Besides providing data sharing, commercial cloud-based storage services (e.g., Dropbox) also enforce access control, i.e. permit users to decide who can access which data. In this paper we advocate the separation between the sharing of data and the access control function. We specifically promote an overlay approach which provides end-to-end encryption and empowers the end users with the possibility to enforce access control policies without involving the cloud provider itself. To this end, our proposal, named ABEBox, relies on the careful combination of i) attribute-based encryption for custom policy definition and management, with ii) proxy re-encryption to provide scalable re-keying and protection to key-scraping attacks, with a novel revocation procedure. Moreover, iii) we concretely embed our protection mechanisms inside a public domain virtual file system module to provide an overlay and trivial-to-use transparent service which can be deployed on top of any arbitrary cloud storage provider. © 2021 ACM.