Zero-Knowledge Encryption
ZestSSH’s Cloud Sync uses a zero-knowledge encryption architecture. This means your data is encrypted on your device before it ever leaves, and the server never has access to your encryption keys or unencrypted data.
Availability: Cloud Sync tier ($24.99 one-time) — All platforms
How It Works
Encryption Process
- You set a sync password when enabling Cloud Sync. This password is never sent to the server.
- Key derivation: Your password is processed through Argon2id — a memory-hard key derivation function designed to resist brute-force attacks — to produce an encryption key.
- Data encryption: All your data (connections, keys, snippets, settings) is encrypted locally using AES-256-GCM (Galois/Counter Mode), an authenticated encryption algorithm that provides both confidentiality and integrity.
- Upload: Only the encrypted blob is uploaded to the sync server. The server stores ciphertext that it cannot decrypt.
Key Derivation with Argon2id
Argon2id is the winner of the Password Hashing Competition and is specifically designed to:
- Resist GPU-based brute-force attacks through memory-hardness.
- Resist side-channel attacks through a hybrid approach combining Argon2i and Argon2d.
- Make each password guess computationally expensive.
Your sync password is the only secret needed to decrypt your data. Choose a strong, unique password.
AES-256-GCM Encryption
AES-256-GCM provides:
- 256-bit encryption: The highest standard AES key size, used by governments and military worldwide.
- Authenticated encryption: Every encrypted block includes an authentication tag that detects tampering. If anyone modifies the encrypted data, decryption will fail rather than producing corrupted output.
- Unique nonces: Each encryption operation uses a unique nonce to ensure identical data produces different ciphertext.
What Zero-Knowledge Means
- The server never sees your password. Key derivation happens entirely on your device.
- The server cannot read your data. It stores only encrypted blobs.
- Affluent Labs cannot access your data. Even in response to legal requests, only encrypted data exists on the server.
- If you lose your password, your data is unrecoverable through normal means. This is the trade-off of true zero-knowledge encryption. However, a recovery key is provided — see below.
Recovery Key
When you enable Cloud Sync, ZestSSH generates a recovery key. This is a one-time backup key that can decrypt your data if you forget your sync password.
- Store your recovery key safely. Write it down or save it in a password manager.
- The recovery key is shown only once during setup.
- Without either your password or recovery key, your synced data cannot be recovered.
Security Summary
| Component | Algorithm | Purpose |
|---|---|---|
| Key derivation | Argon2id | Derive encryption key from password |
| Data encryption | AES-256-GCM | Encrypt and authenticate data |
| Architecture | Zero-knowledge | Server never has access to keys or plaintext |