Zero-Knowledge Cloud Storage: Far From Perfect

You may get an extra layer of protection with zero-knowledge cloud encryption, but the cloud security system isn't fail-safe.

Edward Snowden is probably the best-known advocate of zero-knowledge cloud storage services. And while zero-knowledge services generally are a step up from cloud services that either aren't encrypted at all or that use shared-key encryption, where the provider holds the key, they're far from perfect.

Zero-knowledge offers customers an extra layer of protection from the prying eyes of cloud service providers, nosy governments and hacking syndicates. But it’s important to note that it’s not the pinnacle of cloud security that some make it out to be. So if you are serious about encryption in the cloud, you may want to consider your options.

Shared-key encryption

First, let's take a minute to understand the different cloud encryption types out there so we can properly compare and contrast. The most common system used by cloud service providers is standard shared-key encryption performed in the cloud: data is encrypted at rest on the provider's servers with keys the provider generates, stores and manages, so the key is effectively shared between you and the provider. Popular services like Dropbox, Google Drive and Microsoft OneDrive use shared-key encryption.

The problem with this type of encryption is that the provider must hold the encryption key in order to encrypt and decrypt your data in the cloud. So if the provider wanted to access your files without your knowledge, it could, and you would never know. The same goes for anyone who compromises the provider's systems or legally compels it to hand over the key.

Considering how willing many service providers are to hand over your information to government entities like the NSA, it’s no wonder whistleblowers like Snowden are telling people to stay away from these types of cloud encryption services.


The next step up from standard in-cloud encryption is known as personal, client-side or zero-knowledge encryption. With this method, customers use client software supplied by their cloud service provider to encrypt files locally, on their own device and with a key that never leaves it, before sending them to the cloud to be stored.

Because the data is encrypted before it leaves the device, the cloud service provider never has your encryption key. So if anyone attempted to access files in a zero-knowledge cloud, he or she would get the stored files, but only as ciphertext, with no way to decrypt them.

On the surface, zero-knowledge encryption seems like the ideal solution, but if you look more closely, there are some flaws. First of all, you have to trust that your service provider's client software is indeed encrypting every file before it goes into the cloud, and is not also sending your passphrase or key along with it. With a closed-source client that updates itself automatically, that is a claim you cannot verify; an open-source client with a published independent audit is the nearest thing to a check. Knowing what we know about NSA programs such as PRISM, many of us simply have lost faith that there aren't back doors built into most popular commercial software and cloud services these days.

Second, even if your provider is legitimately protecting your data from prying eyes, every customer runs the same client and the same key-derivation scheme, which makes that software one giant target for criminals and government entities. A flaw in it, or a malicious update pushed through the provider's own update channel, does not break one account; it breaks all of them at once.

Lastly, since the provider has no knowledge of your encryption key, it cannot help restore your data until you provide the key. So if your encryption key is lost, your data is lost with it. The flip side matters just as much: the key is usually derived from a passphrase you choose, and anyone who obtains your stored ciphertext can guess at that passphrase offline, with no account lockout to slow them down, so a weak passphrase undoes the whole scheme.

Manual encryption

If you're truly concerned about cloud security in terms of encryption, your best bet is to encrypt files yourself prior to uploading them to the cloud. Using this method, the trust you had to place in the storage provider is removed entirely. Now all you have to trust is the encryption software itself, which you choose, and which can be open source and independently audited, and you sidestep any behind-the-scenes agreements between governments and service providers. Keep in mind that the provider can still see whatever you don't encrypt: file names, sizes and when you upload and download. If that metadata matters, name files neutrally or pack them into a single encrypted archive before uploading.

You'll still have to deal with being the single point of failure for key storage. But if you are concerned enough about securing data, that is a small price to pay. You should also note that the data will have to be pulled back out of the cloud and then decrypted before you can use it. In contrast, with zero-knowledge systems the client decrypts data as it streams back out of the cloud, which is more convenient. But if you are only storing data for backup purposes, this is a moot point for most.

Zero-knowledge cloud storage services do serve a purpose, but they’re far from perfect. One must weigh the benefits of slightly better control of encrypted data vs. complicating access and management of cloud data as a whole. And it’s also important to note that manual encryption prior to transferring data into the cloud is a far superior method if protecting data is of utmost importance.

In the end, all things IT security related involve figuring out the right balance of protection vs. usability. And in this case, zero-knowledge encryption should be considered a decent, but far from perfect option. Just because Edward Snowden promotes it, doesn’t mean it’s the most secure solution out there. If you really want something to remain absolutely private, keep it out of the cloud and off the Internet altogether.

About the Author(s)

Andrew Froehlich, President, West Gate Networks

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.
