Client-side encryption: why does Koofr offer a client-side encryption add-on?
Encryption is a hot topic in privacy-oriented cloud storage. Today, we’ll explain why Koofr offers a client-side encryption add-on rather than being a client-side encrypted cloud storage by default.
What is encryption?
In cryptography, encryption is a method that converts information into a coded format, making it secure and unintelligible to individuals without the appropriate decryption key. Encryption is handled by various mathematical algorithms. In the digital world, it transforms original data (text files, photos, videos, etc.) from a readable format (plaintext) into an unreadable format (ciphertext) using a selected algorithm and a key (password).
Only authorized individuals with the decryption key - a sequence of numbers or passwords generated by an algorithm - can decrypt the ciphertext and access the original content. The aim is to make the file content unintelligible to unauthorized individuals who may intercept it.
What is server-side encryption in cloud storage?
Server-side encryption is the process of encrypting data at the destination, meaning that when you upload unencrypted data to your cloud, the cloud storage provider encrypts it on their end. Server-side encryption ensures that your data remains encrypted even in the event of unauthorized access to the physical hardware. Data security with server-side encryption relies on the cloud storage provider – if someone were to hack into the provider, they could potentially access the decryption key and decrypt all your data. But don’t worry, the probability of that happening is really low.
What is client-side encryption, also known as zero-knowledge encryption in cloud storage?
On the other hand, client-side, also known as zero-knowledge encryption, encrypts your data before it leaves your device. It uses an encryption key that only you (not even the cloud storage provider) know. Therefore, your data is secure from the moment it leaves your device: the server cannot access the encrypted content, meaning neither your internet service provider nor your cloud storage provider can see what you've uploaded.
Client-side encryption and cloud storage services
Client-side encryption is one of the most desired features potential users seek in cloud storage services. Some cloud storage services automatically protect all your data with client-side encryption. If you use such a service, all data stored in your account is secured with client-side encryption.
On the contrary, certain cloud storage services don't offer client-side encryption by default but provide the so-called client-side encryption add-ons. This doesn't mean that they don't use any form of encryption or that your files aren’t safe with them – it simply means that their service doesn't come with client-side encryption as the default option. The client-side encryption add-on provides an additional layer of security for your files.
Why does Koofr offer cloud storage service with a client-side encryption add-on?
The crucial aspect of encryption lies in its verifiability. It's important that anyone can verify that no one can bypass encryption and gain access to encrypted files. We believe in transparency as the foundation of trust in a service. And since Koofr is not fully open-source, we have developed Koofr Vault: an open-source, client-side, zero-knowledge encryption add-on, allowing anyone to verify its functionality.
As we often said, Vault and its Safe boxes are generally just folders on Koofr. The only difference is that when using Koofr Vault, all the encryption and decryption is done inside your browser before data leaves your device. But don’t worry, your files are also very safe on Koofr even if you don't use client-side encryption.
Note: you can also use rclone to set up client-side encryption of your Koofr files.
Why did we opt for a client-side encryption add-on rather than having client-side encryption as the default for our cloud storage?
1. Forgotten password
First and foremost, with client-side encrypted cloud storage by default, all your encrypted files are protected with one password – your account password. If you forget your password, you lose access to your entire account, including all its content. Client-side encrypted services do not have access to your password or recovery key, meaning you cannot decrypt your files if you forget your account password.
Note: some client-side encrypted cloud storage services can reset your account password. However, in such cases, all files stored on your account will remain encrypted after the reset. This means you will have access to your account but won't be able to decrypt your previously stored files. If these services allowed resetting passwords and provided access to all your previously stored files, the purpose of client-side encryption would be compromised.
On the other hand, when you use cloud storage that offers an optional client-side encryption add-on, in our case, Koofr Vault, and if you happen to lose your Safe Box (i.e., vault) password, the consequence is limited to losing access to your Safe Box while retaining access to the rest of your Koofr account.
But if you forget your Koofr account password, you can easily reset it because Koofr itself is not client-side encrypted by default. However, resetting your Safe Key (the password for Koofr Vault) is not an option since the Koofr Vault is protected with client-side encryption.
2. Hacked accounts
Another critical factor to consider when using client-side encrypted cloud storage is the strength of your account password. If your password isn’t strong enough and someone manages to guess it or hacks into your account, they could gain full access to all your (encrypted) files. In such a case, your file encryption becomes irrelevant, as a potential attacker could decrypt all your files.
Conversely, when you use a separate client-side encryption add-on, such as a Koofr Vault, even if someone guesses your account password or hacks into your account, they cannot see the Safe Boxes (vaults) contents. They are secured with unique passwords, different from your account credentials, ensuring that only you can access their contents.
But remember: it is crucial to always protect your account with a strong password and 2-factor authentication. And always choose a different password for your vault than the one used for your account.
3. WebDAV
Cloud storage services typically offer more than just file storage – they provide different features, and many of them also support WebDAV.
With client-side encrypted cloud storage services, integrating WebDAV becomes more complex because the files stored in the cloud are encrypted, while WebDAV itself doesn’t provide encryption. To use WebDAV, a special proxy service must run on your device to encrypt files before sending them to the server. This limits WebDAV to devices where you can run this proxy service.
At Koofr, we aim to provide you with the best of both: WebDAV and client-side encrypted cloud storage. We believe WebDAV is a valuable addition to cloud storage and want to offer you the option to use it with Koofr. With WebDAV, you can connect many devices to Koofr, and some of them even encrypt files with their own encryption. However, you can’t use WebDAV with Koofr Vault.
4. Use Koofr as client-side encrypted cloud storage
What's also worth mentioning is that if you select cloud storage with a client-side encryption add-on and wish to encrypt all your files, you can fully utilize all your storage space in your vault.
With Koofr, you can store all your files within the Koofr Vault, ensuring the security of client-side encrypted cloud storage. Just remember, the number of Safe Boxes depends on your chosen storage plan.
When choosing a cloud storage service, consider your specific needs. Remember that cloud storage services are very secure nowadays, but it’s good to enhance the protection of your files with client-side encryption. Fortunately, you can choose between client-side encrypted cloud storage services by default or opt for cloud storage services with an additional client-side encryption add-on.
Why doesn’t Koofr offer the possibility to connect your Koofr account to providers that have client-side encryption?
To add any client-side encrypted services to our service and have them work the same as other clouds would mean we would have to keep users' passwords for those services on our servers and decrypt the files. We do not want to keep such things in our databases, as they are private passwords and should only be kept by the users. This is why we have not and will not be adding client-side encrypted services to Koofr.
Want to talk to us? Join us on the Koofr subreddit!