What is Zero-Knowledge Encryption?
Encryption where the service provider cannot read your data — ever.
Definition
Zero-knowledge encryption is a security model in which a service provider stores and transmits data in encrypted form, but never has access to the decryption key. The user's key is derived from a password known only to them — it is never sent to the server. This means the provider literally cannot read your data, even if compelled by a court order or hacked.
How It Works
The term 'zero-knowledge' refers to the provider's knowledge of your plaintext content: it is zero. This is distinct from standard encryption, where the provider holds the key and can decrypt data on demand. Zero-knowledge encryption is the gold standard for sensitive data like passwords, seed phrases, and private keys. AES-256-GCM is the most common algorithm used at this level — the same standard used by banks and governments.
How VaultPass Uses This
VaultPass encrypts your vault contents in your browser before anything is sent to our servers, using a random AES-256-GCM key that is then split via Shamir's Secret Sharing. We store only the encrypted ciphertext and encrypted key shards. A database breach alone yields scrambled data, not plaintext.
Common Questions
What is the difference between zero-knowledge encryption and end-to-end encryption?
End-to-end encryption (E2EE) typically refers to communication — messages encrypted so only sender and recipient can read them. Zero-knowledge encryption refers to storage — data encrypted so even the storage provider cannot read it. VaultPass uses both concepts: your vault is zero-knowledge encrypted at rest.
Can zero-knowledge encryption be hacked?
The encryption itself — AES-256-GCM — is considered mathematically unbreakable with current technology. The risk is at the key: a weak or compromised master password. Use a strong, unique master password and store it safely.