Security

How your files
are protected.

Every file is protected with authenticated AES-256-GCM encryption before it reaches object storage. A unique 256-bit key is generated for each file and secured through our isolated OpenBao key-management system. TLS 1.3 protects data in transit, while our hybrid-capable architecture is designed for future post-quantum key protection.

TLS 1.3 AES-256-GCM Unique Per-File Keys Encrypted Before Storage Isolated Key Management Post-Quantum Ready

What's protecting your files today

The plain-English version of each layer — with the technical detail for those who want it.

TLS 1.3 in transit

Everything moving between you and Folder Fort travels through an encrypted tunnel — browser uploads, downloads, previews, API traffic, and shared links. Nobody on the network in between can read it.

AES-256-GCM at rest

Before your files are sent to Backblaze or your connected S3 storage, they're sealed with AES-256-GCM — the same encryption class trusted for government and banking data.

A unique key for every file

Each file gets its own independently generated, random 256-bit encryption key. No shared master password over your data — one file's key opens exactly one file.

Tamper detection built in

Encryption is authenticated: every 8 MiB chunk carries its own nonce and authentication tag. If a stored chunk is ever corrupted or tampered with, it's detected — not silently accepted.

Isolated key management

File keys are wrapped by a non-exportable master key inside our OpenBao Transit key-management system. The master key never enters the application or the database — even a compromised app server couldn't walk away with it.

Ciphertext-only storage

Our storage providers only ever receive encrypted bytes. Backblaze stores ciphertext — scrambled data that's meaningless without the keys, which they never have.

Streaming encryption

Large uploads are encrypted on the fly, directly into multipart object-storage writes. The complete plaintext file is never assembled and left sitting anywhere along the way.

Business unlock key Optional

Business accounts can add an X25519 public-key wrap — an additional, independent way to unlock newly uploaded files, under your control.

Post-Quantum Ready — what that means

Quantum computers are expected to eventually break today's public-key cryptography. Our key system is designed so quantum-safe algorithms can be added without re-encrypting your files — your data is stored in a way that's ready for the next generation of standards.

Standardized ML-KEM support is planned and will be enabled as the ecosystem matures; browser connections currently use TLS 1.3, which every modern browser supports. This page will be updated as new protections roll out.

Questions about how your data is protected? Ask us — we're happy to get into the details.

Store it safely

Ready to move in?

Start free in under a minute. No credit card required.