EncryptedNote LogoEncryptedNote
|
Get Started

What Is Zero-Knowledge Encryption?

Zero-knowledge encryption means the service provider has mathematically zero ability to read your data — even if they wanted to, even if compelled by law, even if breached.

The Problem With Trusting Servers

Traditional cloud services encrypt your data "at rest" — but they hold the encryption keys. When you upload a file, they can decrypt it. Their employees can access it. A court order can compel disclosure. A breach can expose everything.

Zero-knowledge changes the architecture so the server never has the key. What can't be read, can't be leaked.

How Zero-Knowledge Works in EncryptedNote

Encryption happens in your browser

Using the Web Crypto API and XChaCha20-Poly1305, your secret is encrypted before it leaves your device. The plaintext never touches our servers.

The decryption key stays in the URL fragment

The key is embedded in the #fragment part of the share URL. Browsers never send the fragment to servers — it's a client-only concept. Our server receives the URL but never sees the key.

Server stores only ciphertext

We store encrypted blobs with no associated keys. Even with full database access, there's nothing to decrypt. This is zero-knowledge by cryptographic design, not just policy.

XChaCha20-Poly1305: The Encryption Algorithm

EncryptedNote uses XChaCha20-Poly1305, a modern authenticated encryption algorithm that provides:

  • Confidentiality: Only the holder of the key can decrypt
  • Integrity: Any tampering with the ciphertext is detected
  • Extended nonce: 192-bit nonce eliminates nonce-reuse risks
  • Performance: Fast on all devices, including mobile, without hardware acceleration

This algorithm is used by Signal, WireGuard, and other security-critical applications globally.

Zero-Knowledge vs. End-to-End Encryption

These terms are related but not identical:

  • End-to-end encryption (E2EE) means data is encrypted from sender to recipient — no intermediary can read it in transit.
  • Zero-knowledge means the service provider has no cryptographic access to your data — not in transit, not at rest, not ever.

EncryptedNote implements both. Your secret is E2EE during transmission and zero-knowledge at rest — the server holds ciphertext with no associated keys.

Try Zero-Knowledge Sharing Now

Share a secret with cryptographic proof we can't read it. Free, instant, no account.