# Zero-Knowledge Encryption Explained

Zero-knowledge encryption means the service provider has zero knowledge of your data. Files are encrypted on your device with keys only you control — DragBin servers store ciphertext and nothing else.

## What is zero-knowledge encryption?

Unlike traditional cloud storage, where the provider can access or recover your data, zero-knowledge systems eliminate that possibility entirely. The provider's role is limited to storing and serving encrypted bytes. Even in a server breach, attackers find only unreadable ciphertext.

## How it works

1. **Client-side encryption** — files are encrypted on your device using AES-256 before upload. Plaintext never leaves your device.
2. **User-controlled keys** — encryption keys are generated locally and derived from your credentials. The server never sees them.
3. **Secure transmission** — only ciphertext travels over the network, protected further by TLS.
4. **Decryption on access** — when you (or a recipient you share with) access a file, decryption happens locally with your key.
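
The four steps above in Node.js, as an added example that is not DragBin's own code. The page specifies only AES-256, so the GCM mode, the scrypt key derivation and its parameters, and all function names here are assumptions.

```javascript
// Added example: client-side encryption before upload (not DragBin's code).
// Assumptions: scrypt as the KDF, AES-256-GCM as the cipher mode.
const nodeCrypto = require('node:crypto');

// Assumed scrypt cost parameters; maxmem raised so N = 2^15 is accepted.
const SCRYPT_PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Step 2: derive a 256-bit key locally from the passphrase and a per-file salt.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, SCRYPT_PARAMS);
}

// Steps 1 and 3: runs on the client; the returned record is all the server receives.
function encryptForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // 96-bit GCM nonce, fresh per encryption
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Step 4: runs on the client after download; re-derives the key and checks the tag.
function decryptDownload(record, passphrase) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// True when this passphrase fails the GCM authentication check for the record.
function rejectsPassphrase(record, passphrase) {
  try { decryptDownload(record, passphrase); return false; } catch { return true; }
}

// Constructed sample data, not a real file or credential.
const sample = Buffer.from('quarterly-report.pdf contents (constructed sample)');
const stored = encryptForUpload(sample, 'correct horse battery staple');
console.log('server stores:', Object.keys(stored).join(', '));
console.log('round trip ok:',
  decryptDownload(stored, 'correct horse battery staple').equals(sample));
console.log('wrong passphrase rejected:', rejectsPassphrase(stored, 'guess'));
```

The salt, nonce and tag are not secret and can sit next to the ciphertext on the server; the passphrase and the derived key never appear in the stored record.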

## Zero-knowledge vs. end-to-end encryption

| Property | End-to-end | Zero-knowledge |
| --- | --- | --- |
| Provider visibility | Cannot see data in transit; may access at rest | Cannot see data at any stage |
| Key control | May be managed or recoverable by provider | Generated and stored only on user's device |
| Primary use case | Secure messaging | Secure storage and file sync |

## Benefits

- **Absolute privacy** — only you hold the keys; the provider cannot read your data.
- **Breach protection** — server compromise yields only encrypted blobs.
- **Zero-trust dependency** — privacy is enforced by math, not provider policy.
- **Data ownership** — your files stay yours, not the platform's.

