Glossary

What is Client-Side Encryption?

Client-side encryption is the practice of encrypting data on the user's device — typically in a browser or native app — before transmitting it to a server, ensuring the server only ever receives and stores encrypted data.

Client-side encryption is the technical mechanism that enables zero-knowledge and end-to-end encrypted systems. By performing encryption before data leaves the user's device, the plaintext never traverses the network and never exists on the server. This protects against network interception, server breaches, and insider threats simultaneously.

In web applications, client-side encryption typically relies on the Web Crypto API, a browser-native interface for cryptographic operations. This is preferable to JavaScript cryptography libraries because the Web Crypto API runs compiled native code, is resistant to timing attacks, and benefits from hardware acceleration on modern devices.

The primary tradeoff of client-side encryption is that the server cannot process or search the encrypted data. Features like server-side search, content analysis, or data transformation become impossible because the server genuinely cannot read the data. For secret sharing, this tradeoff is ideal — the server needs only to store a blob and enforce access rules, not understand the content.

How Vaulted Uses Client-Side Encryption

Every secret shared through Vaulted is encrypted client-side using the Web Crypto API before the browser makes any network request. The browser generates a random AES-256-GCM key, encrypts the plaintext, and sends only the resulting ciphertext and IV to the server. The encryption key is placed in the URL fragment, which the browser never includes in HTTP requests. This means the plaintext exists only in the sender's and recipient's browser memory — never on the wire, never on the server.