From the Rubble | Digital Sovereignty Series | Episode 3

TLDR: Google Drive, OneDrive, and Dropbox all hold the encryption keys to your files — meaning they can read everything you store, and so can anyone who compels them legally. Filen is zero-knowledge encrypted: your files are encrypted before they leave your machine, and Filen structurally cannot read them. This covers installing Filen as an AppImage on immutable Linux, the sync vs. mount decision, getting your Obsidian vault syncing across every device, and why this is the file layer the rest of the sovereign stack is built on.

series: [“Digital Sovereignty”]

At some point you have to put your files somewhere.

On Windows the path of least resistance is OneDrive — it’s already integrated, it prompts you constantly, and before long your documents are living on Microsoft’s servers whether you thought about it or not. Google Drive, Dropbox, iCloud — same story with different logos. Convenient, deeply integrated, and built on a fundamental arrangement you probably haven’t looked at carefully: your files live on their infrastructure, under their terms, readable by them or any government agency with the right paperwork.

“But it’s encrypted,” you say. Yes. Encrypted in transit, and encrypted at rest on their servers — with keys they hold. Which means they can read your files. Which means anyone who can compel them legally can read your files. Which means it’s not really your data, it’s your data that they’re storing for you under conditions you don’t control.

That’s the arrangement you’re accepting when you use mainstream cloud storage. Most people don’t think about it until something goes wrong.

Filen is a different arrangement entirely.

series: [“Digital Sovereignty”]

Zero-Knowledge Encryption — What It Actually Means

Filen is end-to-end encrypted with a zero-knowledge architecture. These words get thrown around a lot, so let’s be specific about what they mean in practice.

End-to-end encrypted means your files are encrypted on your device before they leave it. The data traveling to Filen’s servers is already encrypted. The data sitting on Filen’s servers is encrypted. Only you hold the decryption keys.

Zero-knowledge means Filen has no access to those keys. They cannot read your files. Not “they promise not to” — they structurally cannot. The architecture prevents it. If Filen receives a government demand for your files, they can hand over encrypted data that is useless without your keys, which they don’t have.

This is the meaningful distinction between Filen and Google Drive. Google holds the keys to your Google Drive data. Filen does not hold the keys to your Filen data. That’s not a matter of trust — it’s a matter of architecture.

Filen is also open source. The client code is publicly auditable. You don’t have to take their word for how the encryption works — you can read the implementation.

series: [“Digital Sovereignty”]

The Installation Problem on Immutable Linux

Here’s where the first wrestling match happened.

Filen distributes their Linux desktop client as an AppImage — a self-contained application format that doesn’t require installation in the traditional sense. You download the file, mark it executable, run it. On traditional Linux systems this is clean and simple.

On immutable systems like Bazzite and Aurora, it requires a bit more thought.

The base filesystem is read-only. You can’t just drop an AppImage in /usr/local/bin and call it done. The recommended approach is to put your AppImages in your home directory — specifically ~/.local/bin or a dedicated ~/Applications folder — which is read-write and persists across system updates.

# Create an Applications directory in your home folder
mkdir -p ~/Applications

# Move the downloaded AppImage there
mv ~/Downloads/filen-desktop-*.AppImage ~/Applications/filen.AppImage

# Make it executable
chmod +x ~/Applications/filen.AppImage

# Run it
~/Applications/filen.AppImage

For a cleaner desktop integration — so Filen appears in your app launcher like a normal application — you can create a .desktop file:

# Create the desktop entry
cat > ~/.local/share/applications/filen.desktop << EOF
[Desktop Entry]
Name=Filen
Exec=/home/yourusername/Applications/filen.AppImage
Icon=filen
Type=Application
Categories=Utility;
EOF

Replace yourusername with your actual username. After saving, the application should appear in your launcher.

series: [“Digital Sovereignty”]

Sync vs. Mount — Choosing Your Mode

Filen offers two primary ways to access your files: sync and virtual drive mount.

Sync downloads files to a local folder on your machine and keeps them in sync with your Filen cloud storage. Changes made locally sync to the cloud. Changes made on another device sync back down. You always have local copies — fast access, works offline.

Virtual drive mount exposes your Filen storage as a network drive. Files aren’t stored locally — they’re streamed on demand. Saves local disk space. Requires an active internet connection to access anything.

For the Obsidian use case — which is a primary reason I chose Filen — sync is the right choice. Obsidian works on local files. The vault needs to exist locally for Obsidian to open and edit it. Sync keeps a local copy that Obsidian can work with natively, and propagates changes to Filen’s servers and then to any other device where you’re running Filen sync.

The virtual drive mount is useful for large file archives — video projects, backups, things you need access to occasionally but don’t want eating local disk space. For active working files, sync.

series: [“Digital Sovereignty”]

The FUSE Limitation

The virtual drive mount uses FUSE — Filesystem in Userspace — to present cloud storage as a local filesystem. This works well on traditional Linux systems. On immutable systems it requires FUSE support, which may need to be explicitly enabled.

On Bazzite and Aurora, FUSE is generally available but worth verifying if the virtual drive isn’t mounting correctly:

# Check if FUSE is available
ls /dev/fuse

# If you need to install FUSE support
sudo dnf install fuse fuse-libs

If you’re sticking to sync mode for your working files — which I’d recommend — you won’t hit this limitation. It’s only relevant if you’re using the virtual drive mount feature.

series: [“Digital Sovereignty”]

Setting Up Obsidian Sync Through Filen

This is the workflow that replaced a patchwork of manual approaches for keeping notes in sync across machines.

The setup:

  1. Install Filen desktop on all machines you use
  2. In Filen, create a folder for your Obsidian vault — something like obsidian/main-vault
  3. Set that folder as a sync target on your primary machine, pointed at where your vault currently lives
  4. Let the initial sync complete — this uploads your existing vault to Filen
  5. On each additional machine, install Filen desktop, sync the same folder to the same local path
  6. Open Obsidian on the second machine, point it at the synced local folder as the vault location

From that point: changes made in Obsidian on any machine sync to Filen’s servers and propagate to every other machine running the Filen sync client. End-to-end encrypted throughout. No Obsidian Sync subscription required. No third party reading your notes.

One important practice: close Obsidian before switching machines, or at least let the Filen sync finish before opening the vault on another device. Simultaneous edits on multiple machines can create conflicts — not data loss, but messy merge situations. The workflow discipline is simple: finish your session, let it sync, then open on the next machine.

series: [“Digital Sovereignty”]

Autostart — Making Filen Run in the Background

Filen sync only works when the client is running. For seamless sync without thinking about it, configure it to start automatically when you log in.

In most desktop environments, Filen has an autostart option in its own settings — look for a system tray icon option or an “autostart” toggle in preferences. Enable it there if available.

If you need to set it up manually:

# Create autostart entry
cat > ~/.config/autostart/filen.desktop << EOF
[Desktop Entry]
Name=Filen
Exec=/home/yourusername/Applications/filen.AppImage --hidden
Type=Application
X-GNOME-Autostart-enabled=true
EOF

The --hidden flag starts Filen minimized to the system tray rather than opening the full window on login. Cleaner startup experience.

series: [“Digital Sovereignty”]

Why Not Syncthing?

Worth acknowledging: Syncthing is another popular option in the sovereignty-minded Linux community. It’s peer-to-peer sync between your own devices, fully open source, no cloud servers involved at all.

For a pure local-network or device-to-device sync scenario, Syncthing is excellent and worth considering. The reason I chose Filen over Syncthing comes down to the use case: I want my files accessible from anywhere, including situations where my devices aren’t on the same network. Filen’s cloud layer provides that. Syncthing requires either both devices to be online simultaneously or a relay server in the middle.

If you’re syncing between devices that are frequently on the same network and you want zero cloud involvement, Syncthing is worth a look. If you want true anywhere-access with proper encryption, Filen.

series: [“Digital Sovereignty”]

The Storage Tier Question

Filen offers a free tier — 10GB at the time of writing — which is enough to get started and evaluate whether it fits your workflow. Paid tiers start at reasonable prices for substantially more storage.

For reference: my full Obsidian vault, including attachments, is well under 1GB. The free tier covers the primary use case for most people.

For video projects, large backups, or anything that pushes past 10GB, a paid tier is worth it. The pricing is competitive with mainstream cloud storage and you’re getting meaningfully better privacy for the same money.

series: [“Digital Sovereignty”]

The Sovereignty Accounting

Let’s run the comparison through the values filter.

Google Drive: Files readable by Google. Subject to US jurisdiction. Business model requires data analysis. Shared encryption keys.

OneDrive: Files readable by Microsoft — the same company we just left. Subject to US jurisdiction. Integrated with an operating system we’ve established we don’t trust.

Dropbox: Improved from their early days but still holds encryption keys. US jurisdiction. VC-funded with standard growth pressures.

Filen: Zero-knowledge architecture — they cannot read your files. Open source client — auditable. EU-based company — GDPR jurisdiction with stronger privacy floor than US. Business model is straightforward subscription — you’re the customer, not the product.

The choice isn’t close once you run it through the filter.

series: [“Digital Sovereignty”]

Resources

  • Filen: filen.io — desktop app, mobile apps, web interface
  • Filen GitHub: github.com/FilenCloudDienste — open source clients
  • Obsidian: obsidian.md — the local-first knowledge base Filen sync serves
  • Syncthing: syncthing.net — peer-to-peer alternative for local-network sync scenarios
  • AppImage format: appimage.org — documentation on the format and how it works

series: [“Digital Sovereignty”]

Next episode: The AI that doesn’t surveil you. Installing Claude Desktop on Linux, the OAuth rabbit hole, MCP filesystem access, and why giving AI access to your local files is different from giving it to the cloud.

series: [“Digital Sovereignty”]

From the Rubble is written by Kyle — Marine veteran, FDN-P practitioner, 30-year conspiracy realist. Digital sovereignty, health sovereignty, and the overlap between them. No corporate funding. No ads. No permission required.