In cryptography, a zero-knowledge proof is a method by which one party (the prover) can demonstrate to another (the verifier) that they know something, without revealing what that something is. It's a precisely defined concept with formal properties. The term has a specific meaning in the academic literature, and that meaning does not include "we promise not to look."
The privacy services industry borrowed the term, stripped it of its precision, and started applying it to any service where the company doesn't hold your encryption keys in plaintext. That's a much lower bar — and some services don't even clear that.
The Actual Requirement
For an email or messaging service to make a meaningful zero-knowledge claim, the following must be true:
- Encryption keys are derived client-side from your passphrase, never from server-assigned credentials
- The passphrase itself never leaves your device — not even as a hash of itself
- The server receives only ciphertext; it does not hold the plaintext key or the passphrase
- Key derivation uses a strong, slow function (PBKDF2 with 100k+ iterations, or Argon2id)
- If you forget your passphrase, the service cannot recover your data — because it never had the key
That last point is the tell. Services that offer password reset via email, or account recovery via support ticket, or "emergency recovery codes" stored on their servers, are not zero-knowledge. They have a key. They've just chosen not to use it — which is a policy, not a cryptographic guarantee.
What Most Services Actually Do
The pattern most "zero-knowledge" email services follow is closer to this:
- You choose a passphrase
- The service derives an authentication credential from it (often the passphrase hashed with bcrypt or Argon2)
- Your passphrase is also used to derive an encryption key — client-side
- That encryption key wraps your private key, which the server stores as an encrypted blob
- At login, you authenticate, download the encrypted key blob, and decrypt it locally
This is genuinely better than storing keys in plaintext. The server cannot read your email contents. If someone breaches the database, they get encrypted blobs, not your messages.
But here's what this model does not protect against:
- A compromised login page — if the service delivers malicious JavaScript that exfiltrates your passphrase before key derivation, they have your key
- Legal compulsion to deliver modified software — a court order to deliver a login page that phones home your passphrase is a real threat vector for commercial web apps
- Metadata — who you email, when, from what IP, is usually not encrypted at all
A native app (iOS, Android, desktop) is harder to retroactively compromise via a server-side code change than a web app. The code you downloaded is the code you run. This is one concrete security advantage of native apps over pure web-based email clients.
The Two-Key Model
A well-designed zero-knowledge system uses your passphrase to derive two separate credentials through distinct derivation paths:
- Authentication credential — what you send to the server to prove identity. Never usable as an encryption key.
- Wrapping key — used locally to decrypt your encryption key blob. Never leaves your device. Never sent to the server.
The separation is the point. If the authentication credential is compromised — say, through a database breach — an attacker gets something they can use to log in, but not something they can use to decrypt your data. Decrypting your data requires the wrapping key, which the server has never seen.
Haven derives both from your passphrase using PBKDF2 with different salts:
authPassword = PBKDF2(passphrase, "haven-auth:" + email, 210,000 rounds, SHA-256)wrappingKey = PBKDF2(passphrase, "db_key:" + email, 210,000 rounds, SHA-256)
The auth password goes to the server. The wrapping key stays local — it decrypts your randomly-generated 256-bit database master key, which was stored on the server only in encrypted form. The server has never seen the wrapping key, and cannot derive it from the auth password (they're independent PBKDF2 outputs with different salts).
This is the same model ProtonMail uses for their "zero access" encryption, and it's the same model that makes ProtonMail unable to recover your account if you forget your passphrase. Haven applies the same principle.
What Even This Model Can't Protect Against
Honest disclosure is part of what zero-knowledge actually requires. No current commercial email service protects against:
- Metadata analysis — timing, frequency, sender/recipient graphs, message sizes. These reveal significant information about communication patterns even without message content.
- Device compromise — if your device is compromised, your keys are accessible. Encryption protects data in transit and at rest on the server, not from an attacker who has your unlocked phone.
- Legal compulsion targeting the application itself — a secret court order to modify the app before the next update is a real (if unlikely) threat for high-value targets.
Knowing these limitations isn't a reason to give up on encrypted email. It's a reason to understand what you're buying and to calibrate your expectations accordingly. Encrypted email dramatically raises the cost of surveillance. It does not make it impossible for a determined nation-state adversary.
How to Audit a Service's Claim
Before trusting a "zero-knowledge" claim, ask these questions:
- Can I recover my account without my passphrase? If yes, it's not zero-knowledge — the service holds a key.
- Is the source code open? Proprietary code makes independent verification impossible.
- Has it been independently audited? Audits aren't perfect, but they're better than self-assessment.
- Does the login happen in a native app or a browser? Web apps are more vulnerable to server-side code substitution.
- What does the privacy policy actually say about data sharing with governments? "We comply with lawful orders" is different from "we cannot comply because we don't have your key."
The Takeaway
Zero-knowledge encryption, properly implemented, provides a meaningful and important protection: the service genuinely cannot read your content, and a breach of their servers reveals nothing about what you wrote. That's a real guarantee worth having.
But it requires the technical implementation to match the marketing claim. Client-side key derivation with separated auth and encryption paths, no recovery mechanism that bypasses the passphrase, and an open codebase that allows verification. Without those, "zero knowledge" is a promise without a mechanism.
Read the technical documentation of any service you trust with sensitive communication. If they can't explain how key derivation works and where the passphrase goes, assume the answer is "we have it."