
Cloud-based storage services like Dropbox and Google Drive are a cause for concern when it comes to privacy. They store the encryption keys for your files on their servers. Therefore, anyone who manages to get access to their servers, whether it be a hacker or an employee, will be able to get your keys and, by extension, your files.

On the other hand, services like BoxCryptor or Viivo offer a layer of end-to-end security on top of Dropbox or Google Drive, while services like SpiderOak or Sync offer this security built in.

However, these services are seamless. That is, all you have to do is download, install, and log in, and they immediately start working. There is no key given to you to memorize or download. Yet they say that you own the key and that the keys are not stored on their servers.

How is it possible that both the keys are not stored on their servers (Zero-knowledge), and you do not have to keep/memorize the keys yourself (seamless)?

Zsw
  • Related discussion for anyone interested: https://security.stackexchange.com/q/66323/20935 – blong May 18 '20 at 15:09

2 Answers


The service can create a random encryption key on the client and then encrypt that key with your password; the service will never have access to your plain-text password.

Neil Smithline

With regard to SpiderOak: it seems that the keys are generated by the client application during installation, after you choose a password, by inputting the password into a derivation function. See Zero Knowledge Explained (2nd paragraph).

mti2935
  • The link to "Zero Knowledge Explained" is outdated. Now they have announced "Why We Will No Longer Use the Phrase Zero Knowledge to Describe Our Software". – minghua Mar 07 '18 at 06:24
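Both answers describe the same client-side pattern: stretch the password into a master secret with a key derivation function (mti2935's answer), generate a random file key on the client, and store only a password-wrapped copy of that key, plus the salt, on the server (Neil Smithline's answer). The server therefore holds everything needed to unlock the key except the password itself, which is why no key has to be memorized. The following is an added example written for this page; it is not code from SpiderOak, Sync, BoxCryptor, or any other product mentioned above. It uses only the Python standard library, so the wrap step is a one-time-pad XOR under a freshly salted key plus an HMAC tag rather than the AES key-wrap or AEAD a production client would use; the iteration count, the subkey labels, and the record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed iteration count for PBKDF2-HMAC-SHA256; real services choose their own.
PBKDF2_ITERATIONS = 600_000


def derive_master(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the password into a 32-byte master secret (the 'derivation function')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def subkey(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkey: HMAC(master, label), a simplified HKDF-Expand.
    Knowing one subkey (e.g. the login token) does not reveal the master or another subkey."""
    return hmac.new(master, label, hashlib.sha256).digest()


def client_enroll(password: str) -> dict:
    """Run once on the client at install time. Returns the record the server may store.
    Nothing in the record lets the server recover file_key without the password."""
    salt = os.urandom(16)                      # fresh salt per enrollment, so the pad below is never reused
    master = derive_master(password, salt)
    kek = subkey(master, b"key-encryption-key")   # never leaves the client
    auth = subkey(master, b"server-auth")         # what the client presents at login
    file_key = secrets.token_bytes(32)            # random data key generated on the client
    # Wrap: one-time-pad XOR under the KEK (stand-in for AES-KW / AEAD in real clients).
    wrapped = bytes(a ^ b for a, b in zip(file_key, kek))
    tag = hmac.new(subkey(master, b"wrap-mac"), salt + wrapped, hashlib.sha256).digest()
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "wrapped_key": wrapped,
        "wrap_tag": tag,
        "auth_token": auth,   # a real server would store a hash of this, not the token itself
    }


def client_unlock(password: str, record: dict) -> Optional[bytes]:
    """Re-derive the KEK from the password and unwrap the file key.
    Returns None on a wrong password or a tampered record, instead of a garbage key."""
    master = derive_master(password, record["salt"], record["iterations"])
    expected = hmac.new(subkey(master, b"wrap-mac"),
                        record["salt"] + record["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["wrap_tag"]):
        return None
    kek = subkey(master, b"key-encryption-key")
    return bytes(a ^ b for a, b in zip(record["wrapped_key"], kek))


def client_auth_token(password: str, record: dict) -> bytes:
    """Login token the client sends; it is a separate subkey, so it cannot unwrap the file key."""
    master = derive_master(password, record["salt"], record["iterations"])
    return subkey(master, b"server-auth")


def server_verify_login(record: dict, presented: bytes) -> bool:
    """Server side: compare the presented token in constant time. The server never sees the password."""
    return hmac.compare_digest(record["auth_token"], presented)


if __name__ == "__main__":
    rec = client_enroll("correct horse battery staple")
    print("server stores:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in rec.items()})
    print("unlock with right password:", client_unlock("correct horse battery staple", rec) is not None)
    print("unlock with wrong password:", client_unlock("wrong password", rec))
```

The caveat a practitioner should keep in mind: the record gives anyone who steals the server's database everything needed to test password guesses offline (the salt, the wrapped key, and the tag), so the "zero knowledge" property is only as strong as the password and the cost of the derivation function. That is why these clients use slow KDFs and why a weak password undoes the design.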