What’s zero knowledge cloud storage, and how does it work?

Zero-knowledge encrypted cloud storage provides critical privacy and security benefits. How does it work, and what are the best end-to-end encrypted cloud providers?

Cloud storage provider logos for different encrypted storage providers.

With the migration to the cloud, tens of millions of individuals and businesses have transferred their most important documents, records, and data from local hard drives to cloud storage services, from Dropbox and Google Drive to Microsoft OneDrive and Apple’s iCloud. Almost every big tech company offers a consumer cloud storage product, allowing consumers to easily keep information portable from device to device and synchronize critical documents without worrying about security and data loss. This includes mobile apps, desktop sync folders, and sharing capabilities for sending folders or large files to clients or contacts.Cloud storage comes with a lot of incredible positive benefits for consumers: It can free up space on a device, including both phones and desktop computers, that would otherwise be used to store data that would be infrequently accessed. Another reason is that cloud storage can be used to store data that is sensitive or confidential. This can help to keep data safe from unauthorized access - for example, if you left a computer unlocked or happened to lose a device.However, encrypted cloud storage has become a necessity for cloud users, as customers realize the costs or potential risks of data theft, exfiltration, loss, or misuse. As a result, different encryption protocols and security mechanisms have been devised to keep cloud storage secure, from adding two factor authentication method (2FA codes, hardware devices, or SMS codes) to securing data with end-to-end encryption, or zero-knowledge encryption.Zero knowledge encryption is a type of encryption where the sender and receiver of the encrypted data share no information about the contents of the data. The sender encrypts the data using a key known only to them, and the receiver decrypts the data using a key known only to them. This type of encryption is often used in situations where the sender and receiver want to keep the contents of the data confidential, such as in a business setting. Note that end-to-end encryption and zero-knowledge encryption are used interchangeably; the term client-side encryption also refers to the same technical concept where only users, and not providers, have access to unencrypted data.

Why does zero knowledge encryption matter?

Zero knowledge encryption (which is functionally the same as end-to-end encryption) is a must-have security property that comes with no usability tradeoffs. Below, we walk through many of the most critical benefits of using end-to-end encryption for your files.1. Privacy and encryption help protect our personal information from being accessed and used without our permission. When stored unencrypted, anyone with access to the stored bytes of your files will have access to read, use, edit, or share customer data. Even with symmetric encryption, where a single encryption key is used to encrypt and decrypt a file, users must trust cloud services (such as Dropbox, Box, Google, Microsoft, Apple) with complete access to their data. In a modern world with constant sensitive data sharing, it is unacceptable that anyone except designated participants would have access to such sensitive information.2. They can help prevent identity theft and fraud. End-to-end encryption adds another layer of protection from your personal information being shared, exfiltrated, and used harmfully, such as for identity theft or impersonation. Even if you have good security practices, cloud providers and communication products have previously suffered catastrophic data breaches, wherein companies’ files and databases are exposed from providers’ data centers. However, with zero knowledge encryption, no one - not even law enforcement - could have access to the information you upload to a cloud storage provider.3. They can help protect our financial information. Data privacy for financial information is critical, particularly for businesses that may store client orders or financial information in the cloud. Leaving company or client information exposed to hackers could prove catastrophic for businesses, hence the critical need for zero knowledge encryption. Zero knowledge encryption can also help with GDPR, CLOUD Act, and CCPA compliance, where it is critical to know that no one else has access to client or user information.4. They can help protect our medical information. Cloud infrastructure now stores our most sensitive medical information, as doctors and care providers switch to the cloud. However, individuals have both an expectation of privacy for this information, as well as legal rights to knowing that no other individuals (including cloud service providers) can ever have access to it. In the context of medical records, zero knowledge encryption is thus a must.5. They can help protect our online activity from being tracked and monitored. Zero knowledge and zero access encryption adds critical benefits in preventing individuals from being tracked. With no information about the content of information shared with cloud providers or data sharing tech companies, individuals have significantly more latitude to be creative and expressive on the web. Some end-to-end encryption protocols, like the Signal Protocol, also include provisions for deniability, wherein it is impossible to prove that an individual user sent or received a particular message.6. Protection from ransomware and spyware. By using cloud services, you are able to view, edit, and share files on the web without download local files. This adds significant protection to threats from ransomware, spyware, or other attacks possible during data transfer.7. They can help prevent online censorship. In the last few years, cloud storage users have unfortunately cited numerous incidents wherein cloud storage providers have banned user accounts without warning. In one case, Google Drive automatically banned a journalist for distributing “misleading information;” in another instance, Dropbox banned the creator of the TV show Rick and Morty after automatically detecting that he had content from the TV show stored in his storage provider. In a world where we store more private information in our cloud storage solutions than in our homes, being banned without warning is unacceptable. End-to-end encryption preserves this freedom by keeping our information private.

Zero-knowledge encryption: Key use cases

VPNs: A VPN, or Virtual Private Network, allows you to create a secure connection to another network over the Internet. VPNs can be used to access region-restricted websites, shield your browsing activity from prying eyes on public Wi-Fi, and more. Even with internet security protocols like TLS and SSL, VPNs can route your traffic to other servers such that even internet service providers do not know the websites you visit.But if you're using public Wi-Fi or connecting to a website that isn't encrypted, a VPN can help protect your information. A VPN can also be used to bypass government censorship. In some countries, the government blocks certain websites or limits access to the Internet. A VPN can help you get around these restrictions by routing your traffic through a server in a different country. Most VPNs use zero knowledge encryption to protect the data passing between the VPN client and server. This type of encryption ensures that the data cannot be read or tampered with by anyone other than the intended recipient.Messaging: Similar to cloud storage, end-to-end encrypted messaging is a type of communication where the contents of the message are encrypted so that only the sender and intended recipient can view the contents. This is done by using a special key or algorithm that is known only to the sender and recipient. This type of communication is often used when sensitive information needs to be exchanged, such as in military or diplomatic communications.Most end-to-end encrypted messaging schemes use asymmetric encryption, wherein users’ public keys are known to everyone, but private keys are only known to the intended recipient. Encrypted messaging can be done through a variety of methods, including email, instant messaging, and even regular mail. In most cases, the sender and recipient will need to use the same software or app in order to exchange messages. There are a number of different apps and programs that offer encrypted messaging, such as Signal, WhatsApp, and Telegram. In this blog, we write more about E2EE messaging providers and protocols.Email, file storage, and more: Given zero knowledge encryption’s critical benefits for privacy and censorship resistance, it is being continuously applied to more cloud products, from note taking to email. Skiff, ProtonMail, and Tutanota are private end-to-end encrypted, zero knowledge email providers, and all offer some component of secure cloud storage product.

End-to-end encrypted, zero knowledge cloud providers

In this section, we’ll briefly walk through some of the best zero-knowledge cloud providers, chosen for their ease of use, storage space offerings, file sharing capabilities, and security features. The best cloud storage provider will require your selection depending on device compatibility, file sharing or link sharing needs, and general user friendliness. Most providers offer free cloud storage plans, paid plans for more storage space, and business plans for enterprise customers.Skiff is a privacy-first, end-to-end encrypted, user-friendly workspace, including email (a full Gmail or Outlook replacement with end-to-end encryption built-in), file storage and sharing (replacing Dropbox, Google Drive, or Microsoft OneDrive), as well as collaborative wikis, notes, and files.Skiff offers 10 GB of free cloud storage on the free plan and makes it easy to share encrypted files and folders across multiple teams, even with password protection. Skiff also allows sharing links. Notably, all of Skiff’s encryption code is open source, and the company also offers a lengthy whitepaper as well as numerous technical blogs documenting how the product works.Tresorit is a Swiss-based zero-knowledge cloud storage provider. Tresorit has been well regarded for ease of use and compliance-focused features; the company also offers applications on numerous devices (iOS, Android, Mac/MacOS, Windows) to ensure easy file sync. Tresorit also offers cloud backup products for local hard drives and data. Note that the company was recently acquired by the Swiss government. Tresorit also has recently offered a Linux client as well.Sync.com has become a relatively popular alternative to big tech cloud storage and online backup providers. Although Sync.com markets “zero knowledge” and “end-to-end encryption", technical document is generally light, and the company has a relatively brief whitepaper describing technical models that does not add significant technical documentation to how the product works. However, even without open-source code, it remains a well known offering in end-to-end encrypted cloud providers.Spideroak: Spideroak’s storage products are marketed more towards enterprise customers in space and defense. They are generally less consumer friendly than some of the alternatives mentioned above.Pcloud: Pcloud is another popular end-to-end encrypted cloud storage provider that has started to expand to offer more cloud-based, privacy-respecting utilities for consumers. This includes a new password manager product for storing your passwords across multiple devices, and all end-to-end encrypted. Pcloud is slightly less user friendly and consumer oriented than the other services mentioned, and it is instead generally marketed to enterprise customers and users.