the same channel. Split-channel delivery is essential. Never send both through email or the same messaging app.
Forgetting to delete local copies. After sharing, securely delete original files from your device (multi-pass wipe, not just recycle bin).
Not verifying recipient identity. Confirm you're sharing with the right person before sending decryption credentials. Phishing and social engineering are real threats.

Enterprise File Sharing Policies

Organizations should implement these policies for secure file sharing:

Classify Data: Public, Internal, Confidential, Restricted. Each classification has different sharing rules. Restricted data requires client-side encryption + multi-factor auth.

Approved Tools List: Maintain whitelist of vetted file-sharing tools. Ban unapproved cloud storage (Dropbox, personal Google Drive, WeTransfer).

Audit Logging: Log all file shares (who, what, when, with whom). Use receipt systems for accountability. Retain logs per compliance requirements (7 years for SOX).

DLP Integration: Deploy Data Loss Prevention (DLP) tools to prevent accidental leaks. Block uploads of files containing SSNs, credit cards, or PII to unauthorized platforms.

Training: Employees need to understand WHY cloud storage is risky and HOW to use secure alternatives. Run phishing simulations to test awareness.

Key Takeaways

  • Traditional cloud storage exposes files to providers, governments, and hackers
  • Client-side encryption ensures servers never see plaintext
  • WebRTC peer-to-peer transfers eliminate intermediary servers entirely
  • Self-destruct after delivery minimizes exposure window
  • Split-channel delivery (link + password separately) is essential
  • For maximum security, layer multiple protections: encryption, passwords, burn timers, access controls
Share Files Securely More Guides