This article documents ProtonDrive’s security model by showing how it uses end-to-end encryption to protect your sensitive data. While somewhat technical, this document is meant to be accessible to a general audience and attempts to explain how ProtonDrive works in plain language.
ProtonDrive is in the final stages of development before our beta launch later this year.
Overview
ProtonDrive is the newest addition to the Proton encrypted ecosystem. It offers secure online storage space for our users’ photos, documents, and other files with the same focus on privacy and security as the other Proton products.
ProtonDrive’s design is based on end-to-end encryption. This model prevents any attacker who gains access to one of our servers from:
- viewing the file structure in the users’ personal storage space
- viewing or changing the contents of their files
- viewing or changing the file names
- adding new files and attributing them to the user
With this in mind, our goal is to ensure that the presence of encryption does not hinder the user in any way from seamlessly:
- uploading, downloading, and previewing files
- organizing their ProtonDrive content into folder hierarchies
- moving, renaming, and deleting files and folders
Data model
All content in ProtonDrive lives inside a volume, an allotted amount of storage space, with each user having their own private volume. In the future, ProtonDrive will allow administrators to create a volume for their organization and to offer access to members of the organization.
Each file and folder in ProtonDrive is described by two entities:
- a node — this keeps track of the entry’s metadata (for example, type, size, creation, and modification time) and its attributes
- a link — this identifies the entry’s position in the folder tree. The link indicates the entry’s location by referencing the parent entry and by storing the name of the entry.
This model, similar to the Portable Operating System Interface (POSIX) file system model, facilitates communication and synchronization between ProtonDrive and the file systems on your device and will support the app on desktop and notebook in the future. In the case of files, the associated node also references the file content, which is split into multiple blocks, each with a maximum size of 4 MB.

Access
Accessing a volume is always done using a piece of information known as a share. A share can be seen as a kind of access card that provides a user with certain permissions and access to a specific part of the folder tree. A share, thus, has three functions:
- It references a link in the tree
- It limits the operations that can be performed on the content (for example, read-only or write-only)
- It carries the cryptographic material required to start the decryption process of the content
Each volume has a default share, corresponding to the root of its folder tree without any permission restriction.

Multiple users can be members of a share, and each membership can have its own permissions (admin, read, or write). This enables sharing content between Proton users or between members of an organization. A different method for sharing content with people without a Proton account is described in a later section.

Main encryption model
In this section, we describe the way content is encrypted in ProtonDrive. While there are many similarities with the ProtonCalendar encryption model, the difference lies in ProtonDrive’s hierarchical content structure, in which folder trees can have different depths. This means the decryption steps are repeated at each level of the tree.
All keys and passphrases are generated on the client’s side and only transmitted to the server in encrypted form. Similarly, file and folder names, as well as file contents, are only sent to the server in encrypted form, making it impossible even for Proton to decrypt any of these entities.
Accessing shares
Proton users with multiple ProtonMail email addresses can have multiple email addresses associated with their ProtonDrive account. Each address has an associated key that allows the account owner to access a share when they become a member.
When the share is created, the encryption system generates a 32-byte random share passphrase, along with an asymmetric key (the share key). The share key is locked using the share passphrase, which is encrypted and signed with the user’s address key.
In the case of multiple share members, the share passphrase is encrypted with each member’s address key.

Payload encryption
The PGP encryption method allows using multiple asymmetric keys or passwords to encrypt a payload. PGP begins the encryption process by generating a new symmetric session key, which is a random passphrase of sufficient length. The session key is used to encrypt the payload, producing the data packet.
The next step is to encrypt the session key, in turn, with each asymmetric key and each password provided by the user, resulting in multiple key packets. Each asymmetric key or password can decrypt its corresponding key packet and use the session key within to then decrypt the data packet. (See figure 5)
Allowing a new key (i.e., a new user) to decrypt the payload is a simple operation that doesn’t alter the data packet — only the session key needs to be encrypted again with the new key, producing a new key packet.

Files and folders are arranged in a tree structure. Therefore, there is a recurring pattern where a file or folder’s asymmetric key is locked with a passphrase, which in turn is encrypted with the asymmetric key of their parent folder. All passphrases are signed with the address key of the user, without which a malicious server could forge the contents of the tree.
Node encryption
For each node in the tree, whether a file or a folder, an asymmetric key and passphrase are also generated — the node key and passphrase. The node passphrase is encrypted with the parent folder’s node key (if the current node is not a volume root) or with a share key, if the current node represents a share root.
The file or folder name is also encrypted with the parent folder’s node key. As mentioned earlier, files are stored in blocks, where each block is at most 4 MB in size and is encrypted with the file’s node key. The blocks’ content hashes, which mask the original content through encryption, are concatenated in sequence, and the resulting string is signed with the address key of the uploader. This mechanism protects against a malicious or compromised server forging the contents of files.
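The repeated unlock step and the passphrase signature check described in this section, as an added example in JavaScript (Node.js) that is not ProtonDrive's own code. It models share and node keys as passphrase-locked RSA keys from Node's built-in `crypto` module rather than OpenPGP keys; all function names and sample file names are constructed for the illustration.

```javascript
// Added illustration, not Proton's code: the share -> folder -> file key chain, modelled
// with passphrase-locked RSA keys from Node's crypto instead of OpenPGP keys.
const nodeCrypto = require("node:crypto");

// New key pair locked by a fresh 32-byte passphrase. The passphrase is encrypted to the
// parent's public key and signed with the creating user's address key.
function createLockedKey(parentPublicKey, addressPrivateKey) {
  const passphrase = nodeCrypto.randomBytes(32).toString("base64");
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase },
  });
  return {
    publicKey,
    lockedPrivateKey: privateKey,
    encryptedPassphrase: nodeCrypto.publicEncrypt(parentPublicKey, Buffer.from(passphrase)),
    passphraseSignature: nodeCrypto.sign("sha256", Buffer.from(passphrase), addressPrivateKey),
  };
}

// A node is a locked key plus its name, encrypted to the parent's public key.
function createNode(name, parentPublicKey, addressPrivateKey) {
  return {
    ...createLockedKey(parentPublicKey, addressPrivateKey),
    encryptedName: nodeCrypto.publicEncrypt(parentPublicKey, Buffer.from(name)),
  };
}

// One level: decrypt the passphrase with the parent's private key, verify the address-key
// signature, and return a key handle usable for the next level down.
function unlock(entry, parentPrivateKey, addressPublicKey) {
  const passphrase = nodeCrypto.privateDecrypt(parentPrivateKey, entry.encryptedPassphrase);
  if (!nodeCrypto.verify("sha256", passphrase, addressPublicKey, entry.passphraseSignature)) {
    throw new Error("passphrase signature invalid: entry not created by this address key");
  }
  return { key: entry.lockedPrivateKey, passphrase: passphrase.toString() };
}

// Repeat the unlock step at each level of the path and collect the decrypted names.
function openPath(share, path, address) {
  let parentKey = unlock(share, address.privateKey, address.publicKey);
  return path.map((node) => {
    const name = nodeCrypto.privateDecrypt(parentKey, node.encryptedName).toString();
    parentKey = unlock(node, parentKey, address.publicKey);
    return name;
  });
}

function demoTree() {
  const address = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const share = createLockedKey(address.publicKey, address.privateKey);
  const folder = createNode("Taxes", share.publicKey, address.privateKey);
  const file = createNode("2020.pdf", folder.publicKey, address.privateKey);
  // An entry created without the user's address key (constructed stand-in for a
  // compromised server) decrypts fine but fails the signature check.
  const other = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const forged = createNode("planted.pdf", folder.publicKey, other.privateKey);
  let forgedRejected = false;
  try { openPath(share, [folder, forged], address); } catch { forgedRejected = true; }
  return { names: openPath(share, [folder, file], address), forgedRejected };
}

console.log(demoTree());
```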

The explanation so far covers the main points of the security model: encrypting and verifying stored content and sharing content between Proton users.
Sharing by URL
Our users may wish to share a file located in a ProtonDrive volume with someone who doesn’t have a Proton account. This can be done in a read-only manner through a mechanism that prevents Proton from accessing the shared content.
The method we developed is based on the web client generating secure URLs, which allow access to the contents of specific files. The URLs are password-protected, and having both the URL and the password gives access to the shared content. While the Proton server will know the URL, it will never receive the password.
When creating a new shareable URL for a file, the web client will first confirm that a share pointing to the file exists. The passphrase of this share must then be encrypted with the new password associated with the URL. This new password is either randomly generated by the ProtonDrive client or specified by the user.
For randomly generated passwords, the user can choose whether to include the password at the end of the URL, which is equivalent to sharing the content publicly. This section of the URL isn’t shared with Proton servers, making the password and the content inaccessible to Proton. Alternatively, the user can choose to share the password separately.
In the case of user-defined passwords, this option isn’t available and the password must always be communicated separately.
As a final step, the client makes a request to the server to create a new shareable URL, providing the new encrypted key packet of the share passphrase. The server stores the encrypted key packet and returns to the client a unique random URL for accessing the shared content.

When the URL is accessed, the server will return the encrypted payload needed to access the shared content. Only by knowing the URL password can the payload be decrypted and the shared file be accessed.
This is a simplified description which captures the central principle of the design. The actual implementation includes mechanisms to prevent the repeated abusive access of the URLs. It also offers the ability to set an expiration time for the URLs or to limit the number of times the URLs can be accessed.
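The session key and key packet mechanism from "Payload encryption" and its use in "Sharing by URL", as one added example in JavaScript (Node.js) that is not ProtonDrive's own code. It uses Node's built-in `crypto` (AES-256-GCM, RSA-OAEP, scrypt) instead of OpenPGP packets, and assumes the part of the URL that is not shared with the server is the URL fragment; the host name, path, token and all function names are hypothetical.

```javascript
// Added illustration, not Proton's code: session key, key packets and a share URL,
// modelled with Node's crypto (AES-256-GCM, RSA-OAEP, scrypt) instead of OpenPGP packets.
const nodeCrypto = require("node:crypto");

function seal(key, data) {                       // AES-256-GCM: iv || tag || ciphertext
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function unseal(key, packet) {                   // returns null if the key is wrong
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, packet.subarray(0, 12));
  d.setAuthTag(packet.subarray(12, 28));
  try { return Buffer.concat([d.update(packet.subarray(28)), d.final()]); }
  catch { return null; }
}

// Encrypt the payload once under a random session key, then wrap that key for a member.
function encryptFor(memberPublicKey, payload) {
  const sessionKey = nodeCrypto.randomBytes(32);
  return {
    dataPacket: seal(sessionKey, payload),
    keyPackets: { member: nodeCrypto.publicEncrypt(memberPublicKey, sessionKey) },
  };
}

// Add a password as a further way in: one new key packet, data packet untouched.
function addPasswordKeyPacket(message, memberPrivateKey, password) {
  const sessionKey = nodeCrypto.privateDecrypt(memberPrivateKey, message.keyPackets.member);
  const salt = nodeCrypto.randomBytes(16);
  const wrapKey = nodeCrypto.scryptSync(password, salt, 32);
  message.keyPackets.password = { salt, wrapped: seal(wrapKey, sessionKey) };
}

function decryptWithPassword(message, password) {
  const { salt, wrapped } = message.keyPackets.password;
  const sessionKey = unseal(nodeCrypto.scryptSync(password, salt, 32), wrapped);
  return sessionKey && unseal(sessionKey, message.dataPacket);
}

// Share URL: the generated password rides in the fragment, which is not part of the request.
function buildShareUrl(token, password) {
  return `https://drive.example/urls/${token}#${password}`; // hypothetical host and path
}
function splitShareUrl(shareUrl) {
  const u = new URL(shareUrl);
  return { sentToServer: u.pathname + u.search, password: u.hash.slice(1) };
}

function demoShareUrl() {
  const member = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const message = encryptFor(member.publicKey, Buffer.from("constructed share passphrase"));
  const before = Buffer.from(message.dataPacket);
  const password = nodeCrypto.randomBytes(12).toString("base64url");
  addPasswordKeyPacket(message, member.privateKey, password);
  // In this model the token is generated locally; on the page the server returns the URL.
  const url = buildShareUrl(nodeCrypto.randomBytes(8).toString("hex"), password);
  const { sentToServer, password: fromFragment } = splitShareUrl(url);
  return {
    dataPacketUnchanged: before.equals(message.dataPacket),
    serverSeesPassword: sentToServer.includes(password),
    recovered: decryptWithPassword(message, fromFragment).toString(),
    wrongPassword: decryptWithPassword(message, "not-the-password"),
  };
}

console.log(demoShareUrl());
```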
Conclusion
In this article we described the security model of ProtonDrive, which is designed to protect users’ data from malicious actors while offering the same ease of use as a non-end-to-end encrypted cloud storage service. As always, comments and suggestions are welcome, and security researchers can reach us at security@protonmail.com with comments or questions.
Best Regards,
The Proton Team
This post was authored by ProtonDrive technical lead Radu Popescu.
72 comments on “The ProtonDrive security model”
This looks amazing. Thanks a lot for your work.
The dominance of non-encrypted services such as Zoom or Google apps in companies is alarming. We, as employees, have no choice but to accept that our ID, salary, address, photo, contracts, phone number, bank account, insurance data, etc. is stored on GDrive. Google is even now starting to store health data. Given how Google puts facial recognition & text analysis & data mining on every bit it sees, this is not reassuring.
I sincerely hope more people, politics and more companies will understand the urgency to switch to privacy respectful solutions, be it for their privacy, their employees’ privacy or for national independence & security.
Can’t wait to try ProtonDrive
Hi,
Thanks for the support!
In reviewing the Proton Drive Security Model, it appears to be identical to another product which is already commercially available, Sync.com. What makes Proton Drive different? How will you differentiate yourself in the marketplace from products like Sync.com which are already commercially available?
Hi Dean,
Thanks for the comment. Our high security standards are an integral part of what makes Proton stand apart, but they are not the single factor. Defending everyone’s right to privacy and freedom of speech is at the core of our mission and the idea behind all our products. That’s why we are active in several areas related to human rights and it is also one of the reasons why we are based in Switzerland. To understand why Proton chose Switzerland and how this protects you, please read this article.
Thanks.
Very nice, can’t wait for this to release!
We’re also very excited, Edi! Thanks for the support!
When will this feature launch?
Hi,
ProtonDrive will be released later this year.
Thanks!
Will there be an iOS/iPadOS app which will allow photo backup?
Hi,
We will continue releasing more details about ProtonDrive in the weeks and months to come. Please continue checking our website. Thanks!
Will ProtonDrive be made available as an included feature for those who are already supporting your development efforts with a paid account? Or will you be charging paying subscribers for this as a separate feature?
Hi!
Please continue checking our website for more details on Proton plans. Thanks
Thanks for all the hard work! I’m excited to use ProtonDrive once it’s released.
Thanks, Mica!
Wuuush, that’s the sound of all those technical details flying over my head, but I am looking forward to trying it!
Thanks, Brian!
It’s all very clever and detailed, but one needs a computer analyst’s qualification to understand it! That’s the problem with Proton Mail: nothing is ever made easy to help the regular guy use the many different parts of the system. Yes, you understand what you’re doing, but you forget about the user… your customer!
Thanks for the explanation. I can’t wait to use ProtonDrive.
All of this was a bit complex and thus I might be wrong, but I fear I have spotted a mistake: in the node encryption diagram (second from the end) there are two “Parent node key” labels. I believe the second one should be “Node passphrase” instead.
Thanks!
Good catch! We’ve fixed it. Thanks!
Looks interesting, but I am afraid that Google or Amazon are not the competitors, because most users don’t know Proton, and the users who know Proton also know the secure cloud services.
I think the competitors of ProtonDrive will be MEGA and Tresorit. (Not Sync.com, if the US Congress accepts the EARN ACT)
I am excited to read more information about ProtonDrive to decide between these three cloud services.
Currently I use Tresorit.
Hey, really excited to try Proton Drive!
Thanks for your work.
Finally!
Can’t wait for release.
Thanks! Can’t wait to use proton drive!
I might be wrong (the explanation of the security model is rather complex), but I believe that the second “Parent Node Key” label in the “Node encryption” diagram should be “Parent Passphrase” instead. I believe so because in the “Accessing shares” paragraphs it is shown that an address signs a passphrase which unlocks a key, which seems the same thing happening in the top of the “Node encryption” diagram.
(I already wrote this about 1 week ago, but I see it was not published. I am trying again because I am suspecting that something went wrong on my side, maybe due to cookies disabled. Sorry for double posting if I am wrong.)
Really appreciate all the work you’re doing. So happy to support Proton. Rooting for you all!
Sync.com is based in Canada which is a “five eyes” nation which makes privacy less than optimal.
Where will the data be stored? In the USA?
For citizens of the EU that’s forbidden.
Hi Ric,
There won’t be any Proton servers in the USA. From a privacy protection standpoint, the legal framework there is not strong enough to justify this. We will offer all ProtonDrive users the option of using servers in Switzerland, but we will likely also offer servers in another country as well, potentially Germany.
Excellent! As soon as the beta goes live, please let me know.
uncontrollably excited!
If the Proton drive will be something like the MEGA.nl cloud service where I can back up my stuff and there is a Mac app available that monitors one or more folders on the Mac, syncing them with the Proton drive, I’ll be happy to switch service from New Zealand to Protonmail!
When will this feature be available?
Hi Geoffrey! ProtonDrive is entering early access for some paid users and will be available to more groups of paid users in the coming months.
Are there plans to create apps for NAS devices or otherwise allow somewhat easy backups of NAS data to ProtonDrive? I recently got a NAS and am looking into cloud backups. I’m not satisfied with the security of the current options available, but I would be totally comfortable committing my personal data to ProtonDrive if that were an option. Thank you for all you do!
Looking forward to seeing this go live. Not sure sending key in the url is better than making the file public.
trygve
Privacy & security are increasingly important in today’s environment. Thank you all for the effort you are putting into providing safe storage & communications for private citizens & corporations.
I’m very much looking forward to ProtonDrive; moreover, I am looking forward to ProtonDrive for Organizations. It will definitely be of great use. Thank-you for the work everyone at Proton performs. Stay safe everyone.
A QNAP Cloud Sync option would be a sweet addition.
Really looking forward to the launch. Hope it’s sooooooooon!!!
As a ProtonMail user, will I be automatically notified when the ProtonDrive is ready?
Hi Don,
Yes, as a ProtonMail user, you should have received an email notifying you of the ProtonDrive beta.
I need this now. I’m going to be moving my email from google to protonmail very soon (I already have a paid account, I just need to make the transition.) I also use Google Drive, I would love for you to let me abandon Google Services altogether. Thank you.
Is there a launch date for Proton Drive yet? I will definitely sign up for this.
Hi MaryAnne,
We are happy to announce we recently released the ProtonDrive beta. Given the development work that needs to be done, we cannot give a firm date of when ProtonDrive will be publicly released. You can keep up with the latest ProtonDrive developments by following our blog and social media channels.
Cheers
I’m a paid member. Notify me once released.
Hello
Is it possible to create an iOS app so we can upload our photos and files directly to ProtonDrive?
Thanks
Hello Xhej,
We are currently working on an iOS app for ProtonDrive. Stay tuned to this blog and our social media channels for updates.
Cheers
Looking forward to it.
In the last year or two I had migrated:
1. From DropBox to pCloud but still within their free / usage tier.
2. Gmail to HEY
3. Express VPN
4. Calendar still with Google unfortunately
I still have my main email with HEY but will be reviewing and migrating to Proton when my HEY subscription ends next year, as the culmination of everything, and that would be great.
We’re glad you’re taking steps to take back control of your personal data, Shas. We look forward to welcoming you aboard!
Can’t wait!!! I’m already way more excited than I should be!!!
You guys are awesome!
Fantastic!
I can’t wait either. What would the storage options look like in terms of size upon final release?
Hi Rudi,
Storage is currently being shared between your ProtonMail inbox and your ProtonDrive account. We plan on increasing the amount of storage accounts receive in the future.
This is excellent timing. I was just looking into the latest options for backing up files.
I’m a paid user. How much room do we have while in the testing phase for the drive?
Your storage that comes with your ProtonMail inbox will be shared with ProtonDrive during the beta testing phase.
I am anxious to try the new ProtonDrive. My faith and trust in your organization continues to grow. Well done!!
Thanks Joel!
When is this ready?
ProtonDrive beta has already been released!
Will users be able to share folders and/or files with persons without a Proton account?
Hello Welshy,
Yes, the ability to share folders and files with anyone, including non-Proton users, is one of the features our development team is currently working on.
Is Proton Drive HIPAA compliant?
Hi Paul,
Since ProtonDrive is end-to-end encrypted and protects data in transit and at rest, yes, it will be HIPAA compliant once it is complete. You can read more about ProtonMail’s HIPAA compliance here: https://protonmail.com/blog/hipaa-compliant-email/.
Cheers
Any update on ProtonDrive?
This might interest you: https://protonmail.com/blog/proton-drive-early-access/
I’m a paid up Proton VPN/Mail user for another year yet and just uploaded some files to the new storage.
Wading through all the technical stuff about it is not helping this old guy at all. I tried your question thing and got zilch.
How do I give a link to those files or just one at a time to others so they can download them?
Can I put a password on all or just one file so a friend can get it?
I’m sure you have this info somewhere but I’m not finding it.
There sure is a lot of breaks and re-connections going on with the VPN service that makes me wonder if it’s worth the money. Constantly re-connecting and screwing up posts I’m trying to do to even worse than when I used TOR on a regular basis.
I’m not a happy camper about this right now I don’t think I will pay for more of this once my account runs out in a year unless it improves. How about some more Canadian server options in Alberta where I live. I like the BC ones as that’s where I was born but have to use Toronto to keep a half decent connection that still goes on and off every few minutes sometimes.
My desktop is hardwired to our ISP while my wife and step-daughter are using wifi to access the same service and never have problems. They do not use Proton VPN so what’s up?
And why do I have to re-login to your stuff when I open a new page like this one? I’ve had to login 3X already and sick of it! Another bug that makes me want to not pay more for this stuff.
Please get it together before my account runs out next Dec. I have not been recommending your service to others because of all the problems I’ve been having.
I have turfed MS Edge, Bing etc from my Win10 machine and only use FireFox but lately downloaded Opera which has a free VPN. I use Win10Privacy to shut down all access to my machine and have never had a viral attack cause me a shutdown since 1987 when I got my first PC. I’ve hand built every new PC since.
Hi Bruce,
You can use a link to share your files one at a time (https://protonmail.com/blog/file-sharing-proton-drive/) or you can zip your files together, store them on Proton Drive, and then share them all at once. You can also password-protect each link you share.
I’m also sorry to hear that you are having difficulty with ProtonVPN. I will share your comments with our team.
Hello. How about a browser with the same encryption?
Hi Ignacio,
Good suggestion. A Proton Browser is something we may consider for the future.
Cheers
I started selling PCs to corporations in 1987. I’m 72 now, retired, and IT passed me by 10 years ago. I need an analogy to grasp Proton’s tech rigor. For example, our country’s 27 trillion debt is equal to each citizen (man, woman, child or baby) owing $88,000… or a family of 4 owes $332,000 to pay the debt.
To help me grasp Proton, would you say Proton protects me against: a) armour-piercing small arms b) an anti-tank missile or c) ground-leveling ‘shock and awe’ bomb?
I’m thrilled for you all at Proton to experience unimaginable growth and development.
Kind Regards,
Doug
Hi Doug. c) ground leveling ‘shock and awe’ bomb? We certainly try very hard to be as secure as it’s possible to be.
Really excited for its release along with App compatibility. Hope the team makes it ASAP.
I will start out by saying that I am NOT tech savvy, so I did not understand most of the above information. I am however, a very PRIVATE person so the very fact that I can switch ALL of my sensitive info/data to Proton was good enough for me.
Thank you Team Proton for providing this great addition to your “portfolio”!!!!!