Can someone explain logically how "Zero Knowledge Encryption" works in the cloud storage providers (e.g. pCloud, Icedrive, Sync). This seems to be latest buzz phrase in cloud storage. The following link I found: https://cloudstorageinfo.org/zero-knowledge-encryption-explained provides some explanation but is short on details. I know enough about encryption to know that encryption keys are very large prime numbers (400 characters perhaps). It seems to me that to have true zero knowledge, the cloud provider cannot store the encryption keys in addition to the encrypted blob, otherwise the data can potentially be exposed via a data breech. The question is how are the encryption keys generated, where are they stored, and what role in the encryption process does your master password play if any? If the master password is used only for authentication (i.e. to determine if you are the owner of the data), then where do the encryption keys come from? Or, is the master password somehow a seed to some hashing program that generates the 400 digit encryption keys on the fly? I found the following quote in the link above about Sync: "Sync uses a Zero Knowledge platform which guarantees your privacy by encrypting and decrypting your data client-side. Moreover, the encryption keys that are used to encrypt your files aren’t in the hands of Sync, but only you. Even the password to your account is unknown to them." This says the encryption keys are in the user's hands only (but how?) and that the master password is unknown to the company. Oddly enough, I could not find the words "zero knowledge" on the Sync website. Can anyone with intimate knowledge of encryption and cloud storage explain this? Thanks. I also found this quote on the FidSafe (Fidelity) site, which suggests to me that FidSafe does NOT employ zero knowledge technology: "The encryption keys that unscramble your data are generated, stored, and protected by FidSafe." I'm trying to navigate the quagmire of cloud storage and find it difficult to find out enough to be confident that it really is safe to use.
My example would be with my password mgr. I use Bitwarden and it is zero knowledge. Zero knowledge happens when a sophisticated encryption algo is used on YOUR machine so that the data being moved to and from the cloud storage is already FULLY encrypted before it leaves your machines. If you log into the Bitwarden website you can read in clear language how this is accomplished. Since the encrypted "glob" of cloud data can only be opened by the person with the needed password credentials it becomes zero knowledge to the cloud companies holding the data. I even use zero knowledge on my private email accounts as well. TRUST is important. Open source examination along with reputation of the cloud service are mingled in a user's mind. e.g. if Facebook claims they give zero knowledge service I wouldn't believe it. LOL!!
Thanks so much for your reply! Digging around on the Bitwarden site, I found this: https://bitwarden.com/crypto.html Which is exactly what I was looking for. It appears that the encryption keys are generated on the fly using a combination of three things: (1) user email + (2) user master password + (3) number of PBKDR2-SHA256 hash iterations (which I assume is fixed by Bitwarden and not under user control). If all of this is true, it now makes perfect sense how one can access the account from multiple devices. Nothing is actually stored on your device (it seems to me). Not sure I have this 100% correct, but it at least makes sense, except how you can give others access w/o giving up your master password. I also understand your comment about TRUST. It can only be zero knowledge if there truly is no back door that allows the company (or partners) to unlock the encrypted blob.
You can't. That subject is handled in the forums there for estate planning. Zero Knowledge cannot be beaten, but they allow you to handle this in a structured way. You can also set up family accounts with an Admin, but this is not really what we are discussing here ----- Zero K.
This 1Password support page refers to some documents that might be interesting to learn more on how they do this: https://support.1password.com/secure-remote-password/
