# How Does Client Side Encryption Really Work?

Your data is encrypted on your device before it is uploaded. You alone hold the encryption keys, so no company, server or hacker can read your data.

## Not All Cloud Storage Platforms Are Secure

In 2014, more than 500 nude photos of female celebrities were leaked by hackers after data was obtained from iCloud backups. Dropbox had a 2012 breach where 68 million user accounts were exposed. Both iCloud and Dropbox use server side encryption — the encryption keys are managed by the server, putting data at risk during a breach.

## What is Client Side Encryption?

Client side encryption is a security practice where data is encrypted on your device before it is sent to any external server. Only you hold the keys needed to access the data. The server stores scrambled, unreadable ciphertext that is useless without your private key.

## How Zero Knowledge Client Encryption Works

1. A unique encryption key is generated on your device by the client.
2. Your data is encrypted before leaving the device.
3. The encrypted data is transmitted to the server.
4. The server stores the data but cannot decrypt or read it.
5. Users with permission retrieve the data in encrypted form and decrypt it locally.
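
The five steps above as an added example (not DragBin's code and not part of the original page), using AES-256-GCM from Node's built-in crypto module. The in-memory `server` map, the function names and the nonce/tag/ciphertext blob layout are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed stand-in for the storage server: it only ever receives opaque blobs.
const server = new Map();

// Step 1: the client generates a unique 256-bit key that never leaves the device.
function generateKey() {
  return nodeCrypto.randomBytes(32);
}

// Step 2: encrypt locally. Blob layout (assumed): nonce(12) || tag(16) || ciphertext.
function encryptLocally(key, plaintext, name) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(name)); // bind the blob to its storage name
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Steps 3-4: only ciphertext is transmitted, and the server stores it as-is.
function upload(name, blob) {
  server.set(name, Buffer.from(blob));
}

// Step 5: fetch the blob and decrypt locally. Throws if the key is wrong
// or the stored blob was modified, because the GCM tag no longer verifies.
function downloadAndDecrypt(key, name) {
  const blob = server.get(name);
  const nonce = blob.subarray(0, 12), tag = blob.subarray(12, 28);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAAD(Buffer.from(name));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function demo() {
  const key = generateKey();
  const secret = Buffer.from("constructed sample file contents");
  upload("blob-1", encryptLocally(key, secret, "blob-1"));
  const stored = server.get("blob-1");
  const roundTrip = downloadAndDecrypt(key, "blob-1").equals(secret);
  const serverSeesPlaintext = stored.includes(secret);
  let wrongKeyRejected = false, tamperRejected = false;
  try { downloadAndDecrypt(generateKey(), "blob-1"); } catch { wrongKeyRejected = true; }
  stored[stored.length - 1] ^= 1; // simulate modification of the blob at rest
  try { downloadAndDecrypt(key, "blob-1"); } catch { tamperRejected = true; }
  return { roundTrip, serverSeesPlaintext, wrongKeyRejected, tamperRejected };
}
```

The server-side view in `demo()` is the point: the stored blob decrypts only with the client's key, and both a wrong key and a flipped byte are rejected rather than yielding garbage output.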

## Client Side vs Server Side Encryption

| | Client side | Server side |
|---|---|---|
| **Control of Keys** | You fully control | Provider controls |
| **Data Access** | Only you can decrypt | Provider can access |
| **Security in Breaches** | Data unreadable if servers are hacked | Data exposed if keys are compromised |
| **Trust Required** | Minimal | High trust in provider |
| **Privacy Level** | Maximum with zero knowledge | Limited |

## What Encryption Does DragBin Use?

DragBin uses client side, quantum resistant encryption (ML-KEM + AES-256) to protect your data. Nobody, not even DragBin, can see your data, and with metadata protection your files, passwords and filenames remain visible to you only.

- **Metadata Protection** — files, passwords and filenames invisible to all.
- **ML-KEM Keys** — quantum-resistant key encapsulation.
- **AES-256 Security** — 256-bit standard in transit and at rest.
- **Argon2 Key Derivation** — keys are derived from your password at high computational cost.

## Benefits

- **Full Control Over Data** — you hold the encryption keys.
- **Protection Against Breaches** — attackers only get encrypted data.
- **Real Privacy** — files encrypted before leaving your device.
- **Reduced Reliance** — no dependence on provider policies.

