Skip to main content

What is zero-knowledge encryption?

The provider holds your data, but never holds the keys. So it cannot read a single line you save. Here is what that really means.

6 min read Zeromatics

The short answer

Zero-knowledge encryption is a way of building software so the company that runs it cannot read your data. The provider stores your files and runs the service. But the keys that unlock your data are made on your own device and stay with you. Because the provider never holds those keys, it has no way to read what you saved.

"Zero-knowledge" here is an architecture, not a formal cryptographic standard. It is a term of art that describes how the system is wired: the server knows nothing about the content it holds. It is a separate idea from academic "zero-knowledge proofs", which are a different branch of cryptography.

How it works, step by step

Imagine you write a short note inside the app: "Settlement offer — £40,000." Here is the journey that note takes.

  1. You sign in. Your password never travels to the server. Instead, your device runs it through a key derivation function — a slow, deliberate recipe such as Argon2id — to produce a secret key. The slowness is on purpose: it makes guessing the password expensive for an attacker.
  2. You type the note. Before it leaves your browser, the app encrypts it with that key using authenticated encryption such as XChaCha20-Poly1305. "Authenticated" means the result is both scrambled and tamper-proof: if anyone changes one byte, decryption fails loudly.
  3. "Settlement offer — £40,000" is now a block of ciphertext: a meaningless string like "k7Qx…9fA". That block is what travels to the server. The readable words never leave your machine.
  4. The server stores the ciphertext. It can copy it, back it up and serve it to you again later. But it cannot turn it back into words, because it does not have the key.
  5. When you open the note again, your device fetches the ciphertext, derives the key from your password once more, and decrypts it locally. Only then does "Settlement offer — £40,000" reappear, on your screen, in your session.

Sharing works the same way. To let a colleague read the note, your device wraps the note's key for them using a key exchange such as X25519 — so the key passes from you to them without the server ever seeing it in the clear.

What it changes

Most software encrypts data "at rest" and "in transit", which is good. But the provider still keeps the keys, so it — and anyone who breaks in — can read everything. Zero-knowledge moves the key off the server entirely. That changes the worst day of the year.

  • A breach leaks ciphertext, not secrets. If attackers steal the whole database, they get blocks like "k7Qx…9fA" — not your clients, your prices, your cases.
  • A subpoena to the vendor returns ciphertext. The provider can only hand over what it has, and it has no readable copy and no key.
  • A rogue employee sees nothing. An admin with full server access still only sees scrambled blocks. There is no "view as user" that exposes content.
Key takeaways
  • Zero-knowledge means the provider stores your data but holds none of the keys.
  • Keys are derived on your device from your password, using a KDF like Argon2id.
  • Your data is encrypted before it leaves the browser, so the server only ever sees ciphertext.
  • A breach, a subpoena or a rogue admin all return scrambled blocks, not your content.

Common misconceptions

"Zero-knowledge means I cannot recover my account." Not quite, but it does change recovery. Since the provider cannot reset your data the way it resets a normal password, well-built systems give you a recovery key or a recovery code to keep safe. The honest trade-off is real: power over your data also means responsibility for your keys.

"If the vendor cannot read my data, the app cannot do anything useful." Modern apps do the useful work — search, sharing, even private AI — on your device, after decryption, or over data you have unlocked. The server stays blind while the features stay rich.

"It is just marketing." It can be — which is why the detail matters. Ask where keys are made and whether the provider can technically derive them. The deep dive on our <a href="security">security page</a> walks through exactly where keys live and what the server can and cannot see.

"Zero-knowledge and the cloud cannot mix." They mix fine. The cloud is still where your data lives, syncs and backs up. The only thing that changes is that the cloud holds ciphertext and you hold the keys. You keep the convenience of the cloud and drop the requirement to trust it with readable data.

Why it is worth the effort

Zero-knowledge is harder to build than ordinary software. The payoff is that a leak stops being a catastrophe. When the keys are not on the server, the data on the server is just noise. Zeromatics builds every product this way — your work is sealed under keys we never hold — but the idea is bigger than any one vendor, and worth understanding before you trust anyone with sensitive data.

See zero-knowledge working, live.

Watch your own data turn to ciphertext before it leaves the browser. The demo takes two minutes.

Request a demo Read the security architecture