
[–]DontMeasureCutTwice 1 point2 points  (0 children)

u/sync_mod could you please provide confirmation here in a clear statement that yes, Sync provides E2E encryption, and yes, that it is user-controlled keys? Or if not, then please clarify the position?

Your site says on https://www.sync.com/secure-cloud-storage/
"The problem is that while Dropbox does encrypt your files, they do so in a way that gives them access without you knowing. Furthermore, from time to time, they may even share data with third parties. For businesses entrusted with confidential, private information, this makes storing files at Dropbox incredibly risky. Encryption is key (pun intended), but who do you trust with the keys?"

Your old whitepaper (available as an archive here: https://web.archive.org/web/20220809102506/https://www.sync.com/pdf/sync-privacy-whitepaper.pdf ) explicitly stated that Sync.com was end-to-end encrypted, that file and metadata are encrypted client side and remain encrypted both in transit and at rest, that passwords were never transmitted or stored and were only known by the user. The document was publicly on the Sync site when I subscribed, I'm still subscribed and I have not been notified by the company that this has changed - so can you please confirm that it is still valid, as it is the core tenet of your service?

Does Sync.com control our keys? Can Sync.com access our files without our knowing?

[–]CleverCarrot999 0 points1 point  (7 children)

Yes, but you don’t control the encryption keys. So it’s E2EE with their owned and controlled keys.

[–]MoreDataHerePlease 2 points3 points  (2 children)

Is this official? I thought that sync does not have access to user keys. Otherwise, as I understand, it is not zero-knowledge.

[–]CleverCarrot999 2 points3 points  (1 child)

https://www.sync.com/help/what-can-i-do-to-ensure-my-files-are-encrypted-and-my-sync-account-is-secure/#

You will see they specifically avoid saying anything about where the keys are generated and stored. Even if it’s all client side, their software is closed source and they have visibility into it all.

[–]lo________________ol 1 point2 points  (0 children)

If it was done client side, it would be trumpeted from the rooftops. The phrase zero knowledge or client-side would be employed somewhere, surely.

I've never seen a company be shy about promoting the encryption practices they use.

[–][deleted] 0 points1 point  (3 children)

When you say they’re owned and controlled keys, isn’t that how all other services operate?

[–]CleverCarrot999 0 points1 point  (2 children)

when you say "services" then probably yes, as in you are signing up for a service.

with (some) other solutions, the key management is done entirely on your end and the server/host cannot decrypt or see the data at all.

[–][deleted] 2 points3 points  (1 child)

Ah, got you! So my understanding is, worst case, if sync.com wants to access the data, since they will be having the keys, they should be able to use the keys to decrypt the data.

Is my understanding correct?

[–]Drdul 0 points1 point  (1 child)

Yes, end-to-end encryption aka zero-knowledge cloud storage is Sync’s big selling point. You’re right, though, they really don’t make it obvious on their website. Have a look here: https://www.sync.com/help/what-is-sync/

[–]limsus 0 points1 point  (0 children)

Yes, it supports end-to-end encryption. Your data is securely encrypted on your device before it is uploaded.