Zero-knowledge encryption: why it matters

Date: 2025/11/25
Author: Roel van Cruchten
Tags:
encryption

Within Databeamer we utilize End-to-End Encryption to ensure your data is secure during transit and at rest. This is achieved via Client-Side Encryption, which guarantees a Zero-Knowledge architecture where we never possess your keys. This article briefly explains Zero-Knowledge Encryption and why it matters if you value your data privacy.

In the digital age, “trust” is a tricky word. We trust our cloud providers with our intellectual property, our financial records, and our personal identities. Most vendors promise that your data is “secure” and “encrypted.” But in the cybersecurity world, the devil is in the definitions.

If a cloud provider holds the keys to your encrypted data, they (or anyone who hacks them, or any government that demands access through legal orders) can unlock it.

This is where Zero-Knowledge Encryption changes the game. It is not actually a feature; it is a concept that assumes the safest way to store a secret is to ensure no one else knows it exists.

What is Zero-Knowledge Encryption?

To understand Zero-Knowledge, we first need to look at how most of the internet works. When you use standard “secure” services (like Gmail, Slack or a standard cloud storage), you rely on Encryption in Transit (TLS) and Encryption at Rest.

An analogy makes this easier to understand:

  • You hire an armored truck to take your money to a bank. The truck is bulletproof (TLS). Once at the bank, they put your money in a strong vault (Rest). However, the bank manager has a key to that vault. They can walk in, count your money, or hand it over to the police if asked.

Zero-Knowledge Encryption works differently. The analogy:

  • You buy a personal safe. You lock your valuables inside and keep the only key in your pocket. You then put that locked safe into the armored truck. The bank stores your safe, but they have absolutely no way to open it.

In technical terms, this is achieved via Client-Side Encryption. Your data is turned into unreadable code (ciphertext) on your device before it ever touches the internet. The service provider receives the data, but never receives the decryption keys. They verify your data exists (Zero-Knowledge Proof), but they know “zero” about what the data actually is.

The journey: End-to-End Encryption (E2EE)

You will often hear “Zero-Knowledge” and “End-to-End Encryption” used together. While Zero-Knowledge describes the lack of access to the encryption keys and data (as made possible by the architecture), E2EE describes the journey of your data. End-to-End Encryption guarantees that your information remains locked from the moment it leaves the sender’s device until it reaches the final recipient’s device. It travels through the internet and services in a sealed, unreadable state, ensuring that no intermediary can intercept or modify the content.

How does this differ from other methods?

  • TLS (Transport Layer Security): Protects data only while it travels through cables. Once it arrives at the server, it is often decrypted for processing.

  • Non-E2E (End-to-End) Storage: Services like Google Drive or Dropbox encrypt your files, but they manage the keys. This allows them to scan your photos for content or index your documents for search features.

  • PGP (Pretty Good Privacy): The “grandfather” of Zero-Knowledge. It is effective but notoriously difficult to use. Modern Zero-Knowledge tools aim to offer PGP-level security with a user-friendly interface.

  • S/MIME (Corporate Email Encryption): Many companies use the standard “Encrypt” button in Outlook (S/MIME). While this encrypts the message during transit, it relies on a centralized certificate authority managed by your IT department.

  • Manual Password Protection (Office/PDFs): This “DIY” approach often provides a false sense of security. Not only do older file formats use weak encryption that is easily cracked, but the “Key Exchange” is usually the weak link: users frequently email the password in a follow-up message. Zero-Knowledge tools remove this human error by handling the secure exchange automatically.

  • BYOK (Bring Your Own Key): Many major cloud platforms offer “Bring Your Own Key” as a premium security feature. This sounds like Zero-Knowledge, but it often isn’t. In most BYOK scenarios, you hold the key, but you must temporarily give it to the cloud provider so their servers can process/index the data. For that split second of processing, the data is visible to them. True Zero-Knowledge means the provider never touches the key, not even for a millisecond.

The “other” data: what is actually visible?

A common misconception is that everything is invisible in a Zero-Knowledge system. That is rarely true, and honest vendors should explain why. Think about these common categories of data used within an online service:

  • Content (Invisible): Your files, messages, and specific form inputs are encrypted. The vendor sees nothing but random noise.

  • Metadata (Visible): To route a file from A to B, the system needs to know who A and B are. Metadata (sender, recipient, timestamp, file size) is usually visible to the server to make the system function.

  • Audit Trails & Activity Logs (Visible & Necessary): While the contents of your files remain a mystery to us, the actions taken on them are rigorously logged. For business clients, total invisibility is actually a liability. To meet strict compliance standards (such as ISO 27001) and allow administrators to monitor security, maintaining a detailed audit trail is a must.

  • General User & Business Information (Visible): Even the most private platforms need basic administrative data to function as a business. This typically includes your username, email address, company name, and billing information.

  • Authentication & security credentials: Secure services never store your actual password, only a cryptographic “hash” to verify your login. In Zero-Knowledge systems, however, your password has a second critical job: it generates the encryption key that unlocks your data locally. Since the provider only holds the login hash (and not the encryption key), they cannot reset your keys without causing content loss. They also retain necessary 2FA details (like phone numbers or OTP keys) to secure your account access.

Why should you care? The risks of “standard” Encryption

Why go through the trouble? Because “standard” encryption relies on blind faith, and if you really care about privacy, that should concern you. Some common risks:

  • The AI Risk: Many large tech companies scan user data to train AI models or for advertising profiling. Zero-Knowledge prevents your proprietary data from becoming part of a public AI dataset.

  • Data Breaches: If a standard cloud provider is hacked, the attackers often steal the database and the keys. If a Zero-Knowledge provider is hacked, the attackers steal… meaningless, jumbled code. For the stored content, this makes identity theft via server breaches nearly impossible.

  • Government Overreach: If a government agency demands access to your data, a standard provider must comply. A Zero-Knowledge provider can honestly say: “We can give you the encrypted files, but we are mathematically incapable of unlocking them.”

  • “Privacy Washing”: Many vendors slap a “Bank-Grade Security” badge on their site while retaining full access to your files. Unless they explicitly state they have no access to your keys, you should assume they can read your data.

  • The “Tech Stack” & The CLOUD Act: Location is not enough for compliance. Many European vendors claim data sovereignty simply because their servers are physically located in Amsterdam or Frankfurt. However, if their underlying tech stack relies on US infrastructure (like AWS, Azure or US-based analytics tools), your data is likely subject to the US CLOUD Act. This allows American authorities to demand data from US companies regardless of where that data is stored globally.

Example case: the “Fake encryption” & sovereignty trap

Not all promises of End-to-End Encryption are created equal. There is a notable example of a European secure messaging provider that marketed itself for years as fully E2E encrypted. However, investigations revealed a critical architectural flaw: messages were sent to their servers in plain text before being encrypted by the server.

While the vendor claimed they never looked at the data, they possessed the technical ability to do so. The gravity of this flaw became clear when the company was acquired by an American firm. Suddenly, European data was potentially subject to the US CLOUD Act.

In addition, the owners of this firm were linked to the Israeli government, which raised alarms about foreign cyber-intelligence influence. Since the system lacks true Zero-Knowledge encryption, your data isn’t secured by cryptography; it is only secured by the company’s promise. In the end, it all comes down to whether you trust them not to peek at your files.

Zero-knowledge E2E Encryption and the EU Chat Control

There is an active debate in the European Union regarding the “Chat Control” regulation (CSAM scanning). Since governments cannot mathematically crack End-to-End Encryption from the outside, proposals often suggest Client-Side Scanning.

This would legally force providers to build a “scanner” into the app that checks your files on your device before they are encrypted. While the goal is to detect illegal content, this effectively turns your own device into a surveillance tool. It creates a “backdoor” before the data even leaves your hand. A true Zero-Knowledge philosophy resists this, arguing that once you build a mechanism to bypass encryption for one purpose, the infrastructure exists to scan for anything (political dissent, trade secrets, etc.).

While an adapted version of the act has been agreed upon, it is not yet final law. EU member states must still negotiate the specific text and cast a concluding vote. Until a definitive version is ratified, our position remains unchanged: we do not implement client-side scanning and will await the final legal outcome.

Please also read our blog post ‘Our position on privacy’.

The Trade-off: Limitations of Zero-Knowledge

Security always comes at the cost of convenience. Because the server cannot read your data, you will lose certain features:

  • No Full-Text Search: You cannot type a keyword into a search bar and expect the server to find it inside a document, because the server can’t read the document. (Smart client-side indexing is solving this, but it’s harder.)

  • No AI Processing: The server cannot automatically tag faces in photos or summarize meetings, because it sees only noise.

  • Loss of historical data (the “Mnemonic” Rule): In a standard app, clicking “forgot password” is convenient because the company simply resets access to their own master key. In a Zero-Knowledge system, your password is usually essential to deriving your unique encryption key. If you lose your password, access to the historic encrypted data cannot be restored. Advanced Zero-Knowledge systems, like Databeamer, often separate your login password from your encryption keys (protected by a unique 12-word mnemonic). If you lose this mnemonic, the provider cannot recover it for you.

How do you know the encryption is good?

Since you can’t see encryption working, how do you verify if the encryption in the service you use is any good?

  • 1. Open Source / source available: Can independent experts inspect the code?

  • 2. Third-Party audits: Has a reputable security firm pen-tested the architecture?

  • 3. The “Forgot Password” test: If a service can reset your account or keys without you losing content data, they likely don’t have a true Zero-Knowledge architecture.
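The two jobs of the password described earlier (login hash for the provider, encryption key kept on the device) and the “Forgot Password” test can be seen in code. This is an added example, not Databeamer's implementation: it assumes Node.js, scrypt plus HKDF for key derivation and AES-256-GCM for content, and every function name and label in it is hypothetical.

```javascript
// Added example with constructed values; not Databeamer's implementation.
// Loads Node's crypto module whether the file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");
const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest();

// One password, two jobs: scrypt stretches it, HKDF labels split the roles.
function deriveKeys(password, salt) {
  const master = nodeCrypto.scryptSync(password, salt, 32);
  const hkdf = (label) =>
    Buffer.from(nodeCrypto.hkdfSync("sha256", master, salt, label, 32));
  return { authKey: hkdf("login"), encKey: hkdf("content") };
}

// Client: AES-256-GCM encryption before upload; encKey never leaves the device.
function seal(encKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", encKey, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

// Client: returns the plaintext, or null if the key is wrong or the blob changed.
function unseal(key, { iv, body, tag }) {
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv).setAuthTag(tag);
    return Buffer.concat([d.update(body), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Everything the provider stores: salt, login hash, ciphertext. No key.
function register(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const { authKey, encKey } = deriveKeys(password, salt);
  return { salt, loginHash: sha256(authKey), blob: seal(encKey, plaintext) };
}

// Server: checks the authKey the client presents at login.
function serverVerify(record, authKey) {
  return nodeCrypto.timingSafeEqual(sha256(authKey), record.loginHash);
}

// "Forgot password": the provider can swap the login hash, not the content key.
function resetPassword(record, newPassword) {
  const { authKey, encKey } = deriveKeys(newPassword, record.salt);
  record.loginHash = sha256(authKey);
  return unseal(encKey, record.blob); // null: the old content stays locked
}
```

The value the server does see at login (`authKey`) fails to open the blob, and after a reset the new password logs in but the earlier ciphertext can no longer be decrypted.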

The Future: Post-Quantum Cryptography

We are approaching an era where Quantum Computers may be able to break current encryption standards (like RSA). Forward-thinking security providers are already looking at Post-Quantum Cryptography: new mathematical algorithms (usually lattice-based) that even quantum computers cannot solve. When choosing a vendor, ask them about their crypto-agility and plans for the quantum future.

How we approach Zero-Knowledge

At Databeamer, we believe that your data belongs to you, and only you. We have built our architecture around the principle that we should be the courier, not the inspector. We don’t ask you to trust us with your data. We built a system where you don’t have to.

Read exactly how our encryption works in our technical blog post.