Analysis of Drime Cloud's E2EE and Zero-Knowledge Claims
Original Report: October 2025 | Updated: November 2025
Status Update: This report has been updated with significant new findings regarding the underlying software architecture ("BeDrive") and proof of artificial data inflation. See
"Part 2" below.
This page isn't made to shame Drime, but to ensure users understand what they're actually getting.
Drime lies about contacting me
Drime's founder has publicly stated on Reddit that they "reached out to me multiple times" and sent a "detailed response document" but that I "never replied".
This is a fabrication.
- The Timeline: My email address (sylphie@tuta.io) was only added to this report in the "Part 2" update (November 2025). Prior to this update, this report was anonymous and listed no contact information whatsoever(verifiable by Github history).
- The Impossibility: It is physically impossible for Drime to have emailed me "multiple times" before November because the contact method did not exist. Unless Drime has found a way to send emails to the future, their claim is a lie designed to discredit this research.
- The "Document": If Drime actually possesses a "detailed response document" that refutes these technical findings, they are free to publish it publicly. Hiding it behind a claim of "unanswered emails" suggests the document does not exist.
Message to Drime
You said: "Only metadata is not E2EE for technical reasons."
Translation: "The $29 script we bought (BeDrive) wasn't built to encrypt filenames, and we don't know how to rewrite the core database logic to fix it."
The claim that 'File contents are fully E2EE and cannot be read server-side' contradicts the API evidence:
- The IV: The API returns an exposed
iv (Initialization Vector) field in the database row. In true Client-Side E2EE, the IV is bundled into the encrypted blob and managed by the client. An exposed database IV is the hallmark of Server-Side Encryption (standard Laravel/PHP encryption).
- Keys: If the server is generating/storing the IV and validating the password hash (
check field), the server is an active participant in the cryptography. This means the server holds the keys.
- Meaning?: While you can theoretically have E2EE with plaintext metadata, you are conflating 'End-to-End Encryption' with 'Encryption at Rest.' If the server holds the keys (which the BeDrive architecture does), it is Encryption at Rest, not E2EE.
If the server stores the salt, the password check, and the per-file IVs and can validate whether the vault password is correct, then the server can derive the encryption key and decrypt the files. That means the system is not end-to-end encrypted, even if the metadata or file contents are encrypted.
Drime founder doesn't seem to know the difference between E2EE and Encryption at Rest.
Please explain why the database stores a separate IV if the encryption is truly happening entirely on the client device.
If you would like to discuss these findings, please email me or open a GitHub issue in the repository.
Summary
This document examines the encryption claims made by Drime Cloud regarding their "Vault" feature. Through API analysis, I found significant discrepancies between their marketing statements and the actual implementation.
Drime Cloud advertises their Vault as having "zero-knowledge" and "end-to-end encryption," stating that "Only you can see your files. Not us, not anyone else." However, API responses show that all file and folder metadata is transmitted in plaintext to their servers.
Background
Drime Cloud is a file storage service based in the European Union. Their Vault feature is marketed as a secure, encrypted storage solution for sensitive files. The service claims to implement zero-knowledge encryption, which typically means that the service provider cannot access any user data, including metadata.
Marketing Claims
The following statements appear on Drime's official website at drime.cloud/vault:
"Drime end-to-end encrypted (E2EE) Vault provide the most secure way to store your most sensitive files in the cloud."
"Zero-knowledge: Only you can see your files. Not us, not anyone else. We don't store passwords, and we can't access your data."
"Your files are encrypted on your device and never leave it unprotected. Only you can access them, not even Drime."
Figure 1: Drime's "Zero-knowledge" marketing claim (Source: drime.cloud/vault)
Note: They have since changed "Zero-knowledge" to "Secure Vault" on their website. The original page is archived at:
web.archive.org
Drime hasn't sent any notification of this change to their users and silently removed the "Zero-knowledge" claim from their website.
Technical Analysis
When accessing the Vault feature, the client makes an API request to:
https://app.drime.cloud/api/v1/vault/file-entries
The response contains the following data structure:
{
"id": 26833,
"name": "My Confidential Tax Documents",
"description": null,
"file_name": "2024_tax_return.pdf",
"mime": "application/pdf",
"file_size": 2547891,
"type": "folder",
"extension": "pdf",
"created_at": "2025-10-03T19:45:30.000000Z",
"updated_at": "2025-10-05T16:38:35.000000Z",
"path": "26833",
"vault_id": 440,
"is_encrypted": 1
}
Exposed Metadata
The API response reveals the following information in plaintext:
- Complete file and folder names
- File descriptions
- MIME types and file extensions
- Exact file sizes in bytes
- Complete directory structure
- Creation and modification timestamps
- Access patterns
The response includes an "is_encrypted" flag set to 1, which appears to indicate that file contents are encrypted, but not the metadata.
Figure 2: API response showing unencrypted metadata in browser DevTools
Comparison with Industry Standards
True zero-knowledge encryption implementations encrypt metadata on the client side before transmission. For comparison, pCloud's Crypto Folder service returns encrypted filenames:
{
"name": "CM4LSAOHWDTXNPEJF2XZA67KOPDJ5XOJWACR3JVTT4KK3DRQBAE5RHIY4Z4IUKSDO4AM4ZODDSH7S",
"encrypted": true,
"contenttype": "application/octet-stream"
}
Other services implementing true zero-knowledge encryption include:
- Proton Drive - Uses PGP-based encryption for all metadata
- Tresorit - Client-side encryption of filenames and folder structure
Figure 3: pCloud Crypto folder showing encrypted filename vs Drime's plaintext
Privacy Implications
The exposure of metadata has significant privacy implications:
| Information Type |
Visible to Drime |
Privacy Risk |
| File names |
Yes |
Reveals document subject matter |
| Folder structure |
Yes |
Shows organization and categories |
| File types |
Yes |
Indicates content nature (medical, financial, etc.) |
| Access times |
Yes |
Behavioral patterns and frequency |
| File sizes |
Yes |
Can infer content complexity |
This metadata can be:
- Accessed by Drime employees
- Subpoenaed by law enforcement
- Exposed in the event of a data breach
- Used for internal analytics or profiling
Additional Security Concern
The vault_id field uses sequential integers (440, 441, 442, etc.). This implementation allows any user to determine the total number of vaults created system-wide by creating and deleting vaults and observing the increment. This is a minor information disclosure that violates common security practices. Standard implementations use UUIDs or random identifiers to prevent enumeration.
Figure 4: Sequential vault_id allowing enumeration of total vaults
Reproduction Steps
The findings can be verified using the following process:
- Create a Drime account and enable the Vault feature
- Create folders with descriptive names (e.g., "Personal Medical Records")
- Upload files with recognizable filenames
- Open browser developer tools (F12) and navigate to the Network tab
- Access the Vault by entering the vault password
- Locate the API request to /api/v1/vault/file-entries
- Examine the JSON response body
All metadata will be visible in plaintext in the response.
Company Response
When these findings were initially reported, Drime's team responded with the following statement:
"Drime Vault is a new feature, and we've already addressed these concerns. The file content is fully end-to-end encrypted, it's encrypted on your device before being uploaded. Some providers use the term 'zero knowledge,' which usually means that even metadata is encrypted. We plan to bring this level as well once Vault is fully stable."
In a subsequent response, they stated:
"We do not claim 'zero knowledge', and we've already clarified this in past discussions when asked."
This statement contradicts their marketing page, which explicitly includes a section titled "Zero-knowledge" with claims about data access.
Figure 5: Drime's response claiming they "do not claim 'zero knowledge'"
Note on Censorship: After posting these findings on their subreddit, my account was permanently banned and the post was removed along with the Drime team's response. This occurred shortly after their response received several upvotes.
Legal and Regulatory Considerations
Drime Cloud operates in the European Union and markets services to EU citizens. The discrepancy between marketing claims and actual implementation may raise concerns under several regulatory frameworks:
- GDPR Article 5 requires accuracy and transparency in data processing claims
- The Unfair Commercial Practices Directive prohibits misleading advertising
- Consumer protection laws require truthful product representations
The use of terms like "zero-knowledge" and statements such as "Not us, not anyone else" while maintaining server-side visibility of metadata could be considered misleading to consumers making security decisions.
Recommendations
For Drime Cloud:
- Update marketing materials to accurately reflect what data is and is not encrypted
- Remove or clarify the "zero-knowledge" claims until metadata encryption is implemented
- Provide clear documentation about what information is visible to the service
- Implement UUID-based identifiers instead of sequential integers
- Provide a specific timeline for implementing metadata encryption
For users considering Drime Vault:
- Understand that file and folder names are visible to Drime's servers
- Assume metadata can be accessed by the company and legal authorities
- Consider whether the current level of encryption meets your threat model
- Evaluate alternative services if metadata privacy is critical
Conclusion (Part 1)
Drime Vault appears to implement encryption-at-rest for file contents, which provides some level of protection. However, the implementation does not meet the industry standard definition of "zero-knowledge" encryption, which requires that metadata also be encrypted client-side before transmission.
Part 2: Investigation Update (November 2025)
The "BeDrive" Connection
Following the initial report, further API analysis has identified that Drime Cloud appears to be running a white-labeled version of BeDrive, a generic PHP file-sharing script available on CodeCanyon for approximately $29. The API endpoints and backend structure match BeDrive's architecture by approximately 95-98%.
1. The "Military-Grade" Hash Analysis
The file identifiers used by Drime are not cryptographically secure hashes. The API returns a "hash" field that, when analyzed, reveals simple obfuscation rather than encryption.
API Response:
"hash": "MzQ0NDZ8cGFkZA"
Decoded (Base64):
34446|padd
This matches the exact PHP source code found in the BeDrive script, which manually pads the ID with the word "padding":
public function getHashAttribute(): string {
return trim(base64_encode(str_pad($this->getRawOriginal('id').'|', 10, 'padding')), '=');
}
This proves that the "secure hash" is merely the sequential database ID encoded in Base64. It is reversible and allows for enumeration of files.
2. Server-Side Encryption (Not Zero-Knowledge)
The API response for "encrypted" Vault files includes an Initialization Vector (IV) stored directly in the database row:
{
"is_encrypted": 1,
"iv": "TM49hT8aKz73V8iP"
}
In a true client-side Zero-Knowledge architecture, the server should receive a single encrypted blob and should not be managing the IV separately. The presence of this field indicates that Drime is using standard Server-Side Encryption (likely via the Laravel PHP framework). This implies that Drime holds the encryption keys on their server and can technically decrypt user files at will.
3. The "Vault" is a UI Gate
When accessing the Vault, the API returns a password verification hash to the client:
"check": "VqpUxQg3x4kJB2aKekAR6KQi15X476qvp1dtMQ=="
This suggests that the "Vault" protection is a UI-based restriction. The server verifies the password hash and then grants access. Since the server holds the encryption keys (as proven by point #2), a rogue admin can bypass this password check entirely to access the files.
4. Artificial Data Inflation
By analyzing the sequential database IDs exposed by the BeDrive architecture, we can estimate the actual size of the platform versus the implied size.
| Metric |
Observed ID |
Interpretation |
| Vault Files |
~34,446 |
The total number of files ever uploaded to the Vault system-wide is only ~34k. This indicates extremely low usage. |
| Regular Files |
~482,280,015 |
This number appears artificially inflated. Given the user ID count (~19k), this would imply 25,000 files per user, which is statistically improbable. |
Actual number of files ever uploaded is probably somewhere around ~2,280,015(without vault).
It appears the database auto-increment counter was manually set to a high number for regular files to create the appearance of scale, but the admins neglected to inflate the Vault file counter.
Final Conclusion
Drime is not a trustable or honest company. The Drime founder constantly twists and switches their definitions of E2EE to suit the situation. Their narrative regarding "Zero Knowledge" has shifted repeatedly when challenged:
- Marketing Claim: "Zero Knowledge... Only you can see your files. Not us, not anyone else."
- First Denial: "We never claimed 'Zero Knowledge'."
- Final Admission: "We did have a header saying we have 'Zero Knowledge' but we removed it."
Beyond these verbal inconsistencies, the technical architecture proves the deception. Drime is running a white-labeled instance of a $29 generic script (BeDrive). Because the server stores the salt, the password verification hash, and the per-file IVs, the system is fundamentally not End-to-End Encrypted.
Using Drime is like using Google Drive or Dropbox. The service provider holds the keys to your data and can access it at any time (e.g., internal snooping). The critical difference is that Google and Dropbox do not falsely advertise themselves as "Zero-Knowledge" privacy vaults, nor do they run on generic template scripts with artificial statistics.
If the server can validate that a password is correct (via the "check" hash) and holds the encryption IVs, the server possesses the ability to derive the keys and decrypt the files. This is standard Encryption-at-Rest masquerading as a military-grade privacy vault.
Verdict: Drime is not E2EE and users seeking genuine privacy or protection from server-side data breaches should avoid Drime Cloud entirely.
This analysis was conducted in October and updated November 2025. All evidence has been archived and is available for verification.
Contact: sylphie@tuta.io