What is Zero-Knowledge Architecture?

In a zero-knowledge system, the server acts purely as encrypted storage. It receives data that has already been encrypted by the client and returns it on request, but it never possesses the keys needed to make sense of that data. This stands in contrast to most cloud services, where the provider holds encryption keys and could theoretically access user data — whether through a rogue employee, a government subpoena, or a security breach.

The term "zero-knowledge" in this context is distinct from zero-knowledge proofs in cryptography, though both share the principle of revealing nothing beyond what is strictly necessary. A zero-knowledge service knows that data exists and can enforce access controls like expiration or view limits, but it cannot determine what the data actually contains.

Zero-knowledge architecture shifts the trust model fundamentally. Instead of trusting the service operator to protect your data and behave honestly, you only need to trust the client-side code running in your browser. This is a significant security improvement because it eliminates an entire class of threats: server-side breaches, insider access, and compelled disclosure all become ineffective when the server genuinely cannot read what it stores.

How Vaulted uses Zero-Knowledge Architecture

Vaulted is built as a zero-knowledge system from the ground up. All encryption and decryption happen in your browser using the Web Crypto API. The server receives and stores only ciphertext, the initialization vector, and metadata like view count and expiration. The AES-256-GCM encryption key is embedded in the URL fragment, which browsers never send to servers per RFC 3986. Even if Vaulted's server or database were fully compromised, an attacker would obtain only encrypted blobs with no way to decrypt them.