ProtonBlog(new window)
What is Zero-access encryption

What is zero-access encryption and why is it important for security?

Compartir esta página

Most of us would not give our private, personal information to strangers and then trust them not to leak it. But that’s essentially what we do every time we store chat histories, email, documents, and pictures on the cloud. When you save a document to Google Drive, a photo album to iCloud, or an intimate conversation to Facebook Messenger, you are trusting that this information will not be breached or misused.

There are ways, however, to encrypt your data so that only you can access it, and zero-access encryption is one of these methods. Zero-access encryption is a way of protecting data at rest — that is, while the information is sitting in storage on the cloud. With this type of encryption, even if hackers were to breach the provider’s servers and steal your files, they would not be able to decrypt the data. Zero-access encryption ensures that only you, the data owner, have the technical ability to read your data.

How does zero-access encryption work?

Zero-access encryption is just what it sounds like: a type of encryption(new window) for data at rest that renders digital files inaccessible to the service provider. The files can only be decrypted using the user’s private encryption key. Because the server does not have access to the user’s private encryption key, once the files are encrypted with the user’s public encryption key they are no longer accessible to the server or the server’s owner. When the data owner wants to view their data, they request the encrypted files from the server and decrypt them locally on their device, not on the server.

How is zero-access encryption different from end-to-end encryption?

At Proton Mail, we use both zero-access encryption and end-to-end encryption(new window) to protect your data. To understand the difference, consider two scenarios:

1. Someone using a Gmail account sends an email to a Proton Mail account. When it arrives at Proton Mail, our servers can read that email because Gmail does not support end-to-end encryption. However, after receiving the email, we encrypt it immediately using the Proton Mail account owner’s public encryption key. Afterwards, we are no longer able to decrypt the message. In fact, the encrypted email can now only be decrypted by the Proton Mail account owner.

2. Someone using a Proton Mail account sends an email to another Proton Mail email address. The email is encrypted on the sender’s device using the public encryption key of the recipient before being transferred to the Proton Mail server and to the recipient. Thus, the message is already encrypted before it reaches our server, and only the sender and the recipient have the ability to decrypt the email. This is end-to-end encryption.

As you can see from these examples, end-to-end encryption is the stronger of these two types of encryption because Proton Mail never sees the unencrypted message. Zero-access encryption does prevent the messages in your mailbox from being shared with third parties or leaked in the event of a data breach, but those messages are accessible to Proton Mail servers for a split second before the message is encrypted. For these reasons, we generally recommend that for highly sensitive conversations, both parties use Proton Mail to take advantage of the stronger end-to-end encryption.

Zero-access encryption solves big security problems

Most companies do not implement zero-access encryption either because they sell your private information to advertisers (Google, Facebook, etc.) or because the technical challenges of implementing it are too great.

Instead, they might use regular encryption where they retain control over the encryption keys. This is like storing the key to the lock with the lock itself and creates many vulnerabilities. For example, if servers are ever hacked, your private conversations can be leaked (like in the Yahoo! breach(new window) of all 3 billion of its accounts).

Furthermore, this approach also leaves data open for misuse, either by rogue employees or unscrupulous third parties, such as in the Cambridge Analytica/Facebook scandal(new window). This data can also be made accessible to government surveillance agencies or sold outright to advertisers.

We drastically reduce these security and privacy vulnerabilities by using zero-access encryption to ensure that we ourselves do not have access to your data. That way, even if somehow Proton Mail servers are breached, the contents of users’ private emails will still be encrypted. Both zero-access encryption and end-to-end encryption are essential to ensure good protection against data breaches and privacy violations in the digital age, and for this reason, they are highly recommended by experts(new window) and important for complying with data protection laws such as the GDPR law.

Proteja su privacidad con Proton
Crear una cuenta gratuita

Compartir esta página

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Artículos relacionados

en
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
en
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
en
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
en
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail
what is a digital footprint
en
What you do online isn’t private. Everything you do leaves behind some kind of mark. This trail is often referred to as a digital footprint, and it’s used to track you in many different ways. In this article, we go over what a digital footprint is, h
en
In February 2024, media reported that Indian authorities may decide to block Proton Mail. Proton Mail is still available in India despite any reports suggesting otherwise.  In response to hoax bomb threats that were sent through Proton Mail, some me