Zero-knowledge encryption. Only you can access your data

With Tresorit, your files are encrypted on your device before they are uploaded to the cloud. The encryption keys remain exclusively in your control — they are never shared with Tresorit. As a result, not even Tresorit can access or read your content. This is what zero-knowledge encryption means in practice: your data remains unreadable to anyone but you and those you choose to share it with.


Why zero-knowledge matters

Cloud services are widely used to store and share sensitive information. Most cloud providers encrypt data in transit and at rest as a standard security measure. In many cases, however, the provider itself holds or can obtain the encryption keys, so it retains the technical ability to decrypt and read customer data.

Encryption does not automatically mean zero-knowledge. Provider-side access can introduce privacy, security, and compliance risks, particularly for organizations handling confidential data.

Zero-knowledge encryption removes provider access by design. Encryption takes place before data leaves the user’s device, and the encryption keys remain exclusively under the user’s control. As a result, the service provider cannot read or access the stored or shared content.


What zero-knowledge encryption means

Zero-knowledge encryption is a security model in which:

  • Encryption happens on the user’s device before data is uploaded.
  • The service provider never receives or stores the encryption keys in a readable form.
  • Stored data remains unreadable to the provider at all times.

In this model, only the user controls the encryption keys. Because encryption occurs locally and the provider has no access to the keys, even the service provider itself cannot read the stored content.

No keys. No access.


How Tresorit implements zero-knowledge

Tresorit applies zero-knowledge encryption consistently across its entire platform. Files are encrypted on the user’s device before they are uploaded. Encryption keys are generated and managed locally and are never stored by Tresorit in a readable form, which rules out access by Tresorit’s own staff and systems and protects data throughout its lifecycle.

Unlike standard server-side encryption, where data is encrypted after upload and the provider manages the keys, Tresorit’s client-side approach ensures that only the user controls the encryption keys. This structural difference enables elevated, by-design data protection, with content remaining readable only to you.


Zero-knowledge and collaboration

When files are shared in Tresorit, the zero-knowledge model remains intact. The keys for a shared file are exchanged only between the devices of authorized users, so servers and service operators still cannot read the content, and access for the people you share with can be revoked at any time. The same zero-knowledge security model applies during collaboration, so data remains protected throughout.


Zero-knowledge across the data lifecycle

Tresorit’s zero-knowledge encryption protects your data at every stage, from creation to deletion:

  • Upload: Files are encrypted locally on your device before they leave, ensuring that only you control the encryption keys.
  • Storage: Encrypted data is stored in the cloud. Because the keys stay with you, the stored content remains unreadable even to someone who obtains the raw storage, and Tresorit cannot access readable content at any time.
  • Sharing: Encryption keys are exchanged securely only with authorized users. Shared files remain unreadable to servers and the service provider.
  • Access revocation: You can revoke access at any time, immediately preventing previously authorized users from opening shared files.
  • Deletion: Files are permanently deleted in encrypted form, leaving no readable data behind.

This end-to-end coverage ensures that zero-knowledge protection is applied consistently throughout the entire lifecycle of your data.


What this means to you

Individuals

Personal files remain private and fully under user control.

Teams & businesses

Sensitive data stays protected even when shared internally or externally.

Regulated environments

Zero-knowledge encryption reduces access risks and supports data protection requirements.

What zero-knowledge encryption does not mean

Zero-knowledge encryption refers specifically to encryption key ownership and provider access — it does not change other aspects of account or system management.

It does not mean:

  • Anonymous usage — you still need to authenticate to your account.
  • No authentication — secure login remains required.
  • No logging — system activity may still be tracked for operational purposes.
  • No account responsibility — users remain responsible for their actions and shared content.
  • Unlimited recovery options — lost keys or passwords may not be recoverable.

Zero-knowledge encryption only covers who controls the encryption keys and whether the provider can access data — it does not affect identity management, account policies, or system governance. 


FAQ

What is zero-knowledge encryption?

Zero-knowledge encryption is a security model in which only the user controls the encryption keys. Files are encrypted locally on the user’s device before upload, and the service provider never has access to the readable content. This ensures stored data remains unreadable to the provider at all times.

How does it differ from standard cloud encryption?

Standard cloud encryption typically encrypts data on the provider’s servers, and encryption keys may be managed by the provider. With zero-knowledge encryption, data is encrypted locally on the user’s device and encryption keys remain exclusively under the user’s control. This prevents the provider from accessing the content, even internally.

Can Tresorit access my data?

No. Tresorit does not have access to encryption keys and cannot read user data.

How are encryption keys handled?

Encryption keys are generated and stored locally on the user’s device. Keys are never transmitted to Tresorit in readable form, and all cryptographic operations, including key generation, encryption, and decryption, occur client-side.

Can I recover a forgotten password?

You can recover your password only if:

  • you are still logged in to your Tresorit account on one of your devices, or
  • you are part of a Business subscription with Advanced Control enabled.

Read more about forgotten passwords here.

Does zero-knowledge encryption still apply when I share files or collaborate?

Yes. When users collaborate, encryption keys are securely exchanged only between authorized users, and shared files remain encrypted. Access can be revoked at any time, and the provider cannot read collaborative content.

Does zero-knowledge encryption support compliance requirements?

Yes. Zero-knowledge encryption supports privacy and data-protection standards by preventing provider access to sensitive information. This aligns with requirements such as data minimization, access control, and the confidentiality obligations found in the GDPR, HIPAA, and other data-protection frameworks.

Is zero-knowledge encryption the same as end-to-end encryption?

Zero-knowledge encryption is a form of end-to-end encryption that ensures only the user has access to the encryption keys, fully excluding the service provider from accessing or managing them. While most zero-knowledge systems are built on end-to-end encryption principles, not all end-to-end encryption implementations guarantee exclusive user control over encryption keys or complete provider exclusion.

Your data, your control.

Zero-knowledge encryption is a core design principle of Tresorit, embedded into the platform from the ground up.

By ensuring that only users control encryption keys, the system reduces the attack surface and limits potential exposure of sensitive data. This approach complements Tresorit’s broader security and compliance measures, which are described in its security documentation and compliance resources.

Tresorit’s security practices are supported by industry-recognized certifications, which validate the implementation of encryption and data protection controls.