What Zero-Knowledge Encryption Means
Zero-knowledge encryption is a security model where a service provider encrypts your data in such a way that only you can decrypt it. The provider stores your encrypted data on their servers but does not possess the encryption key and therefore cannot access your data. Even if the provider's servers are breached, subpoenaed by a government, or targeted by a rogue employee, your data remains encrypted and unreadable.
The term "zero-knowledge" refers to the fact that the provider has zero knowledge of the content they are storing. They handle encrypted blobs of data that are meaningless without your personal encryption key, which is derived from your password and never transmitted to the server.
This stands in stark contrast to the model used by most cloud services, where the provider holds the encryption keys and can decrypt your data at will. Services like standard Google Drive, Dropbox, and iCloud encrypt your data in transit and at rest, but they retain the ability to decrypt it. This means they can scan your files for various purposes, comply with government data requests, and their employees could theoretically access your data.
How End-to-End Encryption Enables Zero Knowledge
Zero-knowledge encryption is built on end-to-end encryption (E2EE), where data is encrypted on your device before it is transmitted anywhere. The encryption key is derived from your password using a key derivation function like Argon2, bcrypt, or PBKDF2. This derived key encrypts your data locally, and only the encrypted version is sent to the server.
When you need to access your data, the encrypted version is downloaded to your device, and your locally derived key decrypts it. At no point does the plaintext data or the encryption key exist on the server. The entire encryption and decryption process happens on your device.
This architecture means that the server only ever sees encrypted data. Even the authentication process is designed so that the server can verify your identity without learning your password. This is typically accomplished through protocols like Secure Remote Password (SRP) or by sending only a hash derived from your password that is independent of the key used for encryption, so the login credential cannot be used to decrypt your data.
You can experience client-side encryption firsthand with our text encryption tool, which encrypts your text directly in your browser before it ever leaves your device.
Zero-Knowledge Proofs: A Related Concept
While zero-knowledge encryption and zero-knowledge proofs share a name, they are related but distinct concepts. A zero-knowledge proof is a cryptographic method that allows one party to prove to another that they know a value without revealing the value itself.
For example, imagine you want to prove you know the password to an account without actually sending the password. A zero-knowledge proof allows you to mathematically demonstrate knowledge of the password while revealing nothing about the password itself. The verifier becomes convinced you know the secret without learning anything about what the secret is.
Zero-knowledge proofs have applications in blockchain privacy, authentication systems, and identity verification. They represent an advanced area of cryptography that is increasingly being incorporated into practical applications.
Services Using Zero-Knowledge Encryption
Several privacy-focused services have built their entire business model around zero-knowledge encryption.
Proton (Mail, Drive, Calendar)
Proton Mail was one of the first mainstream email services to implement zero-knowledge encryption. Emails stored on Proton's servers are encrypted with the user's key, making them inaccessible to Proton. Proton has expanded to include Proton Drive for file storage and Proton Calendar, all using the same zero-knowledge architecture. Based in Switzerland, Proton also benefits from strong Swiss privacy laws.
Tresorit
Tresorit is a cloud storage and file sharing service with zero-knowledge encryption. Files are encrypted on the user's device before upload, and even Tresorit employees cannot access stored files. Tresorit is popular with businesses that need to share sensitive documents securely, such as law firms and healthcare organizations.
SpiderOak
SpiderOak pioneered the concept of "No Knowledge" cloud backup. Their service encrypts all data client-side before upload, and SpiderOak has no ability to access user files. SpiderOak was notably recommended by Edward Snowden as a privacy-respecting alternative to mainstream cloud storage providers.
Standard Notes
Standard Notes is an encrypted note-taking application where all notes are encrypted on your device before syncing. The service cannot read your notes, and your data is portable because you always have access to the encryption keys.
Bitwarden
Bitwarden, an open-source password manager, uses zero-knowledge encryption for your password vault. Your master password is never sent to Bitwarden's servers. Instead, it is used to derive an encryption key locally, and only the encrypted vault is stored on the server.
The Trade-Offs of Zero-Knowledge Encryption
Zero-knowledge encryption provides strong privacy guarantees, but it comes with significant trade-offs that users must understand.
No Password Recovery
The most impactful trade-off is that if you forget your password, your data is permanently lost. Because the service provider does not have your encryption key, they cannot reset your password and give you access to your data. There is no "Forgot Password" button that restores access to your encrypted files. This makes using a reliable password generator and storing your master password securely absolutely essential.
Limited Server-Side Features
Services cannot perform operations on data they cannot read. This means no server-side search indexing, no automatic file previews, no spam filtering based on content, and limited collaboration features. Each of these capabilities requires the server to access your data, which zero-knowledge encryption prevents.
Performance Considerations
Client-side encryption and decryption consume processing power on your device. For large files or extensive databases, this can result in slower performance compared to services where the server handles processing. Modern devices handle this well for most use cases, but it is a factor for large-scale data operations.
Is Zero-Knowledge Encryption Right for You?
If you handle sensitive personal information, confidential business data, medical records, legal documents, or any data that you want to remain private regardless of server breaches or government requests, zero-knowledge encryption is the strongest protection available from a cloud service. The trade-offs are real but manageable with good password practices and an understanding of the limitations.
For everyday users, even adopting zero-knowledge encryption for your most sensitive data, like your password manager and important documents, provides meaningful privacy improvement without requiring a complete shift in how you use technology.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.