MAIN MENU
Definition

Zero-knowledge encryption

Zero-knowledge encryption is an approach in which the service provider never has access to your unencrypted data — only you hold the key. The server stores encrypted data and nothing more. Learn how it works, how it differs from standard encryption, and why it matters for password managers.

DT Devolutions Team · July 7, 2026 · 2 min read

What is zero-knowledge encryption?

Zero-knowledge encryption is a model in which the service provider never has access to the user's unencrypted data. Data is encrypted on the user's side before it reaches the provider's servers, and the encryption key never leaves the user's control. The server stores only encrypted data and, at no point, holds the key or the plaintext — so only the user can decrypt their own data.

How does zero-knowledge encryption work?

The defining property is where encryption and decryption happen:

  • Client-side encryption — data is encrypted on the user's device before upload.
  • The key stays with the user — derived from a secret the provider never receives.
  • The server stores ciphertext only — it can hold and sync data it cannot read.
  • Only the user decrypts — plaintext exists only on the user's side.

Zero-knowledge encryption vs. standard encryption

With standard server-side encryption, the provider encrypts data but also holds the keys, which means it can technically read the data — and so can an attacker who compromises the provider. With zero-knowledge encryption, the provider never holds the key, so it cannot read the data and neither can anyone who breaches its servers. The trade-off is that if the user loses their key or master secret, the data generally cannot be recovered.

Why does zero-knowledge encryption matter for password managers?

A password manager holds an organization's most sensitive secrets, so the question of who could read them matters enormously. Zero-knowledge encryption means that even the password manager's provider cannot see stored credentials, and a breach of the provider yields only unreadable ciphertext. It is one of the strongest trust guarantees a password manager can offer.

Frequently asked questions

What is zero-knowledge encryption?

Zero-knowledge encryption is an encryption model in which the service provider never has access to the user's unencrypted data. Data is encrypted on the user's side, the key never leaves the user's control, and the server stores only encrypted data — so only the user can decrypt it.

How is zero-knowledge encryption different from standard encryption?

With standard server-side encryption the provider holds the keys and can technically read the data, so an attacker who compromises the provider could too. With zero-knowledge encryption the provider never holds the key, so it cannot read the data and neither can anyone who breaches its servers.

Why does zero-knowledge encryption matter for a password manager?

Because a password manager holds an organization's most sensitive secrets, zero-knowledge encryption ensures even the provider cannot read them, and a breach of the provider yields only unreadable ciphertext. It is one of the strongest trust guarantees a password manager can offer.

Security you don't have to take on trust

Protect credentials with a password manager built on strong encryption.

Explore Devolutions Password Manager

Related terms

Password manager

An application for vaulting, managing, and sharing credentials securely.

Read now

Password vault

A digital repository for securely storing credentials in encrypted form.

Read now

Secrets management

Securely storing, rotating, and auditing non-human credentials like API keys.

Read now