Encryption you have to remember to switch on
Cloudreve's at-rest encryption is opt-in per storage policy, uses AES-256-CTR, and is never end-to-end. Its own docs say every download is relayed and decrypted by the server, and that the master key and per-blob keys sit in the same database by default; they warn that both could be leaked together in a security incident. Cotton encrypts every chunk with streaming AES-GCM by default, plus optional client-side E2E folders the server cannot read.
A switchboard, not an engine
Cloudreve's job is to front-end backends you already have, so there is no documented content-addressed or deduplicated storage model of its own. If you already pay for OneDrive or S3, you are wrapping storage you already rent. That is the opposite philosophy from Cotton, which owns a chunked, content-addressed engine and treats dedup, versions, and snapshots as in-engine behavior.
Cross-platform sync and SSO are paywalled
Cloudreve's official desktop sync client is Windows-only and requires the paid Pro server; everyone else falls back to WebDAV, and OIDC SSO is also Pro-gated. Cotton's WebDAV rides the same chunk pipeline and accounts ship with passkeys and TOTP in the box.
Pro, or read-only
Cloudreve v4 added a paid Pro edition; per its docs, a Pro instance with an expired license becomes read-only and blocks file modifications (the open-source Community edition is unaffected). Cotton is MIT-licensed with no paywalled core.
Pick the engine, or pick the aggregator
Pick Cloudreve to put one interface over storage you already own across many providers. Pick Cotton when you want a single engine that owns the bytes, encrypts them by default, deduplicates them, and previews them properly.