Updated on: September 15, 2024
Zero-knowledge encryption (ZKE) is a highly secure method for sharing information. Under this framework, no one but the intended recipient will be able to read the message or data. This provides an extra level of privacy over other types of encryption, which are more vulnerable to snooping.
The distinguishing feature of ZKE is the fact that the key is only available to the recipient. The ‘zero-knowledge’ part means that even the service sending the data doesn’t have the key needed to decrypt it. Without this key, anyone looking at the data will only see a mess of numbers and letters. This is great for privacy, but it also means that if you lose your key (which could be tied to your password or your device), there’s no way to ever recover your data. Some services, like VPNs and many cloud storage providers, rely on processing data to function and are therefore incompatible with ZKE.
Lots of services and organizations use ZKE to enhance their overall privacy. Companies often require ZKE when handling health data, for example, and a few privacy-focused messaging apps like Signal also take advantage of ZKE. Basically, most services or apps that handle sensitive data can benefit from ZKE. All the best password managers use zero-knowledge encryption to protect users’ credentials — 1Password is my favorite, and it uses ZKE alongside a host of other features to keep your data safe.
What Does Zero-Knowledge Encryption Do?
Encryption is the process of converting data into an unreadable form. To get something intelligible out of an encrypted message, you need a unique decryption key. Without one, the message will just appear as a random jumble of letters and numbers. The key will return the data to its original form. This means that, without a decryption key, anyone who is able to intercept the message will not be able to read its content.
Encryption plays a big role in cybersecurity, and there are many encryption methods out there. Decryption keys are generally stored on the servers of the service transmitting the data. In many cases, this is safe enough. The main problem is that someone at the company could use the decryption key to read all of the messages sent through the service. Alternatively, hackers could break in and steal the keys, or a government could demand that they be handed over.
Zero-knowledge encryption gets around these problems by storing decryption keys exclusively on user devices. Since companies and third parties can’t access keys, there’s no way for them to read your files or messages. Hackers or governments won’t be able to get a hold of them either.
As you could probably guess, ZKE is ideally suited for secure messaging apps, cloud storage providers, and other tools dealing with sensitive information. You probably won’t be surprised that the best password managers like 1Password and
There is one major drawback when it comes to using ZKE though. If the company doesn’t keep a record of your decryption key, it will be impossible for you to recover your data if you forget the key or lose the device storing it. Depending on the service, you may even lose access to your account.
Luckily the best services offer solutions. For example, with 1Password, your decryption key is essentially your master password. If you forget it, you can’t open your vault. However, when you create your account, 1Password gives you a secret secondary key that you can write down and use to get back into your vault if you forget your master password. The best password managers all come with some way to recover your account if you lose your key.
What Services Use Zero-Knowledge Encryption?
There aren’t many products that take full advantage of ZKE, but there are a few:
- Password managers. Many password managers, including 1Password and Dashlane, take advantage of ZKE. This ensures that nobody, not the company nor the hackers who could breach the company, can see your encryption key. You’re the only one with access to your vault. Note that the password managers included with browsers like Chrome do not use zero-knowledge encryption. This is one reason (there are many others, believe me) why premium password managers are far more secure.
- Encrypted messaging services. Secure messaging apps like Signal and Telegram use ZKE to increase privacy, as does KeeperChat, a feature included with the Keeper password manager. The reason they use it is simple: if a messaging service kept a copy of your encryption key, rogue employees, hackers, or local authorities could potentially pull up your key and read your entire conversation during an investigation.
- Cloud storage services. Many cloud storage services utilize some form of ZKE to keep your important files safe. Tresorit and Proton Drive both store your encryption key locally, so their respective companies can never access it.
- File encryption software. File encryption tools like NordLocker let you encrypt your data with a locally stored key before uploading it to the cloud. This ensures that even if their clouds are breached, your files are safe from decryption. This also means that you have to be extra careful with those encrypted files. If you lose your master password, you could lose them. Other file encryption tools, like the file vaults included with NordPass and 1Password, also make use of ZKE.
Some products and services have security protocols in place that replicate the function of ZKE without disrupting their normal activities. They’re fairly rare, but they include:
- VPNs. VPNs replicate ZKE through the use of a no-logs policy. These policies prevent businesses from storing your data. ExpressVPN, for example, deletes your encryption key and data after you close the VPN. While it’s not exactly ZKE, it functionally means that the company won’t be storing encryption keys (except during the session).
- Blockchains. Many blockchains use zero-knowledge proofs to keep users private. This allows the blockchain service to verify the proof of a user’s account without any of that user’s information being shared with the blockchain’s owner or other users. It allows for secure transactions without a loss of privacy.
Not every security product uses zero-knowledge encryption, because it doesn’t always help. For example, take a traditional antivirus. These work by sending logs of what malware they caught, including zero-day malware found on your system, and by scraping data about your machine to optimize its protection. If they were to employ ZKE, it would (in most cases) make it a lot harder for that antivirus to protect you. So even the best antiviruses forgo zero-knowledge encryption.
Editors' Note: ExpressVPN and this site are in the same ownership group.
Do I Need Zero-Knowledge Encryption?
It depends on the product you’re using and what you’re doing with it. Some products, like password managers, absolutely need it. I strongly prefer messaging apps that use ZKE, but it might not matter to you. It all depends on the type of messages you send and how much you value privacy and security. Cloud storage services and other services vary. It’s theoretically safer, but many products are secure enough without it. If you don’t store lots of sensitive files in the cloud, you may be fine without ZKE. It depends on how much you value your privacy (and how many secrets you have).
Password managers benefit the most from ZKE, since passwords are the very definition of sensitive data. A company being able to see all of your passwords simply isn’t safe. While not everyone uses ZKE, top password managers like 1Password do. Many mainstream password managers, like Chrome’s, do not use ZKE, making them less secure by default than products that do use it.
Most mainstream cloud storage services do not use ZKE, which could be a security problem for you. This includes OneDrive, Google Drive, and even Dropbox. That’s not to say any of those are unsafe — they simply lack this one feature.
VPNs don’t need ZKE. As I explained above, the best VPNs use a different security feature called a no-logs policy. Rather than never holding a copy of your key, they simply don’t retain it once your VPN session ends. ExpressVPN and many other options couple a no-logs policy with RAM-only servers to ensure that none of your data is logged.
Other security products, like antiviruses, also rarely use ZKE. If they do include it, it usually only extends to one or two features within the overall antivirus suite. Antiviruses rely on collecting user data, including threat reports and zero-day malware strains, so preventing themselves from collecting user data would actively go against their purpose (usually).
Just note that most security products are not currently using zero-knowledge encryption. Processing customer data is usually vital for a company to operate, and storing keys is how their customer service can help you restore lost data. Without storing your encryption key, those companies wouldn’t be able to provide as many customer support or recovery options as they do. It could even stunt their ability to keep you safe if they rely on customer data to improve their services.
Overall, you should consider your individual security needs when it comes to zero-knowledge encryption. It’s more secure than traditional encryption, but it’s not without some issues. In my opinion, it’s most vital in tools like password managers.
Frequently Asked Questions
Do most VPNs use zero-knowledge encryption?
No, most VPNs do not use zero-knowledge encryption, but that doesn’t mean they’re unsafe. If a VPN company has a good no-logs policy, it doesn’t log or store your data. Some data is necessarily held while your session is active, but the moment you close your VPN that data is erased.
VPNs like ExpressVPN have their no-log policies independently audited to prove that the company has no way to access your data. It’s not the exact same as ZKE, but it’s a functional alternative that companies use when they still need to process your data to operate.
How does zero-knowledge encryption differ from regular encryption?
The main way it differs is that a company cannot see your encryption key. Normally, the company keeps a copy of your decryption key. It’s not sinister — it helps with account recovery and support. However, it can also be requested by law enforcement during investigations, plus, if a hacker gets access to the company, they could also get your key.
ZKE is safer because it removes the risk of the company mishandling or leaking your data, being hacked, or sharing data with local authorities (since they don’t have a way to see it).
Is a product unsafe without zero-knowledge encryption?
It depends, but for the most part no. This type of encryption can only be used when the company doesn’t need to process your data. To illustrate the difference, let’s use two products at the top of their field.
1Password is a secure password manager that uses zero-knowledge encryption. This way, it doesn’t have any logs of your passwords or data that you store within the app. If the company gets hacked, there’s no way your passwords can be seen.
ExpressVPN is a great VPN, but it doesn’t use ZKE. That doesn’t make it less safe though, because it employs something called a no-logs policy. This type of policy restricts companies from logging your data. Whenever you close the VPN, any data that it’s storing on its RAM-only servers is deleted, functionally doing the same thing without interrupting the VPN services.
Can I have my data stolen if I’m using zero-knowledge encryption?
Yes, data theft can still occur, even using ZKE. While this form of encryption prevents the company from keeping a decryption key, it doesn’t keep you safe from all online threats. You’re still vulnerable to phishing scams, data-stealing malware, and the consequences of a weak password.
I highly encourage you to use a comprehensive antivirus suite to account for these other threats. Even if ZKE keeps you safe from man-in-the-middle attacks and from businesses misusing data, you still need an antivirus to keep you safe from everything else.