Whether you don't trust government agencies or simply want maximum security, reliability and integrity Degoo's top secret storage is the choice for you.


The Top Secret folder is currently accessible only through the Android app, via Menu > Files > Top Secret.

What is the top secret storage?

Top secret storage is what makes Degoo the most secure cloud drive in the world.

The top secret feature in Degoo is a method of making sure it's technically impossible for anyone but you to access your uploaded files. The top secret feature consist of two parts; zero knowledge encryption of your files and cross-continent storage replication. You choose a passphrase known only by you, not stored anywhere in Degoo, that's used to encrypt and sign your uploaded files to ensure maximum security. Your files are encoded into individually signed chunks with redundancy and uploaded to multiple storage providers for maximum security and reliability.

Important! You need to make sure to store your passphrase somewhere safe. Since the passphrase isn't stored anywhere in Degoo you can't reset it if you forget it.

Part 1: Zero knowledge encryption

A complex concept, zero knowledge encryption encrypts a user’s files with randomly generated AES-256 encryption keys. Each generated key is stored along with the encrypted files and then encrypted with a password only known by the user.

Key Derivation & Function

    • The user’s password derives a key using the PKCS 5 V2.0 Scheme 2.
    • The derived key is used to encrypt both of the user’s files, and the AES-256 encryption key used to encrypt the meta data stored about the files

AES-256 keys

    • The AES-256 keys are randomly generated and encrypt each block of data that’s uploaded to a user’s Degoo account

    • A user-constant AES-256 encryption key is also generated and encrypts the metadata about each file

    • All symmetric encryption is done using AES/CBC/PKCs5Padding

RSA-4094 Key Pair

    • The randomly generated AES-256 encryption keys are encrypted with a public RSA-4096 key
    • The corresponding private key is needed to decrypt the AES key when a file is downloaded

HMAC-SHA1

  • When a file is uploaded, a HMAC signature is produced and then verified the file is downloaded, ensuring the integrity of that file

Storing Encryption & Signing Keys

    • A user’s encryption and signing keys are only uploaded to Degoo's server once they are encrypted using the user’s password with the exception of the public RSA-4096 key. The public RSA-4096 can only be used to encrypt, not decrypt

    • By storing it without any additional encryption, files can be uploaded securely in the background, without the user needing to enter a password every time the app starts

    • Keys are uploaded to ensure that the user can recover and download files on whichever device Degoo is installed without having to move them manually to the new device

    • Keys can only be decrypted with the user’s password and are only decrypted in memory on each device when files are downloaded

Part 2: Cross-Continent Storage Replication

To improve security even further and to ensure reliability, files are also stored across multiple data centers and storage providers.

Blocks of Data

  • Files are encoded into blocks of data, usually around 8 MB each, for improved performance and to reduce bottlenecks

Reed-Solomon codes

    • One block of data is coded with Reed-Solomon error-correcting codes
• This produces four shards of data in which the original data is scrambled, further improving security
    • The encoding is made with a 4/3 redundancy, meaning that any 3 shards are needed to reconstruct the original block of data

HMAC-SHA1

  • In addition, each shard also produces an HMAC signature that's verified upon downloading to also ensure the integrity of each shard

Storage replication

    • Each shard is uploaded to a different data center across multiple storage providers, ensuring that a user’s file are protected from a storage provider abusing its privacy policy or any national agency that tries to access the files

    • The storage replication together with the redundancy also improves the reliability of user files if a data center should experience downtime


While highly technical, this encryption process is what makes Degoo the most secure cloud drive in the world. What makes it unique, however, is that Degoo allows for this to be an option for its users. At its core, zero knowledge encryption isn’t very user friendly and the fact that a user’s password isn’t recoverable by Degoo can cause problems for some if it’s forgotten, lost, etc. Giving users the choice to use this top secret storage makes all the difference!