For quick encrypted transfers between two machines, Magic Wormhole is the best option – it creates a direct encrypted connection with no cloud dependency. For encrypted cloud storage with CLI support, use Rclone with its crypt backend to layer zero-knowledge encryption on top of any provider. For team collaboration with audit trails, Tresorit or self-hosted Nextcloud with end-to-end encryption provide the most complete feature sets. Here is how each solution compares on API access, encryption architecture, and developer workflow integration.
What Developers Need from File Sharing Services
Developer-focused file sharing goes beyond simple drag-and-drop uploads. Your requirements include programmatic access through APIs, command-line interface support, audit trails for compliance, and granular access controls. The service should integrate into existing workflows without creating friction.
End-to-end encryption is the baseline expectation. This means the service provider cannot read your files—they simply store and transfer encrypted blobs. Some services offer zero-knowledge architecture where even the encryption keys never leave your control.
CLI-First Options for Developers
Magic Wormhole
Magic Wormhole provides a Python-based tool for secure file transfer between two machines using a shared passphrase. It establishes a direct encrypted connection and handles NAT traversal automatically:
# Install magic wormhole
pip install magic-wormhole
# Send a file (receiving side runs the wormhole command)
wormhole send document.zip
# Receive a file (sending side provides the wormhole code)
wormhole receive
The tool generates a short code phrase that the recipient enters to establish the connection. Files transfer directly between machines without intermediate storage, and the protocol uses SPAKE2 for key exchange. Magic Wormhole works well for one-off transfers but lacks persistent storage and team management features.
Rclone with Crypt
Rclone is a command-line program to manage files on cloud storage, and its crypt backend provides transparent encryption:
# Configure rclone with crypt
rclone config create my-crypt crypt \
password="your-encryption-password" \
password2="your-confirmation-password" \
remote="gdrive:/encrypted"
# Copy files (automatically encrypted)
rclone copy sensitive-data/ my-crypt:/backups
# List encrypted files (shows gibberish names)
rclone ls my-crypt:/
# Mount encrypted filesystem
rclone mount my-crypt:/ ~/encrypted-gdrive &
This approach encrypts files before they reach your cloud provider, giving you zero-knowledge privacy while maintaining cloud storage convenience. The tradeoff is that you lose cloud-native features like search and preview since files are encrypted client-side.
Syncthing
Syncthing provides continuous file synchronization between devices with end-to-end encryption. Unlike cloud-based services, your data never leaves your controlled infrastructure:
# Install syncthing on Linux
sudo apt install syncthing
# Start syncthing daemon
syncthing serve
# Configure via web UI at http://localhost:8384
# CLI interaction using syncthing-cli
syncthing-cli devices add <device-id>
syncthing-cli folders add /path/to/folder
Syncthing uses device IDs rather than accounts, eliminating centralized identity management. Each device maintains its own encrypted database, and you can configure folder-level access controls. The learning curve is higher than consumer services, but the transparency and self-hosting option appeal to security-conscious developers.
Self-Hosted Solutions
FileBrowser
FileBrowser provides a web-based file manager with built-in encryption support:
# Run with Docker
docker run -v /data:/data -p 8080:80 \
filebrowser/filebrowser
# Configure encryption in settings
filebrowser config set --encryption /path/to/keys
You control the server, can implement custom authentication, and pair with your own encryption layer. FileBrowser handles upload, download, and sharing through generated links with expiration times.
Nextcloud with End-to-End Encryption
Nextcloud offers comprehensive file sharing with optional end-to-end encryption:
# Enable end-to-end encryption app
occ app:enable end_to_end_encryption
# Configure encryption keys
occ encryption:enable
occ encryption:select-encryption-type masterkey
The end-to-end encryption feature stores files encrypted on the server, with decryption keys held only by users. However, server-side processing features become limited since the server cannot read file contents.
Cloud Services with Strong Developer Support
Tresorit
Tresorit focuses on zero-knowledge encryption with enterprise features:
# Tresorit CLI for automated transfers
tresorit send --path /path/to/file --expiry 7d --password
# Programmatic access via API
curl -X POST https://api.tresorit.com/files \
-H "Authorization: Bearer $TRESORIT_TOKEN" \
-F "file=@document.pdf"
The service provides comprehensive audit logging, which matters for compliance requirements. Pricing reflects the enterprise focus, making it most suitable for organizations with budget for premium solutions.
Proton Drive
Proton offers encrypted storage with increasing developer features:
# Proton Drive CLI (if configured)
proton-drive upload --file document.zip
# Or use WebDAV integration
mount.davfs https://drive.proton.me/ ~/proton-drive
Proton maintains strong privacy commitments with Swiss jurisdiction and open-source clients. The developer ecosystem is less mature than alternatives, but the privacy-first approach appeals to users uncomfortable with US-based services.
API-First Approaches for Developers
For teams building file sharing into applications, direct API access matters more than UI features.
Scaleway Object Storage with Server-Side Encryption
import boto3
# Configure client with encryption
s3 = boto3.client('s3',
endpoint_url='https://s3.fr-par.scw.cloud',
aws_access_key_id=os.environ['SCW_ACCESS_KEY'],
aws_secret_access_key=os.environ['SCW_SECRET_KEY'])
# Upload with server-side encryption
s3.put_object(
Bucket='secure-files',
Key='sensitive/report.pdf',
Body=open('report.pdf', 'rb'),
ServerSideEncryption='AES256'
)
This approach delegates encryption to the cloud provider while maintaining control over access policies. The provider handles key management, reducing operational complexity.
Cloudflare R2 with Customer-Managed Keys
# Upload via Workers API with encryption context
wrangler secret put ENCRYPTION_KEY
Cloudflare R2 offers zero egress fees and supports customer-provided encryption keys, giving you control over the encryption lifecycle without managing infrastructure.
Choosing the Right Solution
Select based on your threat model and workflow requirements.
For quick transfers between machines without cloud dependency, Magic Wormhole provides the fastest path to secure file movement. The direct connection model eliminates trust in third-party storage.
For encrypted cloud storage while maintaining usability, rclone with crypt offers flexibility across providers. You keep encryption keys while leveraging existing cloud accounts.
For continuous synchronization across devices with full control, Syncthing excels. The self-hosted nature removes recurring costs and places your data entirely within your infrastructure.
For team collaboration requiring audit trails and management features, Tresorit or Nextcloud provide the features but come with corresponding costs and complexity.
For application integration, services with robust APIs like Scaleway or Cloudflare R2 give you building blocks for custom implementations while handling the encryption primitives.
Regardless of choice, verify that encryption covers both transit and storage, that you control or understand key management, and that the service supports your required access patterns. The best tool fits naturally into your workflow without forcing security compromises.
Related Reading
- More guides coming soon.
Built by theluckystrike — More at zovo.one