Within Databeamer we utilize End-to-End Encryption to ensure your data is secure
during transit and at rest. This is achieved via Client-Side Encryption, which
guarantees a Zero-Knowledge architecture where we never possess your keys. This
article briefly explains Zero-Knowledge Encryption and why it matters if you
value your data privacy.
In the digital age, "trust" is a tricky word. We trust our cloud providers with
our intellectual property, our financial records, and our personal identities.
Most vendors promise that your data is "secure" and "encrypted." But in the
cybersecurity world, the devil is in the definitions.
If a cloud provider holds the keys to your encrypted data, they (or anyone who
hacks them, or any government that demands access through legal orders) can
unlock it.
This is where Zero-Knowledge Encryption changes the game. It is not actually a
feature; it is a concept that assumes the safest way to store a secret is to
ensure no one else knows it exists.
What is Zero-Knowledge Encryption?
To understand Zero-Knowledge, we first need to look at how most of the internet
works. When you use standard "secure" services (like Gmail, Slack or standard
cloud storage), you rely on Encryption in Transit (TLS) and Encryption at Rest.
An analogy makes this easier to understand:
- You hire an armored truck to take your money to a bank. The truck is bulletproof (TLS). Once at the bank, they put your money in a strong vault (Rest). However, the bank manager has a key to that vault. They can walk in, count your money, or hand it over to the police if asked.
Zero-Knowledge Encryption works differently. The analogy:
- You buy a personal safe. You lock your valuables inside and keep the only key in your pocket. You then put that locked safe into the armored truck. The bank stores your safe, but they have absolutely no way to open it.
In technical terms, this is achieved via Client-Side Encryption. Your data is
turned into unreadable code (ciphertext) on your device before it ever touches
the internet. The service provider receives the data, but never receives the
decryption keys. They verify your data exists (Zero-Knowledge Proof), but they
know "zero" about what the data actually is.
The journey: End-to-End Encryption (E2EE)
You will often hear "Zero-Knowledge" and "End-to-End Encryption" used together.
While Zero-Knowledge describes the lack of access to the encryption keys and
data (as made possible by the architecture), E2EE describes the journey of your
data. End-to-End Encryption guarantees that your information remains locked from
the moment it leaves the sender’s device until it reaches the final recipient’s
device. It travels through the internet and services in a sealed, unreadable
state, ensuring that no intermediary can intercept or modify the content.
How does this differ from other methods?
TLS (Transport Layer Security)
Protects data only while it travels through cables. Once it arrives at the
server, it is often decrypted for processing.
Non-E2E (End-to-End) Storage
Services like Google Drive or Dropbox encrypt your files, but they manage the
keys. This allows them to scan your photos for content or index your documents
for search features.
PGP (Pretty Good Privacy)
The "grandfather" of Zero-Knowledge. It is effective but notoriously difficult
to use. Modern Zero-Knowledge tools aim to offer PGP-level security with a
user-friendly interface.
S/MIME (Corporate Email Encryption)
Many companies use the standard "Encrypt" button in Outlook (S/MIME). While this
encrypts the message during transit, it relies on a centralized certificate
authority managed by your IT department.
Manual Password Protection (Office/PDFs)
This "DIY" approach often provides a false sense of security. Not only do older
file formats use weak encryption that is easily cracked, but the "Key Exchange"
is usually the weak link: users frequently email the password in a follow-up
message. Zero-Knowledge tools remove this human error by handling the secure
exchange automatically.
BYOK (Bring Your Own Key)
Many major cloud platforms offer "Bring Your Own Key" as a premium security
feature. This sounds like Zero-Knowledge, but it often isn’t. In most BYOK
scenarios, you hold the key, but you must temporarily give it to the cloud
provider so their servers can process/index the data. For that split second of
processing, the data is visible to them. True Zero-Knowledge means the provider
never touches the key, not even for a millisecond.
The "other" data: what is actually visible?
A common misconception is that everything is invisible in a Zero-Knowledge
system. That is rarely true, and honest vendors should explain why. Think about
these common categories of data used within an online service:
Content (Invisible)
Your files, messages, and specific form inputs are encrypted. The vendor sees
nothing but random noise.
Metadata (Visible)
To route a file from A to B, the system needs to know who A and B are. Metadata
(sender, recipient, timestamp, file size) is usually visible to the server to
make the system function.
Audit Trails & Activity Logs (Visible & Necessary)
While the contents of your files remain a mystery to us, the actions taken on
them are rigorously logged. For business clients, total invisibility is actually
a liability. To meet strict compliance standards (such as ISO 27001) and allow
administrators to monitor security, maintaining a detailed audit trail is a
must.
General User & Business Information (Visible)
Even the most private platforms need basic administrative data to function as a
business. This typically includes your username, email address, company name,
and billing information.
Authentication & security credentials
Secure services never store your actual password, only a cryptographic "hash" to
verify your login. In Zero-Knowledge systems, however, your password has a
second critical job: it generates the encryption key that unlocks your data
locally. Since the provider only holds the login hash (and not the encryption
key) they cannot reset your keys without causing content loss. They also retain
necessary 2FA details (like phone numbers or OTP keys) to secure your account
access.
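
The split described above between the login hash the server keeps and the encryption key derived locally, combined with the client-side encryption from the earlier section, as an added Node.js example (not Databeamer's code). The scrypt, HKDF and AES-256-GCM choices, the "login"/"content" labels and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and constructed values throughout.
const nodeCrypto = require("crypto");

// One slow KDF run, then HKDF with distinct labels (assumed names) so the
// login secret and the encryption key are cryptographically independent.
function deriveKeys(password, salt) {
  const master = nodeCrypto.scryptSync(password, salt, 32);
  const expand = (label) =>
    Buffer.from(nodeCrypto.hkdfSync("sha256", master, salt, label, 32));
  return { authKey: expand("login"), encKey: expand("content") };
}

// The server only ever stores the salt and a hash of the login secret.
function serverRecord(password, salt) {
  const { authKey } = deriveKeys(password, salt);
  return { salt, verifier: nodeCrypto.createHash("sha256").update(authKey).digest() };
}

function serverLogin(record, authKey) {
  const candidate = nodeCrypto.createHash("sha256").update(authKey).digest();
  return nodeCrypto.timingSafeEqual(candidate, record.verifier);
}

// Client-side AES-256-GCM: the server receives only { iv, tag, ciphertext }.
function encryptOnClient(encKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, tag: cipher.getAuthTag(), ciphertext };
}

function decryptOnClient(encKey, blob) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", encKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString("utf8");
}

// "Forgot password": the server can replace the verifier, but a key derived
// from the new password fails GCM authentication on the old ciphertext.
function readableAfterReset(blob, newPassword, salt) {
  try {
    decryptOnClient(deriveKeys(newPassword, salt).encKey, blob);
    return true;
  } catch {
    return false;
  }
}
```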
Why should you care? The risks of "standard" Encryption
Why go through the trouble? Because "standard" encryption relies on blind faith,
and if you really care about privacy, that should concern you. Some common risks:
The AI Risk
Many large tech companies scan user data to train AI models or for advertising
profiling. Zero-Knowledge prevents your proprietary data from becoming part of a
public AI dataset.
Data Breaches
If a standard cloud provider is hacked, the attackers often steal the database
and the keys. If a Zero-Knowledge provider is hacked, the attackers steal...
meaningless, jumbled code. This makes identity theft via server breaches nearly
impossible regarding the stored content.
Government Overreach
If a government agency demands access to your data, a standard provider must
comply. A Zero-Knowledge provider can honestly say: "We can give you the
encrypted files, but we are mathematically incapable of unlocking them."
"Privacy Washing"
Many vendors slap a "Bank-Grade Security" badge on their site while retaining
full access to your files. Unless they explicitly state they have no access to
your keys, you should assume they can read your data.
The "Tech Stack" & The CLOUD Act
Location is not enough for compliance. Many European vendors claim data
sovereignty simply because their servers are physically located in Amsterdam or
Frankfurt. However, if their underlying tech stack relies on US infrastructure
(like AWS, Azure or US-based analytics tools), your data is likely subject to
the US CLOUD Act. This allows American authorities to demand data from US
companies regardless of where that data is stored globally.
Example case: the "Fake encryption" & sovereignty trap
Not all promises of End-to-End Encryption are created equal. There is a notable
example of a European secure messaging provider that marketed itself for years
as fully E2E encrypted. However, investigations revealed a critical
architectural flaw: messages were sent to their servers in plain text before
being encrypted by the server.
While the vendor claimed they never looked at the
data, they possessed the technical ability to do so. The gravity of this flaw
became clear when the company was acquired by an American firm. Suddenly,
European data was potentially subject to the US CLOUD Act.
In addition, the owners of this firm were linked to the Israeli government.
This also raised alarms about foreign cyber-intelligence influence. Since the
system lacks true Zero-Knowledge encryption, your data isn't secured by
cryptography; it is only secured by the company's promise. In the end, it all
comes down to whether you trust them not to peek at your files.
Zero-knowledge E2E Encryption and the EU Chat Control
There is an active debate in the European Union regarding the "Chat Control"
regulation (CSAM scanning). Since governments cannot mathematically crack
End-to-End Encryption from the outside, proposals often suggest Client-Side
Scanning.
This would legally force providers to build a "scanner" into the app that checks
your files on your device before they are encrypted. While the goal is to detect
illegal content, this effectively turns your own device into a surveillance
tool. It creates a "backdoor" before the data even leaves your hand. A true
Zero-Knowledge philosophy resists this, arguing that once you build a mechanism
to bypass encryption for one purpose, the infrastructure exists to scan for
anything (political dissent, trade secrets, etc.).
While an adapted version of the act has been agreed upon, it is not yet final
law. EU member states must still negotiate the specific text and cast a
concluding vote. Until a definitive version is ratified, our position remains
unchanged: we do not implement client-side scanning and will await the final
legal outcome.
Please also read our blog ‘our position on privacy’
The Trade-off: Limitations of Zero-Knowledge
Security always comes at the cost of convenience. Because the server cannot read
your data, you will lose certain features:
No Full-Text Search
You cannot type a keyword into a search bar and expect the server to find it
inside a document, because the server can't read the document. (Smart
client-side indexing is solving this, but it's harder).
No AI Processing
The server cannot automatically tag faces in photos or summarize meetings,
because it sees only noise.
Loss of historical data (the "Mnemonic" Rule)
In a standard app, clicking "forgot password" is convenient because the company
simply resets access to their own master key. In a Zero-Knowledge system, your
password is usually essential to deriving your unique encryption key. If you
lose your password, access to the historic encrypted data cannot be restored.
Advanced Zero-Knowledge systems, like Databeamer, often separate your login
password from your encryption keys (protected by a unique 12-word mnemonic). If
you lose this mnemonic, the provider cannot recover it for you.
How do you know the encryption is good?
Since you can't see encryption working, how do you verify if the encryption in
the service you use is any good?
1. Open Source / source available
Can independent experts inspect the code?
2. Third-Party audits
Has a reputable security firm pen-tested the architecture?
3. The "Forgot Password" test
If a service can reset your account or keys without you losing content data,
they likely don't have a true Zero-Knowledge architecture.
The Future: Post-Quantum Cryptography
We are approaching an era where Quantum Computers may be able to break current
encryption standards (like RSA). Forward-thinking security providers are already
looking at Post-Quantum Cryptography: new mathematical algorithms (usually
lattice-based) that even quantum computers cannot solve. When choosing a vendor,
ask them about their crypto-agility and plans for the quantum future.
How we approach Zero-Knowledge
At Databeamer, we believe that your data belongs to you, and only you. We have
built our architecture around the principle that we should be the courier, not
the inspector.
We don't ask you to trust us with your data. We built a system where you don't
have to.
Read exactly how our encryption works in our technical blog post.